Education

6th Grader Expelled After Zoom Provided Possibly Inaccurate IP Address (ajc.com) 143

An Atlanta newspaper tells the story of 11-year-old Malachi Battle, who's been suspended from school for the rest of the year after being accused of "repeatedly trying to log into Zoom classes with threatening phrases" in lieu of his name (according to documents shared by the family's lawyers, in a story shared by Slashdot reader McGruber).

The student says they're innocent: Malachi's lawyers say Gwinnett County Public Schools accused him based on an inaccurate list of students' Internet Protocol addresses from Zoom, a problem that could repeat elsewhere since the company's online sessions are replacing classrooms for millions of students amid the coronavirus pandemic... Chris Gilliard, a fellow with the Technology and Social Change Project of the Harvard Kennedy School Shorenstein Center on Media, Politics and Public Policy, had not heard of a situation similar to Malachi's but said "it's hugely unlikely that this is the first time" a student had been disciplined based on questionable data from Zoom...

During the "Zoom bombing" attempts, Malachi had already logged into the classes under his regular name, according to his appeal. The school district retrieved from Zoom a list of the names and IP addresses in each waiting room, Malachi's legal team said. The Zoom bombers' public IP addresses matched Malachi's — but four other students who did not appear to be Zoom bombers were also listed as having Malachi's public IP address, an impossibility since they were not in the same house, said Scott Moulton, a Woodstock-based forensics expert hired by the attorney working on Malachi's case. Moulton said the school district's technology employee who investigated should have been able to tell that many of the IP addresses in the Zoom report were wrong. "I would have at least picked up the phone and called Zoom before hanging the life of an 11-year-old kid based on a log that looks like an error," Moulton said.

The Zoom bombers' local IP addresses, which identify the exact device being used, did not match Malachi's, according to the log his attorneys provided. Nor did the local IP addresses match any of the possible sequences available under the configuration of the router in Malachi's house, Moulton said. There were no other routers or devices in the house that could have used those local IP addresses, Moulton said... Teachers also said Malachi's camera was on and he did not appear to be doing anything unusual...

Teachers also said unknown people had tried to enter their virtual classes using false names before the day Malachi stayed home sick.

Wild theory: pranksters spoofed Malachi's address.
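
The cross-check described in the story (public IP match, local IP match, and whether the local address could come from the household router), as an added example that is not part of the original story and not Zoom's or the school district's tooling. The row layout, names, addresses and the home subnet 192.168.1.0/24 are constructed assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# Constructed rows, not real Zoom data. Assumed layout:
# (display name, public IP seen by the service, client-reported local IP)
SAMPLE_LOG = [
    ("Accused Student", "203.0.113.10", "192.168.1.23"),
    ("Student B",       "203.0.113.10", "10.0.0.5"),
    ("Student C",       "203.0.113.10", "192.168.0.14"),
    ("Student D",       "203.0.113.10", "192.168.86.31"),
    ("Student E",       "203.0.113.10", "10.1.10.77"),
    ("flagged-join-1",  "203.0.113.10", "172.16.4.9"),
    ("flagged-join-2",  "203.0.113.10", "172.16.4.9"),
    ("Student F",       "198.51.100.77", "192.168.1.50"),
]


def addr_kind(addr):
    """Classify an address as home/office private, carrier NAT, or other."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "other"


def assess(rows, accused, home_lan, flagged):
    """Compare each flagged join with the accused participant's own row.

    home_lan is the subnet the household router can hand out (assumed
    known from the router configuration, e.g. "192.168.1.0/24").
    """
    home = ipaddress.ip_network(home_lan)
    acc_pub, acc_loc = next((p, l) for n, p, l in rows if n == accused)
    results = {}
    for name, pub, loc in rows:
        if name not in flagged:
            continue
        # Participants nobody suspects who appear behind the same public IP.
        # Any at all means the public IP does not single out one household.
        sharers = sum(1 for n, p, _ in rows
                      if p == pub and n != accused and n not in flagged)
        public_match = pub == acc_pub
        local_match = loc == acc_loc
        in_home = ipaddress.ip_address(loc) in home
        if not public_match:
            verdict = "no link to accused"
        elif local_match:
            # RFC 1918 ranges repeat in every home, so this is weak too.
            verdict = "consistent with accused device, not proof"
        elif not in_home:
            verdict = "points away from accused household"
        else:
            verdict = "inconclusive: home range, different device"
        results[name] = {
            "public_match": public_match,
            "local_match": local_match,
            "in_home_subnet": in_home,
            "local_kind": addr_kind(loc),
            "unflagged_sharers": sharers,
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    report = assess(SAMPLE_LOG, "Accused Student", "192.168.1.0/24",
                    {"flagged-join-1", "flagged-join-2"})
    for name, row in report.items():
        print(name, row)
```

With these constructed rows, both flagged joins share the accused's public IP with four unsuspected participants and report a local address the household router could not have issued, so the public IP match alone decides nothing.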
  • IP addresses? (Score:5, Insightful)

    by bobby ( 109046 ) on Saturday May 22, 2021 @01:46PM (#61410814)

    Am I missing something? AFAIK, most people's Internet connections are through a temporary DHCP-assigned IP address that the ISP assigns when the modem (cable, fiber, cell phone, whatever) connects to the network.

    And also, AFAIK, it can change on the fly. As in, DHCP lease time runs out and you get a different IP address.

    And any power interruption, modem reset, ISP change, network problem, etc., and you'll get yet another IP address.

    I now have a gmail account (ugh) through work at a new employer. I have many ways of logging in at many different places, and I keep getting annoying emails from google saying they don't recognize my "device" or IP address. I tried to disable that in settings, but I still get the annoying messages. Geez people, I move around, connect in many different places with many different "devices". Is that going to be a crime in the coming surveillance state?

    • Re:IP addresses? (Score:4, Informative)

      by 93 Escort Wagon ( 326346 ) on Saturday May 22, 2021 @01:57PM (#61410842)

      It really depends. Technically they are DHCP addresses - usually NAT IPv4 addresses - but how much they change depends on the carrier. Our Comcast IPv4 address hasn't changed in several years - nor has the IPv6 /64 they've assigned to us.

      Even after a couple day-or-more-long power outages, it always comes back with the same address.

      • DHCP technically just means the IP settings are remotely managed by a service (the DHCP server). A component of that is leases, but that is for dynamic allocation. Almost all DHCP server implementations allow for reservations of a MAC address to be assigned a particular IP address (which can be referred to as static allocation). The rest of the options are usually defined by which broadcast domain you are on. Router, DNS servers, and optionally a smattering of others like time servers, and such.
        • Right, I actually help manage our DHCP (and DNS) at work and prefer using fixed DHCP address assignments versus coding a static IP assignment into a computer - especially if they're laptops. The DHCP solution means a computer's network access will continue to work when someone moves the machine to a different subnet, which happens surprisingly often even with our desktops.

          But I would think Comcast must be doing something a bit unusual, since we've had the same IP across three different cable modems (all pur

      • by dryeo ( 100693 )

        OTOH, my IP address changes once every 24 hours or more if I reset the modem, which it needs about once a week. Depends on the ISP.

        • by MrL0G1C ( 867445 )

          but four other students who did not appear to be Zoom bombers were also listed as having Malachi's public IP address, an impossibility since they were not in the same house

          Anything that ignores the fact that the log showed several students having the same IP address as the accused student is beside the point. The log is clearly wrong and should never have been used as evidence, the student has a rock solid case here. I hope a student body organises a protest walkout.

      • by ufgrat ( 6245202 )

        As long as the lease doesn't expire, the DHCP server will typically offer the same IP address to a requesting mac address. Your lease time could be several days, and your modem should renew the lease at the halfway point of the lease duration.

    • by Luthair ( 847766 )
      They also say "local IP addresses" which makes me wonder whether it's a LAN address as opposed to their public IP.
      • by qqqqarl ( 678615 )

        10 bucks says his "local IP" was 192.168.1.1.

      • Re:IP addresses? (Score:5, Insightful)

        by KClaisse ( 1038258 ) on Saturday May 22, 2021 @03:05PM (#61411020)
        There are two IP addresses in question. The public IP which matched this student, another student, and the attackers. And the private IPs which the accused student's attorney is using to show the attackers and the student had different private IPs (and presumably on a different subnet so they can't easily say it was the same router).

        Sounds like either Zoom's logging of public IPs isn't working properly or the attackers are other students in the class and being geographically local they may be under the same carrier-grade NAT public IP address (if their ISP is using carrier grade NAT).
      • Comment removed based on user account deletion
        • Re: (Score:3, Informative)

          by Anonymous Coward

          Why would Zoom have provided a LAN address? Seems unlikely to be something Zoom would bother logging.

          In the enterprise edition, the Zoom dashboard provides me with WAN/LAN IPs, the hosts MAC, operating system name and version, the clients version, the percentage of the call the zoom window was in the foreground vs background, the CPU load in one minute increments through the call for windows and macs, and separately lists audio and video bitrate, latency, jitter, and packet loss.

          This seems unlikely to differ between educational and enterprise accounts.

          • by mysidia ( 191772 )

            It seems like the release of the LAN IP addresses without a law enforcement order is contrary to Zoom's posted privacy policy and maybe they should also be sued for divulging private personally-identifying network information which is not required to 3rd parties that users will have not given consent to be divulged.

        • Log everything, figure out a use for it later. Big Data!

      • The address was 127.0.0.1. After a raid by police of school board members' home computers, every board member was fired for secretly participating in the plot.
    • You aren't wrong.

      I'm willing to bet a lot of customers who aren't internet savvy will be behind plans that are going to place them behind a NAT, especially cellular wireless (super common) or satellite, and even cheaper DSL/Cable plans.

      All the customers behind the NAT will have the same public facing IP address. So, the zoom log may not even be in error. They all have the same public IP address.

    • Dynamic IP addresses aren't the issue here, since the 'zoom bombings' were reported from the same IP address at the same time he was also logged in legitimately.
    • by Bert64 ( 520050 )

      A DHCP routable address is still exclusively yours for the duration of the lease, if the lease expires your router will renew it so it's very unlikely to just change, and if it did in the middle of a call you would experience an outage.

      However a lot of ISPs - especially wireless ones, use CGNAT whereby you don't get a routable address to yourself, you are actually sharing one with potentially hundreds of other customers of the same provider.

      If several users were using the same ISP there is a significant cha

    • No, your ISP gives your account a permanent IP address, two websites (Common Dreams and Raw Story) I was a member of permanently banned me. I can get a new account and post if I use a VPN. Then I forget and post from my regular account and that email gets banned. Not worth the effort.
      • Please don’t confuse your account with your isp with all accounts on all isps. Dynamic IPs are extremely common, more so than static ones for consumer accounts. My Comcast provided IP rarely changes. But it does.
    • Leave it to the person complaining about security protection on an email required for work to somehow not understand that they are exactly the type of person that made such protections a requirement to begin with.
      Score 5: Insightful...

      Just curious, do you work for Colonial Pipeline?

  • So, the people working for an gov org that is breached almost daily by crackers throughout the country bans an 11 year old based upon an IP address, wow. Glad they know what they are doing /s

    • an gov

      Gov is not pronounced Uv.

      org that is breached almost daily by crackers throughout the country

      How is a local school district breached throughout the country? It seems like they'd be breached... in their own school district.

    • Yea, well. After 2 generations of that type of schooling it is no surprise that our politicians are similarly incompetent.

  • I've been banned from Wikipedia for years because of their flimsy Checkuser evidence based on IP addresses, and now with more IP addresses stuck behind CGNAT there is no way to tell a good IP from a bad one any more. A whole business, neighbourhood or school can be stuck behind one IP address. It gets worse because Cloudflare and Google can captcha hell any IP address they don't like.
    • Yep, I regularly get captcha hell because in 2021 ATT still hasn't figured out how to deploy ipv6 and their own 6in4 tunnel doesn't work most of the time. Apparently "untrusted" users often use HE's free tunnels, or at least that's what the bot police want to think.

      It's amazing how ideas like collective punishment are arbitrarily excused when it's "not the government" who does it despite how much government funding they receive.

  • is not the answer [youtube.com]
  • dynamic IP address. I mean, did they even bother trying to match the records up with the boy's ISP? Getting 4 additional hits on the IP address should have clued in at least one person.
  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Saturday May 22, 2021 @02:04PM (#61410872) Homepage

    The school can just do this, cite whatever flimsy reason that it wants and it is up to the 11 y/old (or his family) to try to prove otherwise and at probably great expense. The impact of this can be great on the child, especially if this is exam season. The impact on the school admins is almost zero, they can forget about doing this almost immediately. The admins are not automatically held to account, this might only happen if they get taken to court.

    If there was any doubt of evidence the school should have suspended its action; but they will not as to do so would involve them in more work for no benefit to them. Tossers.

  • by sjames ( 1099 ) on Saturday May 22, 2021 @02:16PM (#61410906) Homepage Journal

    This is not a matter of DHCP, it is a matter of logging. According to the Zoom logs, several students in the conference had the same IP address. It sounds like the school system just went down the list playing pin the tail on the donkey and they stopped at the first match and expelled the student without further thought. I don't blame the parents for looking into other alternatives. I wouldn't blame any of the parents in that county. Do they really want their kids to be "educated" by pointy headed morons?

    • According to the Zoom logs, several students in the conference had the same IP address.

      Which is entirely unsurprising if they're using the same local ISP and that ISP uses CGNAT.

      • by sjames ( 1099 )

        Or if the logs were hosed. Either way, it shows that the IP address cannot be reliably tied to any particular student. I'm not aware of any ISP in that area that is using CGNAT.

  • Wild Theory: (Score:5, Insightful)

    by Sebby ( 238625 ) on Saturday May 22, 2021 @02:16PM (#61410910)

    Wild theory: pranksters spoofed Malachi's address.

    Wild theory: Gwinnett County Public Schools officials are fucking morons.

    • I think you misunderstood the phrase "WILD theory".
  • root cause (Score:5, Insightful)

    by Jodka ( 520060 ) on Saturday May 22, 2021 @02:32PM (#61410948)

    I have special insight into this kind of thing because I have children in school. Schools are run by idiots.

    My kids were in online school during part of the COVID epidemic and the school accidentally scheduled my son for two classes which met at the same time. They take Zoom attendance and mark students absent who do not show up for their Zoom class sessions. So my son was always absent from one of those two classes. Of course, we called the school right away and pointed out that was a problem. They could not figure out how to reschedule him to a different session of either class. The school knew that they had created the problem by scheduling two classes at the same time but was too incompetent to undo that, despite repeated calls from us over a period of months. So what the school finally did was to call the local police department, requesting that they send a truancy officer to our house because my son had missed too many classes. The police called ahead to say they were sending an officer over. We explained the situation and they told us well, never mind then. We told the school that this was really getting to be a problem. After that the police called again, said they were sending over a truancy officer. We explained the situation, they told us ok, well never mind then. Eventually someone at the school figured out how to move my son to a different session of one of those courses.

    It would not be as large a problem that school officials were idiots, except they are also determined to make students suffer for the ineptitude of school officials. Too incompetent to reschedule a student out of class conflict? Mark him truant and send over a police officer. Misidentify a student's IP address by using an evidently bogus table of addresses? Expel the student, then fight him in court to resist undoing the mistake.

    • by Kokuyo ( 549451 )

      What I don't understand is how a populace of a country that has been born out of an independence war could ever accept this kind of crap as normal.

      I don't even know what to say about stuff like that anymore... Some people get to do things in America that are so vile, idiotic and/or damaging and nobody does anything to stop them. I get it, we're all just cogs but by god, most machines grind to a halt when they pop out and wedge themselves in between other stuff....

      • The War of Independence was centuries ago so the majority of people today don't pay attention to the governance until it gets really bad (for them).

        Also, the smarter of us are too busy being productive in the world to take a governing job where one sits in a room and argues with dumber people, begging the voters to keep his job every 4 years. That often leaves only the less competent to run things, people who may have (political) "ideas" but perhaps have never really done anything in the real world.
    • Re:root cause (Score:4, Insightful)

      by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Saturday May 22, 2021 @10:34PM (#61411906) Homepage

      Report the school for making false police reports and wasting police time.

    • by Falos ( 2905315 )

      requesting that they send a truancy officer to our house because...

      ...the computer said so.

      Society has slid into a rot of allegation = execution. Individuals have human reasoning, but they have less rights than the systems ruling over them, systems we want "optimized" into oblivion. Human reasoning takes time and money, let's automate truancy handling, let's automate all handling. Allegation is execution. No appeals. No sanity checks. No humans.

  • by Leroy Brown ( 71070 ) on Saturday May 22, 2021 @02:56PM (#61411006) Homepage

    IP addresses should not be used as the sole means to identify people.

    • > IP addresses should not be used as the sole means to identify people.

      Correct, and courts have already decided on this.

      The school should be sued for damages and duress. Being smugnorant should have consequences.

    • Yes, as someone who has tmobile home internet I know we get shared IP addresses. My address is basically a private IP address inside tmobiles network and there are other tmobile customers who have the same public IP address. That is also why some services that require a publicly accessible IP address (servers, some game services, security cameras...) don't work with this type of internet. I have to run a vpn when I need a direct connection to a local computer.
  • can confirm (Score:3, Interesting)

    by OrangeTide ( 124937 ) on Saturday May 22, 2021 @02:59PM (#61411010) Homepage Journal

    US public schools are still run by incompetent authoritarians. As it was when I was a child, so it remains to this day. The only goals are to get children to conform. What those standards of conformance are is unimportant to the faculty, only that a 40 year old adult has power over a small child.

    • by sfcat ( 872532 )

      US public schools are still run by incompetent authoritarians. As it was when I was a child, so it remains to this day. The only goals are to get children to conform. What those standards of conformance are is unimportant to the faculty, only that a 40 year old adult has power over a small child.

      Teachers in the US (like Police in the US) are a public sector union. Every year, every principal engages in a practice called pass the trash. Once a teacher is hired and stays in the job for a very small amount of time (like a year or two), they are in the union and thus impossible to fire. Yet, every year there are a few teachers that principals wish to get rid of. Everyone on the faculty knows who are the bad teachers but since they are in the union, they know unless they get caught molesting (or ac

    • As it was when I was a child, so it remains to this day. The only goals are to get children to conform.

      It is almost certain that the people running those schools are thinking of their own problems, and not trying to get the kids to conform or do anything, really, unless it affects them personally.

  • by Randseed ( 132501 ) on Saturday May 22, 2021 @03:05PM (#61411022)

    The Zoom bombers' local IP addresses, which identify the exact device being used, did not match Malachi's, according to the log his attorneys provided. Nor did the local IP addresses match any of the possible sequences available under the configuration of the router in Malachi's house, Moulton said. There were no other routers or devices in the house that could have used those local IP addresses, Moulton said... Teachers also said Malachi's camera was on and he did not appear to be doing anything unusual...

    Now wait a second here. As mentioned by other commentators, he is almost certainly behind an IPV4 NAT. So how the hell does the school know what the local IP address is, since the Zoom logs are only going to show the outward-facing external IP? So his internal address is 192.168.0.20. Big deal. Like other posters said, the ISP is probably using some CGNAT implementation (sorry, ISP, if you don't allow me to actually have an IP accessible from the Internet, fuck off), so there might have been other people...Oh the hell with it.

    Then, if he's going to engage in Zoom bombing enough for it to be an actual problem, even at 11 (if he's doing stuff like this) you'd think he'd be clueful enough to use some cheap-ass VPN or Tor.

    I wouldn't normally advocate anyone really going on such shows, but maybe this kid should call out these idiot officials by name and go on Tucker Carson or even interview with some nutjob like Alex Jones. The administrators need to be called out for being the utter morons that they are.

    • by Ksevio ( 865461 )

      I would guess the Zoom client also logs the local IP. CGNAT is very common with mobile network internet and becoming more common in others as we run out of IP addresses.

      Of course it could even just be a dynamic IP and they lumped everyone who ever used that IP. It's plausible that multiple students in the same neighborhood could have reused an IP

    • ... Tucker Carson or ... some nutjob like Alex Jones.

      Obviously, you don't get the Fox Network. How many times have Tucker Carson or Alex Jones complained about an average joe having a child sex-slave? These shows exist to perpetrate the 'evil government' rhetoric used by States' Rights activists, white supremacists and euphemistically named 'job creators'.

  • Some operators I am working with use Carrier Grade NAT, which means multiple cable modems can be sharing the same real-world IP address simultaneously.

    It's creating havoc when law enforcement is asking to trace IP addresses back to subscribers.

  • Comment removed based on user account deletion
  • From the article I thought it was one. But the author referenced they're. Does Malachi have 2 personalities?

    I haven't been here in awhile. I suppose this is an intentional gender neutral pronoun?

    *sigh*

    I suppose there is no stopping it.

    • And in the very first sentence of the subsequent quote, his gender neutrality is crushed out of existence, exposing the stupidity of the "they" pronoun.

  • I had to look at Zoom audit logs which was prompted due to a complaint about misconduct in a Zoom class/call. The Zoom audit logs (at least in 2nd half of 2020) were lackluster. There were inconsistencies in IP addresses and most importantly, the reported times of "sharing" for users was completely wrong. Person who was sharing screen most of the call was reported to have spent 0 minutes 0 seconds sharing video or screen. I ended up testing those metrics in other calls and it also misreported the share time

  • All this school is doing is basically challenging the world to break into their Zoom classes with goatse.cx photos. I hope that Zoom is at least paying some vague attention to security unlike previously when they were using trivially guessed session numbers.
  • "Wild theory: pranksters spoofed Malachi's address."

    That's enough crazy speculation for one day, Citizen.

  • Earlier, the schools were using outdated technology. Now they are having outdated people using tech. The technology they don't understand but ready to fire bullet through it.

  • Look, schools are in way over their heads just now. If I'd been told my own job depended on, I dunno, drawing a still-life every time I engaged with writing software (my actual day job), I'd probably be catching flak too. That said, they're clearly either experiencing some Dunning-Kruger here or just don't give a shit about fostering a decent learning environment if their response to (what they believe is) 11 year old potty-mouth is 'git your ass outa here'.
    • by sjames ( 1099 )

      Not understanding recent tech is at least forgivable as long as they recognize their lack of understanding. But their willingness to dump on a kid based on their obvious complete lack of understanding erases all sympathy.

  • Sounds suspiciously like the kid's lawyer doesn't have a clue. Of course his "local" IP is not going to match anything the router or local computer have. It will match the router's WAN address or possibly a CG-NAT address.
  • by gravewax ( 4772409 ) on Saturday May 22, 2021 @07:08PM (#61411530)

    The school district retrieved from Zoom a list of the names and IP addresses in each waiting room, Malachi's legal team said. The Zoom bombers' public IP addresses matched Malachi's — but four other students who did not appear to be Zoom bombers were also listed as having Malachi's public IP address, an impossibility since they were not in the same house, said Scott Moulton, a Woodstock-based forensics expert

    A forensic expert that doesn't understand something as basic as CG NAT?

    The Zoom bombers' local IP addresses, which identify the exact device being used, did not match Malachi's, according to the log his attorneys provided. Nor did the local IP addresses match any of the possible sequences available under the configuration of the router in Malachi's house,

    Holy fuck, the school shouldn't be chasing this, but damn the defense team are technically incompetent.

    • This isn't related to CGNat. Clearly this article doesn't have all the details or the logs, and as you probably realize we talk to a reporter for an hour but they can only tell so much. It's a complex issue. I'm not able to release any of the more detailed items but the logs from zoom absolutely have errors and issues.

  • And I could have caused this exact situation and then sued (if I was a crook). Or if the parents are smart enough, they could be pulling the same scam. Not buying the story at all - we have gigabytes of access logs, and they haven't ever lied once. The LAN address of the device is trivial, but the WAN address is solid evidence …
  • "Wild theory: pranksters spoofed Malachi's address." That's not a wild theory at all. IP addresses are trivially easy to spoof, and it happens all the time.
    • by Bert64 ( 520050 )

      Not exactly.
      You can spoof outbound traffic, but you won't be able to receive the responses so you won't be able to establish a full session. You typically won't even be able to open a TCP connection because you won't receive the sequence numbers.

      Spoofed packets are mostly used for DDoS attacks since the goal is only to send malicious traffic and not receive any of it back.

  • If I’m not mistaken, the Comcast piggybacked Wi-Fi networks share the same IP address as the host’s modem.

  • More than likely this may be a consequence of the use of carrier grade NAT.
    If the kid was on 4G, any number of people in the area could be coming with the same public IP address, managed by CGNAT equipment at the 4G telco.
    It is time we switch to IPv6!

  • If 20.000 people use the same out country/region, they all have the same IP address.
    Just as people using a company computer where 3000 people share the same IP.

  • I know that this stuff is all written and reported by people with no clue, but if what I'm reading is true and correct, Zoom was logging the local IP address (as in 192.168.1.2) for no particularly good reason, then the school administration idiots ("those who can't...") were treating it as some kind of unique identifier. It's as if someone was on 1234 Williams St., and they blamed something on him that happened on 1234 Wharton St. because both were at 1234.
  • This would appear to be yet another example of the evil effects of trusting computers more than people. When information on the computer contradicts what a person says, then that person must be lying, because the computer can't lie.

    Only today, in the UK, I read of an innocent couple who were wrongly accused of trafficking child porn, because police computer forensics led to their home WiFi, which had of course been hacked by the real villains. No amount of protesting innocence and the absurdity of the charg
