Slashdot Mirror


Tufts Tells Judge, We Can't Tie IP To MAC Addresses

NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

419 comments

  1. hehe by Hougaard · · Score: 4, Funny

    Next hot network thing: RIAA approved DHCP ;)

    1. Re:hehe by Deus.1.01 · · Score: 1

      Oh, god. I'm not looking forward to the new update on the DMCA.

      --
      My -1 Troll is actually a +1 funny. And my -1 flame is actually a +1 insightfull.
    2. Re:hehe by drspliff · · Score: 5, Insightful

      How long until it makes law?

      We were recently required to explicitly keep something like 6 months worth of call data records (although we keep many years worth already due to customer requirements) so that wasn't such an issue.

      However, if ISPs (and universities or other large organisations) were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.

    3. Re:hehe by Sophia+Ricci · · Score: 5, Funny

      Nobody is addressing the real problem. Students are facing a hard time downloading music.

      The universities should provide a server within campus to download music. Problem solved.

    4. Re:hehe by tristian_was_here · · Score: 4, Funny

      We should address the real issue here and provide porn to all students!

    5. Re:hehe by smittyoneeach · · Score: 1

      Better still, we should have the Fed pay for the server. And pay subsidies to the RIAA. This satisfies both the students and the lawyers. What's not to like?

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    6. Re:hehe by Paolone · · Score: 5, Funny

      We should address the real issue here and provide sex to all students!

      Corrected for you.

    7. Re:hehe by Anonymous Coward · · Score: 0

      How about beer instead?

      RIAA solution to piracy: Get the feds to let the states lower the drinking age.

    8. Re:hehe by szo · · Score: 4, Insightful

      Right, aim high!

      --
      Red Leader Standing By!
    9. Re:hehe by erotic_pie · · Score: 0

      Didn't Napster try that already?

    10. Re:hehe by NewYorkCountryLawyer · · Score: 4, Insightful

      Next hot network thing: RIAA approved DHCP ;)

      Scary, isn't it?

      --
      Ray Beckerman +5 Insightful
    11. Re:hehe by Gerzel · · Score: 4, Funny

      I think you have it backwards. I think it is largely the students that provide porn to us.

    12. Re:hehe by Gerzel · · Score: 4, Funny

      No I think he's aiming a bit lower.

    13. Re:hehe by Gerzel · · Score: 1

      The Fed can negotiate with the RIAA; the students can't. Therefore the RIAA will demand to deal directly with the students and their parents.

      This is a shake down and it is difficult to shake down city hall/capitol hill as they blow the competition out of the water.

    14. Re:hehe by Anonymous Coward · · Score: 0

      Right, you're high!

      Fixed.

    15. Re:hehe by Anonymous Coward · · Score: 3, Funny

      In Soviet Russia you are provided to porn.

    16. Re:hehe by toxyouxunknown · · Score: 2, Informative

      Tufts *does* provide that one-year license of song download service, but it sucks because you can't put the songs on your iPod or rip them to a CD.

      --
      -MelRom
    17. Re:hehe by Anonymous Coward · · Score: 1, Informative

      We do actually. We've provided a number of services over the years, such as Napster and CDIGIX. They usually place a dedicated cache server on the LAN that we are forced to rent.

      All of them are heavily DRM restricted, don't work on Linux, and most importantly, can't be synced to an iPod. The IT department understands that for these reasons, it will never be a real alternative to downloading MP3s illegally. Due to the RIAA and some pork barrel legislation tied to our acceptance of government grants, we are required to provide some kind of legal alternative, no matter how futile.

      Another complaint hardly unique to Tufts is that we are no longer an IT department. We've simply become an RIAA/MPAA response team. Between receiving the sometimes hundreds of infringement notifications (of which only a fraction actually end up in court) to sifting through our records to find a matching MAC so that we can restrict it, to finally "re-educating" the infringers with RIAA-provided propaganda, we hardly have time to address real problems with the network.

    18. Re:hehe by sm62704 · · Score: 1

      You can't fool me, you're on the board of trustees and you want me to go back to college. Uh, hmm, OK, where do I sign!

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    19. Re:hehe by Anonymous Coward · · Score: 2, Funny

      In North Korea, only old people err... Nevermind that. Definitely TMI.

      I think I just threw up a little in my mouth

    20. Re:hehe by geminidomino · · Score: 1

      Ok, offtopic but someone REALLY needs to tell me when the verb "to rip" -- as relates to digital music -- changed direction. "Ripping" used to be reading FROM a CD/DVD TO a computer. Now it's the other way around?

    21. Re:hehe by AndrewNeo · · Score: 1

      and least importantly, can't be synced to an iPod.

      Fixed that for you.

    22. Re:hehe by clone53421 · · Score: 1

      rip: physical cd > computer data
      burn: computer data > physical cd

      You're not confused, people just don't seem to give a rip about it either way...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    23. Re:hehe by Anonymous Coward · · Score: 0

      Its usage here isn't that different -- "to rip" means, in the general sense, format-shifting -- removing data from the original format and converting to some other format. A webrip is video or audio ripped from a streaming format; similarly, GP is ripping from the song download service.

    24. Re:hehe by Anonymous Coward · · Score: 0

      So, after all, it is not Microsoft who will take over the world... it will be the RIAA...

    25. Re:hehe by phoneteller · · Score: 0

      Maybe the RIAA will approve which TV channel we're gonna watch in future, or what files we download or what websites we're gonna visit!!

    26. Re:hehe by csteinle · · Score: 1

      and remember to duck...

    27. Re:hehe by Anonymous Coward · · Score: 0

      Some universities do have a way. It's through a program called "Ruckus". http://www.ruckus.com/ If you have a university email address you can download all the (DRM-laden mind you) free music you want to, for listening to on your computer as long as that email address is valid. And it's completely legal.

    28. Re:hehe by chris462 · · Score: 1

      Nobody is addressing the real problem. Students are facing a hard time downloading music.

      This is total FUD. These are civil suits, which incur civil penalties (read: this is a money grab).

    29. Re:hehe by geminidomino · · Score: 1

      So IOW, it's not a physical -> Data conversion, it's an Original -> New Format.

      Interesting evolution there...

    30. Re:hehe by Amisinthe · · Score: 1

      We should address the real issue here and provide sex to all students!

      Corrected for you.

      No need, the students are happily providing sex to each other.

    31. Re:hehe by Anonymous Coward · · Score: 1, Insightful

      That is a bit misleading...

      Let's say it's 6 months. ~30 days per month, 6 months, and something large like 10k in machines. That is about 1800000 records if each one requests 1 new IP per day. Then 4 bytes to hold the IP, 4 bytes to hold the pointer to 'who owned it'. So about 28 meg of data. Hardly a 'bucket load' of data. When I can get a TB of HD for ~200 bucks it's not even that cost prohibitive.

      Even if all the machines request 10 times a day that is 280 meg of raw data. That is NOTHING in the world of a relational db.

      Just obfuscating the problem with 'bucket load' only pisses judges off. They will THEN start making unreasonable demands.

    32. Re:hehe by nauseum_dot · · Score: 1

      Seriously, you couldn't write a program to copy the dhcp logs to a file with a date in it?

      I'll bet, there is some Camel hacker reading this post that could write it in about 30 minutes. I know it would take me about a day to write a program that would take the logs at 3:00 am copy them to a new file and zip it. The hardest (for me) part is making sure that logs and STDERR outputs are written correctly.

      --
      Crap! I just kissed my karma good-bye.
    33. Re:hehe by heil_hitler_000001 · · Score: 0, Troll

      And the jew fag in RIAA will proceed to take control of the internet for their grand master.

    34. Re:hehe by poopdeville · · Score: 1

      No, you really didn't.

      --
      After all, I am strangely colored.
    35. Re:hehe by Homer's+Donuts · · Score: 1

      Or about 6 million boxes of punch cards.

      (My church organ uses these to set voices)

      So maybe I could make an mp3 of my organ playing each card.

      No, you can NOT make a copy.

    36. Re:hehe by Profane+MuthaFucka · · Score: 1

      Practicing for the service economy.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    37. Re:hehe by BraksDad · · Score: 1

      What is wrong with the traditional frat/sor houses?

      --
      Slowly waving my hand - "This is not the sig you are looking for."
    38. Re:hehe by Archangel+Michael · · Score: 1

      Why hasn't anyone suggested doing both???

      Provide Sex to all students and FILM it, providing a robust Porn Library at the same time??? **

      ** Patent Pending. Copyright (2008). All rights reserved. No duplication, reproduction without the express written consent of the Commissioner of Porn.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    39. Re:hehe by The+Spoonman · · Score: 2, Insightful

      were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.

      Not necessarily. The easiest way is to just increase your IP pool and lease time. I have Roadrunner, and I've had the same IP for about 10 months now. Now, mine is on 24/7, but even after being offline for a day or so (because of power outages), I'll get the same IP when I reconnect. It doesn't take a large amount of horsepower to store a database of 75,000 IP addresses that only change once every few months.

      AOL and the like, not as easy, but not very difficult to implement, either. But, does anyone have any info on how many dial-up users they've gone after? I can't imagine it's that many.

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    40. Re:hehe by Khyber · · Score: 1

      Last I remembered before we had all this wonderful technology, to rip was a verb describing a hit off a bong or other similar water pipe. When the hell was it turned from stoner lingo to technological lingo?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    41. Re:hehe by electrictroy · · Score: 2, Interesting

      I've always preferred the word "steal". It's so much more accurate (and honest). Of course if you own the CD you are ripping or burning, then it's really just copying ("I copied my CD over to my iPod."). I try to avoid slang like "burn" or "rip", because it's just so imprecise. Can you imagine if we used that kind of slang back in the 80s:

      - "I 'ripped' an INXS tape to my Commodore=64."
      - "Awesome! 'Magnetize' me a copy onto a floppy."

      - "Wouldn't you prefer I 'etched' a record instead?"
      - "No man, etching records is so 1970s."

      --
      The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
    42. Re:hehe by Anonymous Coward · · Score: 0

      I've always preferred the word "steal". It's so much more accurate (and honest).

      Go chew on glass, troll.

    43. Re:hehe by Mattsson · · Score: 1

      From now on, all network equipment and IP-stacks must include the "Trusted Network Platform"-technology.
      Unfortunately, this can't be implemented in Open Source due to licensing, patents and secret NSA/DHS backdoors.

      If you have equipment that doesn't include TNP, you might be funding terrorism! *gasp*
      You're not a terrorist, are you?

      --
      /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
    44. Re:hehe by Anonymous Coward · · Score: 0

      Nobody is addressing the real problem. Students are facing a hard time downloading music.

      The universities should provide a server within campus to download music. Problem solved.

      Times are tough. With some now adapted to the MacBook Air, students' muscles may no longer be ready for bulky objects like external USB/eSATA terabyte drives...

      If it takes around 5 minutes to transfer the 21.5 GB of 720p Firefly over eSATA, a song takes....?

    45. Re:hehe by NewYorkCountryLawyer · · Score: 1

      If you have equipment that doesn't include TNP, you might be funding terrorism! *gasp* You're not a terrorist, are you?

      No, it's my adversaries who are the terrorists. I'm with the good guys.

      --
      Ray Beckerman +5 Insightful
    46. Re:hehe by Cramer · · Score: 1

      No it wouldn't. The entire syslog records of the dialup hardware for an ISP I previously worked for fit entirely on a single 1G Jaz disk. That's 4 years worth of records -- from the day they went public to the day we switched to RADIUS. The RADIUS accounting record dumps for ~3yrs were also pretty small. I could tell you who was using what address with 99% certainty within minutes. This is not the mountain of data you seem to think it is. If telcos can keep CDRs for every call in their network for 10 years, a university can certainly keep DHCP logs for 6 months.

    47. Re:hehe by hob42 · · Score: 1

      In the days before CDs and MP3s, "ripping" tunes was the process where people far more inventive than I would find the song data in an executable or data file of a game with cool music and convert it to a MOD format so you could listen to it with any old music player.

      Folks using "rip" to mean encoding CDs to MP3 just seems lame by comparison.

    48. Re:hehe by Cylix · · Score: 1

      Um, ISPs do already keep this data.

      Users authenticate against RADIUS; the database stores the login, IP address and other tidbits like time.

      Once the user disconnects the depart time is also accounted for.

      Kinda legacy at this point, but back in the day it was quite necessary for accounts which were on a metered basis.

      Thus at the end of the month the totals could be tabulated or a running tabulation could be kept.

      I'm unsure of how long most organizations keep this data, but generally we rotated out the old data after about six months to archive logs. Archives after three years were generally useless and relegated to tape.

      I do remember one time when someone managed to get lucky and we had some holes due to database errors. However, there was enough additional evidence that our data would have been ancillary.

      It really depends how you design your authentication system and data storage.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    49. Re:hehe by Baron+von+Pilsner · · Score: 0

      You mean sex with a partner and not alone, right...?

      --
      -- I'll be back before you can say antidisestablishmentarianism...
    50. Re:hehe by Baron+von+Pilsner · · Score: 0

      When somebody stole my guitar, I no longer had it in my possession (and I really miss that guitar).

      When somebody makes my band's albums available online, I still have the originals. They have not been stolen from me.

      And yes you can make the joke that they aren't worth stealing if you like...

      --
      -- I'll be back before you can say antidisestablishmentarianism...
    51. Re:hehe by ziggy00001 · · Score: 1

      Heck let's go for the triple play: Sex, Drugs and Rock'n'Roll

    52. Re:hehe by Arrak+Esterhazy · · Score: 1

      You and me both, Ray.

  2. That's one smug grin i would love to see. by Deus.1.01 · · Score: 4, Insightful

    I'm sure the ICT department were real sorry they couldn't facilitate RIAA's demands.

    --
    My -1 Troll is actually a +1 funny. And my -1 flame is actually a +1 insightfull.
    1. Re:That's one smug grin i would love to see. by OeLeWaPpErKe · · Score: 0

      Yeah indeed. That reads like a list of excuses too idiotic to be reasonably believed.

      A dhcp server can't match ip to mac ? Oh sure why not ... if I were the RIAA's lawyer I'd say "then I'm sure you won't mind if I take a look at those logfiles, now will you ?". And then accept their apology in trade for a promise not to persecute this guy personally for lying in court (2 years).

      "Only ARP is possible" riiiiiiiiiiiiiight ... and that would have nothing to do with arp being impossible after the computer is disconnected, in other words, it'd be worthless for the RIAA.

      They're attempting to bullshit a judge. I'm ambivalent about this. This really shouldn't work and should get that "expert witness" prosecuted for fraud. On the other hand, I like what he's doing ...

      But this is bullshit. Since it's presented as the truth to a judge, it really should get someone in trouble.

    2. Re:That's one smug grin i would love to see. by Anonymous Coward · · Score: 4, Insightful

      DHCP is not required to keep a mapping between MAC and IP address. At least not at the protocol level. A very minimalistic implementation of a DHCP daemon would only need to keep the IP addresses that it has doled out and for how long - after expiry time, mark that address as unused. The client, according to the RFC, is supposed to ask for a new IP address and work properly if it gets a new address. That would qualify as conforming under the RFC that spells out DHCP. If you do that and don't store the IP address, you can't reverse the mapping using DHCP - only ARP can.

      Last I checked, universities were not required to keep log files, and if you kept log files from the above program (that printed "Issued IP xx.xx.xx.xx at 12:00:00UTC for 4h"), it wouldn't help you in the slightest.

    3. Re:That's one smug grin i would love to see. by Just+Some+Guy · · Score: 2, Informative

      A dhcp server can't match ip to mac ?

      Not if it doesn't log. Furthermore, what they're really saying is that it can't match IP to ephemeral MAC that may or may not have been spoofed.

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:That's one smug grin i would love to see. by Anonymous Coward · · Score: 0

      To be honest, my DHCP servers don't keep logs either, why would I, active leases are the only ones relevant for operational purposes. The only thing logged are exceptions (invalid DHCP requests, etc).

      I got screwed over by my ISP over a similar case, where the logfiles did exist but were erroneous....

    5. Re:That's one smug grin i would love to see. by Aqualung812 · · Score: 1

      It is not bullshit if you don't log DHCP assignments. Why would you? None of my DHCP servers log. Either something has an active lease, or if it does not, I don't care about it!

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    6. Re:That's one smug grin i would love to see. by petecarlson · · Score: 5, Informative

      I run an ISP which uses multiple DHCP servers on each layer2 segment. DHCP assignments are logged and kept for a month but quite frequently we get a notice of claimed infringement, spam, or malicious behavior that can't be mapped to an active DHCP assignment at the time stated in the notice. That is not to say that the claimant is making things up, rather that DHCP is not authoritative. A DHCP offer does not need to be taken and even if taken it does not need to be kept. Mac (Not MAC) users seem to have the habit of taking an IP address they have received in the past and setting it as a static IP. I don't use a Mac but this must be in the gui somewhere because it happens all the time.

      A dhcp server can't match ip to mac ? Oh sure why not ... if I were the RIAA's lawyer I'd say "then I'm sure you won't mind if I take a look at those logfiles, now will you ?". And then accept their apology in trade for a promise not to persecute this guy personally for lying in court (2 years).

      1) User 1 receives a DHCP assignment and sets it as static. They then turn off their laptop after some time.

      2) Lease runs out and the address is returned to the pool.

      3) User 2 requests an IP and is assigned the same IP (IP1).

      4) User1 gets home and turns on their computer and starts sharing "The Wire ...".

      5) User2 gets IP conflict message and repairs connection. Gets different IP (IP2) from other DHCP server.

      6) HBO sends me a "Notice of Claimed Infringement" for IP1 at time X.

      7) I look up who was assigned IP1 at said time and come up with user2.

      Looks like we got our match.
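The misattribution in the seven steps above can be reproduced and caught by cross-checking lease logs against ARP observations. The following is an added example, not part of the original post; it assumes the operator keeps timestamped ARP-table snapshots alongside DHCP lease logs, and all addresses, MACs and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:            # one row from a DHCP server's lease log
    ip: str
    mac: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class ArpSighting:      # one row from a router ARP-table snapshot (assumed to be kept)
    ip: str
    mac: str
    seen: datetime


def attribute(ip, when, leases, sightings, window=timedelta(minutes=5)):
    """Return (verdict, lease_macs, observed_macs) for `ip` at time `when`.

    The lease log says who was *assigned* the address; ARP sightings say
    which MAC was actually *answering* for it near that time.
    """
    holders = {l.mac for l in leases
               if l.ip == ip and l.start <= when < l.end}
    observed = {s.mac for s in sightings
                if s.ip == ip and abs(s.seen - when) <= window}
    if not holders:
        verdict = "no-lease"          # static config or gap in the logs
    elif len(holders) > 1:
        verdict = "ambiguous-lease"   # overlapping leases from several servers
    elif not observed:
        verdict = "lease-only"        # nothing corroborates the assignment
    elif observed == holders:
        verdict = "corroborated"      # still a machine, not a person
    else:
        verdict = "conflict"          # someone else was using the address
    return verdict, sorted(holders), sorted(observed)


def t(hhmm):
    # Constructed date; only the time of day matters for the scenario.
    return datetime.strptime("2008-01-15 " + hhmm, "%Y-%m-%d %H:%M")


IP1, IP2 = "192.0.2.10", "192.0.2.20"          # documentation-range addresses
USER1_MAC, USER2_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"

# Constructed logs following the steps in the post.
LEASES = [
    Lease(IP1, USER1_MAC, t("08:00"), t("12:00")),  # 1) user1 leases IP1, sets it static
    Lease(IP1, USER2_MAC, t("13:00"), t("17:00")),  # 3) user2 is assigned IP1
    Lease(IP2, USER2_MAC, t("14:02"), t("18:02")),  # 5) user2 gets IP2 from the other server
]
SIGHTINGS = [
    ArpSighting(IP1, USER2_MAC, t("13:29")),        # user2 really using IP1
    ArpSighting(IP1, USER1_MAC, t("14:00")),        # 4) user1 returns with static IP1
    ArpSighting(IP1, USER1_MAC, t("14:58")),
    ArpSighting(IP2, USER2_MAC, t("14:59")),
]

if __name__ == "__main__":
    # 6) notice arrives for IP1 at 15:00; 7) the lease log alone names user2
    for ip, when in [(IP1, "15:00"), (IP1, "13:30"), (IP2, "15:00"), (IP1, "12:30")]:
        print(ip, when, attribute(ip, t(when), LEASES, SIGHTINGS))
```

For the notice at 15:00 the lease log names user2's MAC while the ARP sightings show user1's, so the lookup is flagged as a conflict instead of being returned as a match.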

    7. Re:That's one smug grin i would love to see. by clone53421 · · Score: 2, Informative

      A dhcp server can't match ip to mac ? Oh sure why not ... if I were the RIAA's lawyer I'd say "then I'm sure you won't mind if I take a look at those logfiles, now will you ?". And then accept their apology in trade for a promise not to persecute this guy personally for lying in court (2 years).

      And they'd say "Sure, here's the last 10 days worth of DHCP logs. Sorry, but we don't keep them longer than that. These won't be of much use to you, of course... if you want useful logs in the future you'll have to notify us within 10 days of the alleged infraction." (oh wait: they did say that.)

      "Only ARP is possible" riiiiiiiiiiiiiight ... and that would have nothing to do with arp being impossible after the computer is disconnected, in other words, it'd be worthless for the RIAA.

      Um, they're saying "without DHCP logs, ARP is the only thing remaining to possibly tie a user to an IP address, and it can't conclusively do so." Which is pretty much the same thing as you're saying, if you look at it closely.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    8. Re:That's one smug grin i would love to see. by Piranhaa · · Score: 2, Interesting

      What you need to do then is restrict traffic based on IP leases.

      My ISP will refuse to let traffic pass if the IP address set is not dynamic. They require you to enable dhcp, even if you're a static customer. In rare occasions if my dhclient has acted up, my internet will no longer work.

      This not only makes administering your network easier and network safer (less chance of spoofing), but also better for your customers so they don't get conflicting IPs if someone decides to be 'naughty'.

    9. Re:That's one smug grin i would love to see. by mzs · · Score: 1

      I wish I had mod points. What the parent wrote is correct. In fact I see the following happen to me. My lease time is 6 hours. Every fourth time I try to renew the lease I get a different IP address. I think my ISP does this to make it hard for people to run servers. I guess they do not know about DDNS and their perfect 24 hour pattern makes it very easy for me to get the new IP addresses at a time it usually does not cause a problem.

    10. Re:That's one smug grin i would love to see. by Mattsson · · Score: 1

      But many systems don't release their DHCP-lease when shutting down, and you might simply yank the power.
      So if the address is leased out to you, but your computer is off, another computer might be able to use that same address statically until the lease expired in the DHCP server.

      The only somewhat secure way of being sure that the connecting computer is actually used by a certain user, is via 802.1x authentication.
      If you don't authenticate yourself, you can't even get past the ethernet port you're connected to.

      --
      /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
    11. Re:That's one smug grin i would love to see. by petecarlson · · Score: 1

      My point was not that this is the best way of doing things, but rather that this is often the way things are done and is quite likely the same setup that was being used in the network in question.

    12. Re:That's one smug grin i would love to see. by policysup · · Score: 1

      Well, even though they may not be required, at the last two ISPs I worked for, the average time that logs were kept was 6 months to a year. (a year being new average.) Mostly because they also have to do internal abuse investigations as well as legal requests. The system is not perfect, but it catches 99%.

    13. Re:That's one smug grin i would love to see. by Piranhaa · · Score: 1

      The way it's done is that the lease is actually tied to your interface. All and ONLY your traffic passes through it, and no one else can spoof it (there is protection against this). So if someone else was to obtain the IP AND Mac address of your system within a 43 minute period (the length of the lease) AND was connected to your physical line, they simply wouldn't be able to do anything about it.

  3. And the judge understood it? by Bazman · · Score: 4, Interesting

    I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?".

    http://www.theinquirer.net/en/inquirer/news/2007/05/17/judge-has-beatles-moment-over-internet

    or maybe he didn't:

    http://www.theinquirer.net/en/inquirer/news/2007/05/18/judge-didnt-have-beatles-moment-after-all

    Apparently the original story of the judge saying 'Who are the Beatles?' might be a myth anyway...

    1. Re:And the judge understood it? by Opportunist · · Score: 4, Informative

      What makes you think judges know anything about technology?

      That's not a requirement for them. Here, we have sworn in experts for almost every field in existence, from agriculture to zoology. And of course electronics, electrotechnics and yes, even IT. And with the IT field expanding, they're broadening the board of experts in that field.

      If a judge doesn't know jack about something, he calls an expert and has him explain what's cooking. What does this or that mean, how does this or that work, is this claim credible, everything. These experts are required by law to give a verifiable and cross examined report about their findings and expertise, and usually (not always) their claims stand unchallenged by either side, because they usually are actually right.

      Of course either side may bring their own experts to the table and discuss it out with the court's expert. And yes, it makes sense to bring your own expert, especially if you're the defendant, since all you have to do is punch holes into the court's expertise. All your expert has to do is create "credible doubt". But, as said before, the experts there are far from dumb (or they don't retain that status, together with the rather good payment, for long), so punching holes into his expertise is already nontrivial.

      That whole ordeal is expensive, of course, and usually only warranted if the value of the claim exceeds trivial amounts. Maybe that's the reason why the RIAA (or its sister organisation here) didn't try a multi million charge yet so far. I have good faith that the court's experts alone blow them and their "proof" out of the courtroom before the session even starts.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:And the judge understood it? by meringuoid · · Score: 5, Insightful

      I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?"

      You mean judges who know meaningless jargon when they hear it, and want all terms of reference used in their courtroom to be clearly defined.

      What, exactly, legally speaking, is a 'website'? Where does one 'website' end and another begin? How does a 'site' differ from a 'page', if at all? Is a 'forum' part of a 'website', or only attached to it? Is there, as the media often says, a 'file sharing website' called 'BitTorrent' on which pirates trade music? What exactly is this 'Web' thing anyway, and how is it distinct from the 'Internet', if at all?

      A lot of terms bandied about in common parlance regarding Internet services are very vague, and I'm glad to hear of judges demanding that they be defined clearly and unambiguously when in court.

      --
      Real Daleks don't climb stairs - they level the building.
    3. Re:And the judge understood it? by bhima · · Score: 1

      "Here" where? In the US? I had no idea they did that. I've been in court a few times and never saw anything like that, even though I thought it was needed.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    4. Re:And the judge understood it? by squizzar · · Score: 4, Informative

      I don't know about the US, but in the UK an expert witness must give completely impartial testimony, or face being held in contempt. Whilst a company may hire an expert witness to investigate a case, once they are sworn in they must answer all questions in a completely honest manner, even if it is detrimental to their employer's case. We had a lecture at uni from a guy who worked as an investigative engineering consultant (or something like that). He said he'd quite often inform companies that hired him that maybe they shouldn't take a case to court as he would be obliged to give honest and impartial testimony, and that may not be a good thing for them.

    5. Re:And the judge understood it? by Elky+Elk · · Score: 1

      or maybe they want things legally defined for the jury?

    6. Re:And the judge understood it? by Opportunist · · Score: 2, Insightful

      Generally that's true, of course. Still, a court expert may bring up facts that the opposing side (of an expert brought in by one side) wouldn't think of. The court experts are required to offer all information they consider important to a case, unasked.

      Generally it is frowned upon when they can't at least credibly try to offer information beneficial for both sides, the very last thing one of those "impartial experts" wants is to be accused of offering biased testimonies, something that happens easily when the testimony appears biased. Since their testimonies have a lot of influence on a verdict (the judge basically has to trust this expertise and often simply tack it to the verdict), if a side gets disadvantaged by it their most likely attempt at a defense is to bring in an expert of their own and have him come up with scenarios that are beneficial for their side that were left out by the court's expert and argue that he is biased. It is often the only defense you have against it.

      Now, the very last thing such a court expert wants is an accusation of a biased expertise. It can easily cost him his position, and since it's very easy money for them, bribery is usually quite useless. People who are even considered for such a position usually do it less for the money, since they are such luminaries in their field that they usually already have earned more than they can spend in a lifetime. The goodwill loss for being labeled a biased court expert is most of the time a bigger fear for them than any money can wipe.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:And the judge understood it? by Off+the+Rails · · Score: 1

      Brings to mind this classic: http://www.youtube.com/watch?v=z6KyA_KabNM

    8. Re:And the judge understood it? by Viol8 · · Score: 1

      You could say that about many things in life. eg: How do you define a car? Is an SUV a car? What about a pickup - they're more or less the same size? Is a pickup really a truck? What is a truck anyway? What's the difference between a house and a mansion? etc etc etc.

      Very few things outside mathematics or physics have an absolute carved in stone definition. This is either because there's a whole spectrum of similar things with no clear demarcation anywhere, or simply because of limitations of human language. Law courts must take this into account and this applies when talking about the internet.

    9. Re:And the judge understood it? by Threni · · Score: 1

      > You mean judges who know meaningless jargon when they hear it, and want all terms of reference used in their courtroom to be clearly defined.

      Exactly. It's always amusing when people who know nothing about the process of law criticize judges. The most famous example is perhaps "who are the Beatles" - as if Judges are somehow able to distinguish a pop group who'll be famous for decades after they split up from the thousands of crap, me-too disposable bands who had a one-hit wonder and then vanished into well-deserved obscurity.

    10. Re:And the judge understood it? by marcosdumay · · Score: 1

      Maybe that is why laws define the meaning of 'car' and 'residence'.

    11. Re:And the judge understood it? by caluml · · Score: 4, Funny

      How do you define a car? Is an SUV a car? What about a pickup - they're more or less the same size? Is a pickup really a truck?

      The answer, of course, is programmatically.

      public class SUV extends Vehicle implements PoorFuelEconomy, DangerToOtherRoadUsers {
          private int lengthCms;
          private int heightCms;
          private boolean isPickup = false;
      }

    12. Re:And the judge understood it? by bloobloo · · Score: 4, Interesting

      Judges ask questions like that in order to ensure clarity. Remember, their cases will still be sitting in archives in hundreds of years' time, potentially to be used as precedent.

      While I expect Elvis, Sinatra, The Beatles and other artists of that calibre will be known for a LONG time, at what level do you draw the line? Radiohead? S Club 7? The Cheeky Girls?

      By adding less than 30 seconds to the case by the exchange:

      "Who or what are the Beatles?"
      "A popular beat combo musical band, m'lud. "

      not only will humour be created by people saying "Oh, how ignorant judges are!", it ensures that 500 years down the line a case about cockroaches isn't confused by people pulling out the wrong information.

    13. Re:And the judge understood it? by Anonymous Coward · · Score: 0

      None of your examples were vague. They have definitions.

    14. Re:And the judge understood it? by petermgreen · · Score: 1

      IIRC in the USA most SUVs are legally light trucks.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    15. Re:And the judge understood it? by Viol8 · · Score: 1

      Not in my country they don't.

    16. Re:And the judge understood it? by Anonymous Coward · · Score: 0

      and there are many cases where nobody but the person sitting in the expert witness chair knows whether he really gave honest and impartial testimony.

      Furthermore if a second expert witness was brought in to testify against the first, a lot of things fall under a difference of opinion or interpretation. Unless the expert witness makes a gross error he can shape his testimony in favor of whomever is paying him quite nicely.

      Maybe the UK has a slightly better expert witness system, maybe it does not. What is for sure is that it is a police state and its citizens' freedoms are being usurped (or given up willingly?) at an alarming rate. So put that in your pipe and smoke it!

    17. Re:And the judge understood it? by ultranova · · Score: 1

      You could say that about many things in life. eg: How do you define a car? Is an SUV a car? What about a pickup - they're more or less the same size? Is a pickup really a truck? What is a truck anyway? What's the difference between a house and a mansion?

      If any of that has any relevance to a case, then I'd certainly hope that the court either looks up the definition in a dictionary or whatever, or defines it for the purposes of the case, and any future case uses the same definition unless there's a good reason to change it. After all, it's kinda hard to judge a case correctly if you don't even know what, exactly speaking, the case is.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    18. Re:And the judge understood it? by Zontar+The+Mindless · · Score: 1

      Get back to me when "expert" witnesses are punished for giving false and misleading evidence.

      But that's what appears to have happened in the wake of the Susan Clark trial.

      The flawed statistics used by the prosecution in the Clark case would likely not have been nearly so convincing, had a key piece of evidence not been suppressed by another doctor. Allan Williams, the pathologist who withheld the relevant information about Clark's medical condition from her defence (and apparently botched the autopsies he performed on the infants), was ultimately found guilty of misconduct and banned from practising medicine for 3 years. Meadow (the paediatrician who supplied the misleading statistics) managed to overturn being struck from practise, but has nonetheless been effectively discredited, and is not likely to be called upon for expert medical testimony in any future trials in the UK.

      So I think your complaint should be that Williams wasn't punished sufficiently, rather than that Meadow got off scot-free (which he didn't, at least not entirely).

      Also note that - at least in part due to the Clark case and other trials where Meadow was called on as an expert witness - the UK courts made it clear that medical expert witnesses are legally and professionally liable for false or misleading testimony, or for other misconduct relating to their actions as expert witnesses.

      --
      Il n'y a pas de Planet B.
    19. Re:And the judge understood it? by Anonymous Coward · · Score: 1, Informative

      'Expert' witnesses are coming under more scrutiny here in the US. Here are two that I've heard of in the past year.

      1) There is a forensics expert who was caught intentionally deceiving the court (for the prosecution, I believe) for a number of years. All cases where his testimony was relevant to the outcome of the trial are/were reexamined.

      2) The FBI was providing 'proof' that they could match one spent bullet with a box of bullets by claiming metallurgically that they were from the same production batch. This continued until their science was proven bad and that they knew their science was bad.

      Cases like this illustrate that expert witnesses may give biased or even false testimony.

    20. Re:And the judge understood it? by Anonymous Coward · · Score: 0

      That's a very narrow SUV, having no width :)

    21. Re:And the judge understood it? by clone53421 · · Score: 1

      No, it just inherits the width property from Vehicle.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    22. Re:And the judge understood it? by Anonymous Coward · · Score: 0

      (damn it - I hate the log in system - can't be arsed to log in then find this post again... AC it is...).

      UK judges: The last bastion for the proper and correct use of the English Language...

    23. Re:And the judge understood it? by Chris+Burkhardt · · Score: 1

      Whilst a company may hire an expert witness to investigate a case, once they are sworn in they must answer all questions in a completely honest manner, even if it is detrimental to their employer's case

      In the United States, all* witnesses must answer all questions in an honest manner after being sworn in. That's what the whole "sworn in" part is about.

      But expert witness testimony is treated no differently than other evidence, and may be disregarded by the jury if they think it is not credible.

      (*except the defendant, who is not required to incriminate herself.)

      --
      "And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
    24. Re:And the judge understood it? by Jonboy+X · · Score: 1

      And what are these "tubes" I keep hearing about?

      --

      "In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
    25. Re:And the judge understood it? by Anonymous Coward · · Score: 0

      You could say that about many things in life. eg: How do you define a car? Is an SUV a car? What about a pickup - they're more or less the same size? Is a pickup really a truck? What is a truck anyway?

      The department of transportation already has very clear rules defining cars, trucks, bicycles, motorcycles, mopeds, etc. This isn't new. All of them are vehicles though.

      In the USA, if the vehicle is a car, then it has to meet some strict standards, including fuel economy, rollovers, impact safety, bumpers, headlight placement, airbags, etc. If the vehicle is a light truck (minivans & most SUVs are in this category) then the standards are far far more lenient (which is why you are much less safe in a big SUV than a big car).

      And if the truck is over 6000 pounds (like Chevy Suburban or Hummer H1), then things get even more lenient.

    26. Re:And the judge understood it? by Anonymous Coward · · Score: 0

      You should have marked isPickup as final and static, it relates to the SUV class, not an individual instance of that class :)

    27. Re:And the judge understood it? by TheoMurpse · · Score: 1

      I don't know where you live, but they do in the US. I'd suggest your country never do business with the US, because it would take any first-year law student here about 10 seconds to find loopholes.

      If a word has more than one meaning in common parlance, then it is ripe for manipulation and in the US it might even be subject to nullification for vagueness.

    28. Re:And the judge understood it? by bitrex · · Score: 1

      That's true, for years US automakers classified as many vehicles as possible as "light trucks" so they would be subject to less stringent fuel economy requirements under the CAFE regulations.

    29. Re:And the judge understood it? by gknoy · · Score: 1

      In the United States, all* witnesses must answer all questions in an honest manner after being sworn in.... (*except the defendant, who is not required to incriminate herself.)

      If they answer a question, it must still be truthful -- they just have the option of Not Answering. (I don't think other witnesses have that option, unless doing so would incriminate themselves.)

    30. Re:And the judge understood it? by Anonymous Coward · · Score: 0

      It's the same in the US. Any expert brought into court is basically treated the same as any other witness. They have to tell the truth and if they refuse to answer they can be in contempt of court. If they lie they face perjury charges.

      Like other witnesses they face cross examination so one side can't call upon an expert witness and only ask him questions that help their side. If they did so, the opposing side hopefully is smart enough to ask the correct questions.

  4. First thing on that To Do List... by Anonymous Coward · · Score: 0

    At the university...

    Put every computer behind multiple routers and hubs.

    Good luck getting through the mess of routes and MAC addresses on each.

    1. Re:First thing on that To Do List... by iminplaya · · Score: 1

      Heh, That could be construed as "obstruction" in their eyes.

      --
      What?
    2. Re:First thing on that To Do List... by clone53421 · · Score: 1

      Huh? I was just trying to get a safe level of firewall between my computer and the dangerous world known as the "internet"!1

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    3. Re:First thing on that To Do List... by iminplaya · · Score: 1

      Obviously you have something to hide.

      And turn your sarcastic meter on.

      --
      What?
    4. Re:First thing on that To Do List... by clone53421 · · Score: 1

      You can't prove that. We aren't talking about waterboarding, this is a courtroom setting.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    5. Re:First thing on that To Do List... by iminplaya · · Score: 1

      Proof. I don't need no steeeenking proof. All I need is money. Then I'll get you, and your little dog too. Haven't you noticed how things work here? I wear you down. You settle. I get rich(er). The end. Who's next?

      --
      What?
  5. Remember, kids... by Anonymous Coward · · Score: 5, Insightful

    Remember kids: Just because an IP address doesn't necessarily identify a person doesn't mean that copyright infringement is OK.

    1. Re:Remember, kids... by Anonymous Coward · · Score: 1, Insightful

      Doesn't mean it's not OK either. It's an orthogonal argument.

    2. Re:Remember, kids... by Anonymous Coward · · Score: 0

      Yes, there are plenty of other reasons that justify copyright infringement instead. Choose one of them.

    3. Re:Remember, kids... by fortyonejb · · Score: 3, Insightful

      It also doesn't mean spinning the roulette wheel of blame to choose who to pin the infringement on is OK either.

    4. Re:Remember, kids... by sm62704 · · Score: 2, Insightful

      Remember kids: Just because copyright infringement may not be OK doesn't mean you can't share work that the copyright owner WANTS shared. The danger is having downloads go into a shared folder and downloading the RIAA's crap instead. You not only get dreck, but you get sued for your mistake.

      It seems to me that there ought to be proof of intent. If I'm trying to download The Station's The Fog but I get Radiohead's completely different song by the same name instead, why should Radiohead's label be able to sue me?

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    5. Re:Remember, kids... by OutSourcingIsTreason · · Score: 1

      Just because, in this era of absurd copyright term extensions, copyright infringement is illegal, that doesn't mean it's immoral.

      --
      "Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Mussolini
    6. Re:Remember, kids... by Just+Some+Guy · · Score: 1

      If I'm trying to download The Station's The Fog but I get Radiohead's completely different song by the same name instead, why should Radiohead's label be able to sue me?

      That's like trying for self-flagellation but getting kicked in the butt instead. Haven't you been punished enough?

      --
      Dewey, what part of this looks like authorities should be involved?
    7. Re:Remember, kids... by sm62704 · · Score: 1

      Dude, The Station is composed of friends of mine and they ROCK. I blogged at K5 the first time I saw them. Joe Frew introduced me to them later.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    8. Re:Remember, kids... by mea37 · · Score: 1

      Just because copyright terms have been extended beyond reason, has nothing to do with the validity or moral issues surrounding a movie/song/etc. that was created in the past year.

    9. Re:Remember, kids... by Anonymous Coward · · Score: 0

      Yes, there are plenty of other reasons that justify copyright infringement instead. Choose one of them.

      You first.

    10. Re:Remember, kids... by DamnStupidElf · · Score: 1

      Good example. Quoting is technically infringement, but covered by fair use and/or the exemptions for scholarly research or reviews. But try telling that to the RIAA if you play one of their songs while commenting on it and stick it on a P2P network.

    11. Re:Remember, kids... by Anonymous Coward · · Score: 0

      That's right.

      Copyright infringement is OK all by itself!

    12. Re:Remember, kids... by HiThere · · Score: 1

      Actually, it does. The reason is that it is the companies that produce the movies, etc., now that bought the grotesque copyright laws that exist. Bought. (Fairly cheaply, too, as I recall, though I don't recall precise numbers [not even to thousands]. The exact figures came out a few years ago for various congressional representatives, and were spread to several places for a few days. Then they stopped being news, and the oath-breakers remained unpunished. Some of them are still in office. [E.g. Feinstein and Boxer...though they might have seen it as supporting the local industry, and thus legitimate. Others have no such excuse.])

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    13. Re:Remember, kids... by mea37 · · Score: 1

      That would be a non sequitur.

      True, these companies, in advocating for their interests, tried to get anything they could whether justified or not. This is what companies do, and it was the government's job to stop it. The government declined to do its job, so over-reaching concessions were made to a special interest.

      However, that does not bear on their legitimate interests, such as copyright protection in the immediate term after a work is created. Saying it does is just a rationalization to ignore others' rights when they're inconvenient.

      Wanting more than you should have doesn't negate your right to what you should have.

    14. Re:Remember, kids... by OutSourcingIsTreason · · Score: 1

      It's also in the immediate interest of these companies to not be perceived as a bunch of greedy pigs stealing music from the public domain and then suing people for taking what should rightfully be theirs.

      --
      "Fascism should more properly be called corporatism because it is the merger of state and corporate power." -- Mussolini
    15. Re:Remember, kids... by Anonymous Coward · · Score: 0

      Remember, kids...
      Just because the RIAA are corporate and within the law (...most of the time) doesn't mean the law is right.

      IPs are horribly dated.

    16. Re:Remember, kids... by Tuoqui · · Score: 1

      A Fair(y) Use Tale

      Long story short

      1) Copyright started out as 7 years.
      2) Copyright extended to 14 years.
      3) Copyright extended to like lifetime.
      4) Copyright extended to life+70 years.
      5) Corporate authorship lasts the life of the company. If company is bought it lasts the life of that company.

      Ever since Mickey Mouse was created in 1928 there has NEVER been an instance of a copyright expiring into the public domain. Maybe the ordinary people should lobby for shorter copyrights. However, there are a large number of laws and treaties in place that are presumably industry funded (MAFIAA) that dictate the length of protection for signatory countries and what not. Look up WIPO. It also dictates draconian measures like adopting DMCA-like provisions and what not which is a major reason why Canada hasn't ratified that particular treaty (instead working on the older treaty they are signatory to 'Berne Convention').

      If something is created and NEVER goes into the public domain then it is effectively theft from the public domain. The one good thing about patents over copyrights is the fact that AT LEAST they expire in 20 years (although I'm sure some patent trolls would just *LOVE* to extend that to Life+70 years).

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
  6. What, me change MAC address? I wouldn't do that... by apathy+maybe · · Score: 4, Informative

    Actually, I would and have done that.

    Say you are in a situation where you can't connect your laptop to a network, but you can find the MAC address for a computer that is connected to that same network.

    1) Disconnect the computer that is connected;
    2) Change your laptop MAC (I assume you are all using some variant of GNU/Linux, but whichever, you can find information at http://www.irongeek.com/i.php?page=security/changemac which will get you started, there is also a tool available for Ubuntu (and I guess other *nix) which can randomise your MAC, choose a MAC based on a specific company etc.)
    3) Connect your laptop to the network in place of the other computer.

    Did I mention profit? I never did, but all I wanted to do was not be forced to use Windows and MSIE. (Of course, disconnect your laptop before reconnecting the other computer, having two machines with the same MAC could cause problems.)

    So, even if you have a case of having to register your MAC before connecting to the network (which is the case in many places), because it is so easy to spoof MACs, I don't think that you can even reliably connect MAC addresses to a computer (at least in the cases where geeks are around), let alone an IP address to a computer.

    Basically, the only way that one should be trying to identify individuals is by using username/password, and even that is potentially problematic. (At my old Uni, to connect to the Wireless network you had to use your network login/password, it then didn't matter which computer you were using. Though in that case, I think the software only worked for MS Windows, the Mac and *nix software for the protocol wasn't up to scratch.)

    --
    I wank in the shower.
  7. You don't have a loghost? by Colin+Smith · · Score: 1

    I thought that was pretty much standard practice these days.

    Anyway, it's trivial to do.

     

    --
    Deleted
    1. Re:You don't have a loghost? by the4thdimension · · Score: 4, Informative

      Still impossible to tie it to a MAC address with any certainty that that MAC address corresponds to the same person now as it did then. For instance, say CompOwner 1 owns Comp A with MAC 1 uploads a bunch of crap on kazaa. RIAA gets to requesting the info but lags. In the mean time, Comp A is sold to another person on the same campus, becoming CompOwner 2 owning Comp A with MAC 1. The way DHCP works, they are likely to end up with the same IP and same MAC address but it's a totally different person.

    2. Re:You don't have a loghost? by sgbett · · Score: 5, Insightful

      And, of course, nobody has *ever* spoofed a MAC Address ....

      --
      Invaders must die
    3. Re:You don't have a loghost? by ta+bu+shi+da+yu · · Score: 1

      Maybe for dial-in or cable. But if corporations or campuses that provide Internet access had to maintain all MAC to IP addresses, this would get out of hand.

      Seriously, I've been wondering how long it was going to take for a network admin to point out what the IT dept. of Tufts University has pointed out. ARP was never designed to be audited like this, and why the heck should it? And I've also been wondering when someone would twig that a computer can be used by more than one person. Sheesh.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    4. Re:You don't have a loghost? by bjourne · · Score: 2, Informative

      Not necessarily. Many ISPs tie the IP address allocation to the socket. It is quite common to do so for student apartments and dormitories. That is, the RIAA could prove, with the university's help, which network socket the infringing file came from.

    5. Re:You don't have a loghost? by IceCreamGuy · · Score: 3, Interesting

      Why don't you go a step further and just assume that everyone does their illegal sharing in a virtual machine? Hell, you could change the MAC every day. The possibilities for error by tying an IP to a MAC are pretty boundless.

    6. Re:You don't have a loghost? by Kent+Recal · · Score: 2, Informative

      Spot on. The lack of clue within the RIAA is mind-numbing.
      A MAC-Address is completely meaningless. As in:

      ifconfig eth0 hw ether 00:DE:AD:BE:EF:00

      Entertaining lawsuit indeed.
      But the sour point is that the RIAA apparently still has money to burn... Will it ever end?

    7. Re:You don't have a loghost? by theophilosophilus · · Score: 1

      Still impossible to tie it to a MAC address with any certainty that that MAC address corresponds to the same person now as it did then. For instance, say CompOwner 1 owns Comp A with MAC 1 uploads a bunch of crap on kazaa. RIAA gets to requesting the info but lags. In the mean time, Comp A is sold to another person on the same campus, becoming CompOwner 2 owning Comp A with MAC 1. The way DHCP works, they are likely to end up with the same IP and same MAC address but it's a totally different person.

      I don't see why this is a problem. It's like a hit and run case where they know the car. Claiming the car was driven by someone else by sale or permission is a defense - it does not invalidate the entire case.

      The important difference that the court in this case needs to realize is that in a campus piracy scenario - every case could be a "borrowed car" situation because it is much more likely that a computer will have multiple owners/users. Then add the further complexity that MAC is not as permanent as the RIAA would have people believe.

      --
      Why have 1 person driving a backhoe when you could employ 20 with shovels?
    8. Re:You don't have a loghost? by Anonymous Coward · · Score: 1, Informative

      All you'd need to do is change your mac address using ifconfig, then get a new DHCP lease before you did the illegal and nobody knows nuttin'. After you are done, just reboot.

      You *cannot* use MAC address as a reliable identifier. You can change yours in approximately 15 seconds. As long as the octets are valid it will work (even AA-AA-AA-AA-AA-AA). Then you grab a new lease which is just about guaranteed to get an unused IP address, which is different than the one you got with the default hardware mac address. When you are done Kazzaing, just reboot. Your MAC will reset back to the default hardware settings and you'll get your IP back.

      I've done this research because my boss at the bank I used to work for was trying to find a reliable way to ID a computer. The answer is you can't. You have to ID the user, not the hardware ;) The only way to do this is to go KGB with your network, which most schools will never do.

      -Viz

    9. Re:You don't have a loghost? by omnichad · · Score: 1

      That's a whole lot easier if the socket is a port on a DSLAM and not a port on a network switch

    10. Re:You don't have a loghost? by Anonymous Coward · · Score: 0

      While spoofing MACs is possible and a computer may have multiple users, the MAC that held the IP in question is still the best place to start looking for the user who did whatever it is the RIAA is complaining about. Good on Tufts for resisting, but the rules say that the RIAA really does have a right to investigate. (Obviously, a MAC alone is not enough for a conviction, but it's a likely place to start looking for more evidence.)

      Federal Rule of Civil Procedure 26(b)(1): "Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense . . . Relevant information [is anything that] appears reasonably calculated to lead to the discovery of admissible evidence."

      If Tufts' resistance accomplishes anything, it merely puts a time delay in the process so that people who are spoofing their MAC regularly can have switched MACs before any investigation can get to them.

      YIIALBIANYL. GYOGDL. YMNO.

    11. Re:You don't have a loghost? by Dr.+Donuts · · Score: 1

      While that winnows down things a little, it still isn't conclusive evidence. Home routers/firewalls that do NAT and provide wireless and 4 port switches/hubs are quite common and cheap and allow for that network port to be used by multiple machines. And almost all of them allow you to assign a MAC address to be used for DHCP purposes for the WAN port.

    12. Re:You don't have a loghost? by Anonymous Coward · · Score: 1, Insightful

      Tying IP+Time to MAC is easy, the problem is that it doesn't tie to a person.

      The solution to that is just active sniffing, which is far scarier than anything they're doing now.

      Log any screennames or usernames they login to on that IP+Time+Mac session. Factor in things like browser useragent, TCP timestamps and sequence numbers, browsing patterns, etc.

      None of this is 100% certainty, but enough pieces of data and you could get a reasonably accurate view of who someone is, and at the same time pick up plenty of more useful info too such as profiling -- which users primarily load torrent sites, who they IM most often, really... anything you do in cleartext.

      And if you do everything encrypted, I hope you convince everyone else to give up their unencrypted things and do the same, otherwise you being the only 100% encrypted person would give you away.

      Not to mention you could still tie what IPs you communicate to, and who signed the keys you're talking to. Or just block any non-approved encryption (including all HTTPS to self-signed certs).

      None of this is easy, but all of this is doable with today's technology and a little funding.

    13. Re:You don't have a loghost? by CowTipperGore · · Score: 2, Informative

      Not necessarily. Many ISPs tie the IP address allocation to the socket. It is quite common to do so for student apartments and dormitories. That is, the RIAA could prove, with the university's help, which network socket the infringing file came from.

      And how exactly does that help? Student housing generally has two to four people in the same room or suite, students sometimes provide their own WAP or wired switches, and students often share their computers with friends.

      The most restrictive arrangements I encountered in over five years as a CIO in higher education was a college that required students to register their MAC address and tied it to the switch port, blocking all other traffic on that port. This arrangement is prone to MAC spoofing as well as a router or firewall that will NAT traffic from the room.

      I know another college that went the other way and shared a single business-class cable connection across an entire dorm. I'm sure their upload rates were terrible, but they had more download bandwidth than the administration LAN. And, neither the school nor the ISP had any user-to-traffic logs available.

      I'm not suggesting that a more airtight solution doesn't exist but colleges usually are concerned with network management, not with providing enough evidence to meet the standards of a civil lawsuit. As you make the process more restrictive, you increase the inconvenience to your end-users. As you increase the amount of useful data that you log, you increase the cost of providing network services.
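
The lookup the comments above argue about (which MAC held an IP at a given time, and how weak that answer is), as an added example that is not part of any poster's comment. The lease records, the logged switch-port field, the retention cutoff and the clock-skew tolerance are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime
    port: str  # switch port the DHCP request arrived on (assumed to be logged)


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample records; a real DHCP server's log format will differ.
LEASES = [
    Lease("10.1.4.20", "00:11:22:33:44:55", ts("2008-03-01 08:00"), ts("2008-03-01 20:00"), "dorm-a/12"),
    Lease("10.1.4.20", "aa:aa:aa:aa:aa:aa", ts("2008-03-01 20:05"), ts("2008-03-02 08:05"), "dorm-a/31"),
    Lease("10.1.4.21", "00:11:22:33:44:55", ts("2008-03-01 19:00"), ts("2008-03-02 07:00"), "lib-2/07"),
    Lease("10.1.4.30", "00:11:22:33:44:77", ts("2008-03-01 09:00"), ts("2008-03-01 21:00"), "dorm-b/03"),
]
RETAINED_FROM = ts("2008-03-01 00:00")  # older records assumed already overwritten
CLOCK_SKEW = timedelta(minutes=10)      # assumed disagreement between reporter and server clocks


def locally_administered(mac):
    """True if bit 0x02 of the first octet is set (address assigned in software).
    A clear bit proves nothing: a software-set MAC can leave it clear."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def overlaps(a, b):
    return a.start < b.end and b.start < a.end


def attribute(ip, when, leases=LEASES, retained_from=RETAINED_FROM, skew=CLOCK_SKEW):
    """Return the MAC(s) that may have held `ip` at `when`, with caveats.
    The result names hardware addresses only, never a person."""
    if when < retained_from:
        return {"status": "no-data", "macs": [], "caveats": ["query predates retained logs"]}
    hits = [l for l in leases if l.ip == ip and l.start - skew <= when <= l.end + skew]
    if not hits:
        return {"status": "no-lease", "macs": [], "caveats": ["no lease covers this time"]}
    macs = sorted({l.mac for l in hits})
    caveats = []
    if len(macs) > 1:
        caveats.append("time is within clock skew of a lease handover")
    for lease in hits:
        if locally_administered(lease.mac):
            caveats.append(f"{lease.mac} is locally administered")
        # The same MAC holding another lease from a different port at the same
        # time means two devices presented it, so one of them is not the original.
        other_ports = sorted({o.port for o in leases
                              if o.mac == lease.mac and o.port != lease.port and overlaps(o, lease)})
        if other_ports:
            caveats.append(f"{lease.mac} also leased via {', '.join(other_ports)} at an overlapping time")
    status = "single-mac" if len(macs) == 1 else "ambiguous"
    return {"status": status, "macs": macs, "caveats": caveats}


if __name__ == "__main__":
    for ip, when in [("10.1.4.30", "2008-03-01 12:00"), ("10.1.4.20", "2008-03-01 12:00"),
                     ("10.1.4.20", "2008-03-01 20:02"), ("10.1.4.20", "2008-02-20 12:00")]:
        print(ip, when, attribute(ip, ts(when)))
```

Even the cleanest result here is "single-mac": mapping that address to a registered owner, let alone to whoever was at the keyboard, is a separate step the lease log cannot supply.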

    14. Re:You don't have a loghost? by DigiShaman · · Score: 1

      Except it's your cable/DSL modem that has its own MAC. Generally tied to its own 10.net address. That you CANNOT spoof.

      So can they tell which computer behind the network is at fault? No. Can they nail the subscriber of the service? Yes.

      --
      Life is not for the lazy.
    15. Re:You don't have a loghost? by gfxguy · · Score: 1

      But this is at a university... is that how they're doing it nowadays? Cable and/or DSL?

      I really wouldn't know, but I would imagine not.

      --
      Stupid sexy Flanders.
    16. Re:You don't have a loghost? by janeuner · · Score: 1

      I believe that this situation falls under the "Open WAP" defense strategy.

    17. Re:You don't have a loghost? by Anonymous Coward · · Score: 0

      How would a Uni go KGB on their network? I'm simply curious on what that would involve.

      Here at mine, we run WPA Enterprise on the wireless with unique names/passwords. Either wired or wireless, you have to authenticate AGAIN with a different name and password at the router level. Is that KGB enough? While we're at it, can I just spoof someone else's MAC? :p

      I work in the IT department, and we get dozens of letters a day from the RIAA. Just this summer I think they started actually giving a crap. I'm pretty sure they are just forwarding the notices on to the students for now.

    18. Re:You don't have a loghost? by Nefarious+Wheel · · Score: 2, Insightful

      I guess a working catch phrase might be "hardware is not people".

      --
      Do not mock my vision of impractical footwear
    19. Re:You don't have a loghost? by MoeDrippins · · Score: 5, Insightful

      Spot on. The lack of clue within the RIAA is mind-numbing.

      I suspect the RIAA knows EXACTLY what the technical facts are. But if they can still sue w/o having those get in their way, so much the better! (For them)

      Remember this is law, not logic.

      --
      Before you design for reuse, make sure to design it for use.
    20. Re:You don't have a loghost? by iminplaya · · Score: 1

      Yes, and aren't some places trying to outlaw that?

      --
      What?
    21. Re:You don't have a loghost? by Kz · · Score: 1

      Not only VMs, real MACs are easily changeable by software. (ifconfig eth1 hw ether DE:AD:BE:EF:00:00)

      --
      -Kz-
    22. Re:You don't have a loghost? by Kent+Recal · · Score: 1

      But what does this lawsuit gain them when they cannot actually track down the music-sharing terrorist?
      The case will just be dismissed and that's it.

    23. Re:You don't have a loghost? by mikkelm · · Score: 1

      It's just as easy to do on a DSLAM as it is on an IP switch. All you have to do is tag the DHCP discover/request with an ifIndex-based Option 82 value, and delegate your addresses based on this.
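An added example, not part of the comment above and not any vendor's code: a parser for the DHCP Relay Agent Information option (Option 82, RFC 3046) and an allocator that keys the address on the relay's port tag instead of the client MAC. The 4-byte big-endian ifIndex encoding of the circuit ID, the switch MAC and the port table are assumptions constructed for the illustration.

```python
import struct

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes


def iter_tlv(buf, pad=None, end=None):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == pad:                        # pad is a single byte, no length
            i += 1
            continue
        if code == end:
            return
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        yield code, value
        i += 2 + length


def relay_agent_info(options):
    """Return (circuit_id, remote_id) from Option 82, or (None, None)."""
    for code, value in iter_tlv(options, OPT_PAD, OPT_END):
        if code == OPT_RELAY_AGENT_INFO:
            subs = dict(iter_tlv(value))       # sub-options have no pad/end codes
            return subs.get(SUB_CIRCUIT_ID), subs.get(SUB_REMOTE_ID)
    return None, None


def allocate(client_mac, options, port_table):
    """Pick the address from the (switch, ifIndex) tag; the client MAC is only logged."""
    circuit, remote = relay_agent_info(options)
    if circuit is None or remote is None or len(circuit) != 4:
        return None                            # untagged request: no port-based lease
    (if_index,) = struct.unpack("!I", circuit) # assumed encoding: 32-bit ifIndex
    return {
        "ip": port_table.get((remote, if_index)),
        "switch": remote.hex(":"),
        "if_index": if_index,
        "client_mac": client_mac,              # recorded, not trusted for allocation
    }


def build_options(msg_type, if_index, relay_mac):
    """Construct a sample options field as a relay would forward it."""
    circuit = struct.pack("!I", if_index)
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
           + bytes([SUB_REMOTE_ID, len(relay_mac)]) + relay_mac)
    return (bytes([53, 1, msg_type])
            + bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
            + bytes([OPT_END]))


# Constructed sample data.
SWITCH = bytes.fromhex("001a2b3c4d5e")
PORT_TABLE = {(SWITCH, 17): "10.20.3.7"}

if __name__ == "__main__":
    tagged = build_options(1, 17, SWITCH)      # 1 = DHCPDISCOVER
    for mac in ("00:16:cb:00:00:01", "02:de:ad:be:ef:00"):
        print(allocate(mac, tagged, PORT_TABLE))
```

The tag is only as trustworthy as the relay that inserts it, so the relay has to discard any Option 82 arriving from the client side. The resulting record names a socket, not the person using it.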

    24. Re:You don't have a loghost? by Anonymous Coward · · Score: 0

      The lag + possibility of selling during the interim is a cop out.

      E.g. Suppose AutomobileOwner 1 owns Car A with License Plate A and kills a Senator. Cops don't find out that a nature watching camera caught the License Plate until Car A is sold to AutomobileOwner 2. OMG, the world will end because we can never catch them. There's no way you can ask detectives to do routine police work.

    25. Re:You don't have a loghost? by SuperQ · · Score: 1

      Someone I know set up a script that every time he connects to an AP it generates a random MAC. It tries to continue to use the same MAC for the same AP MAC.

    26. Re:You don't have a loghost? by MoeDrippins · · Score: 2, Insightful

      Sorry, I didn't mean to imply I disagreed in general, only that the RIAA doesn't "have a clue".

      The RIAA isn't in the pattern of suing people they *KNOW* they can beat, they sue people they think they can beat. They're simply playing the odds; 1 big case won from legal shenanigans and/or technical ignorance can overcome many that never make it that far.

      --
      Before you design for reuse, make sure to design it for use.
    27. Re:You don't have a loghost? by sexconker · · Score: 0, Troll

      Simply trash the modem, buy a surfboard, call the cable company and say "hay guys, new modem, update MAC entry plz."

    28. Re:You don't have a loghost? by TheScottishGuy · · Score: 1

      At least with the ISP I work for we run straight bridged DHCP, so it would be the first device hooked up to the modem, not the modem that pulls the IP. -Proud to work for an ISP that refuses to hand over ANY information without a solid court order.

    29. Re:You don't have a loghost? by RpiMatty · · Score: 1

      So what?
      You still need to figure out who was in that room at the time. Unless there are cameras set up, it could have been anyone in the dorm at the time, just hanging out in a friend's room.
      My dorm room was almost always open to guests (as long as myself and my roommate weren't at class).

    30. Re:You don't have a loghost? by DrgnDancer · · Score: 1

      Of course tying an IP to a machine is useless, because you can't prove that I was using my machine at a given time. Especially in a dorm room. I used to let people use my computer all the time in college. Further, a moderately competent user could simply spoof a MAC address and make it look like the guy down the hall is downloading all the music.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    31. Re:You don't have a loghost? by numbski · · Score: 1

      This raises a technical question...

      Does anyone have a relatively safe/sane script lying around that does a quick arping on the local segment, generates a non-conflicting mac address, and then assigns that mac address to your nic, either at reboot or at regular intervals?

      Doing this would basically make this sort of thing moot. Extra credit for adding the *real* mac address of your nic to the exclude list, guaranteeing that no one will ever tie it back to you.

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    32. Re:You don't have a loghost? by dpilot · · Score: 1

      No, I suspect that *someone* in the RIAA knows exactly what the technical facts are, but I'll bet the "technical experts" for the litigation team are kept carefully clueless about this. This is all speculation.

      Think for a moment about the care taken in a good "Clean Room" reverse engineering job, and now apply it to the RIAA. Have a truly good "Evil Technical Team" who understands all of this, including MAC spoofing, open access points, etc. Then have a "Litigation Technical Assistance Team" that consists of carefully vetted new-hires out of college. Make sure this second team has only book-learners, no hackers or hobbyists, etc. Then you need a "Technical Interface Team," which is placed in between the "Evil" team and the "Litigation Assistance" team. So when technical questions come up, the Interface team makes sure that the Litigation Assistance team gets the information they need from the Evil Team, but is *very* careful to vet all information to make sure nothing leaks through that could damage the RIAA case.

      In other words, the "technical experts" in the RIAA may have college degrees, but they and their schools are carefully selected to make sure they don't know about things that might damage the legal cases. Beyond that, as they need more information it's provided to them, but carefully so that they learn no more about "hacking techniques", walking the fine line between damaging their legal cases and getting cited for contempt.

      --
      The living have better things to do than to continue hating the dead.
    33. Re:You don't have a loghost? by azuredrake · · Score: 2, Informative

      I go to Tufts. That's not how our system works. It checks your MAC address when you attempt to use a browser/online service/etc., and if it's not registered in the system, they make you sign the terms of service again. As long as you're not on wireless, you never enter a username/password to get online, so the only remotely identifiable aspect of the end user is their MAC address.

      --
      Quis custodiet ipsos custodes?
    34. Re:You don't have a loghost? by Mattsson · · Score: 1

      There's also the possibility that someone stole an IP temporarily.
      Checking what IP a certain computer had received and then setting that manually on another computer, unplugging the first one and plugging in the second one.

      If you use smart edge-switches and implement IEEE 802.1x and have personal logins for every user, you can start trusting your logs.

      --
      /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
    35. Re:You don't have a loghost? by bluefoxlucid · · Score: 1

      generate random MAC address.

      RARP on the MAC.

      No response, use.

    36. Re:You don't have a loghost? by ewhenn · · Score: 1

      I prefer 2B:1G:A5:5B:00:B5

    37. Re:You don't have a loghost? by Cramer · · Score: 1

      As long as you're not on wireless

      And if you are? You have to login with a username and password? So why can't Tufts IT tell who was using what IP at a given time on the wireless network? Are each of the wireless APs NAT routers?

    38. Re:You don't have a loghost? by frank_adrian314159 · · Score: 1

      "hardware is not people".

      Yes, but Soylent Green is!

      --
      That is all.
    39. Re:You don't have a loghost? by Cramer · · Score: 1

      802.1X. Next question.

      You don't have to register MACs or any of that crap. And you don't need web page authentication redirects for "unregistered" systems. With 802.1X, you either present the required authentication materials or you get no/limited network access. Granted this is only effective per port which means you couldn't plug in a switch in your dorm room to connect several machines. (in theory you could, but I don't know any switches that will do upstream 1x auth; or at least none kids can afford.)

      Most of what Universities are using are very old, hastily cobbled together systems. Better methods have been around for a long time, but they don't have the time or money to mess with building a better system given the current system does actually get the job done. Having worked in that world, there are usually very few people to get a lot of things done. (I was lucky. I only had one lab (~2 dozen PCs) and maybe a dozen more research systems (some PCs some VMEs) to manage.)

    40. Re:You don't have a loghost? by azuredrake · · Score: 1

      Yes, wireless requires a username/password and thus could almost certainly be traced. Thankfully/tragically, most dorms aren't covered by wireless; it's used heavily only in classrooms/libraries/dining and recreation areas.

      --
      Quis custodiet ipsos custodes?
    41. Re:You don't have a loghost? by Cramer · · Score: 1

      Then why can they nail down the hardwired to one likely suspect but the 2 wireless addresses to dozens of people?

      I hate the **AA's as much as anyone, but this sounds like Tufts is simply lying. There are details they aren't telling the courts.

    42. Re:You don't have a loghost? by azuredrake · · Score: 1

      Eh?

      The only truly personally identifiable information ever communicated over the network is the user login - and even that isn't necessarily secure, since all it takes is someone who has read your email to get your login. There really is no way that people can be positively identified over the Tufts network, to the best of my knowledge. Of course, I am just a student, and am not privy to the inner workings of our IT center.

      --
      Quis custodiet ipsos custodes?
    43. Re:You don't have a loghost? by Von+Helmet · · Score: 1

      The most restrictive arrangement I encountered in over five years as a CIO in higher education was a college that required students to register their MAC address and tied it to the switch port, blocking all other traffic on that port.

      They did that at the University of Durham in the UK when I was there. Before you could get your computer on the network, you had to get the MAC address (which for many people was a nigh incomprehensible technological feat in itself) and go to the IT department to have it registered with them. The switch would then only allow your computer to connect from the relevant port in your room.

      It was quite a pain in the arse at times. As the resident geek I was often called on to fix computers, and occasionally made the mistake of trying to troubleshoot someone's PC in my room. Plug their PC into the wall, switch picks up different MAC, and BAM! the port is locked out until you go and request that it be unlocked again.

      This arrangement is prone to MAC spoofing as well as a router or firewall that will NAT traffic from the room.

      Indeed, MAC spoofing would have worked, as would two network cards in one PC and a bit of windows ICS "magic". I imagine you could also have given them the MAC address of the WAN side of a router, but they might have picked up on the fact that the connection was being shared by the usage pattern of the port or whatever. That may or may not have been possible, I don't know.

    44. Re:You don't have a loghost? by Cramer · · Score: 2, Interesting

      You missed the point... on the wireless network, one must login to get an address. Thus, there should be records of who logged in and was given a specific address. So, they should have one and only one name for the two wireless addresses.

      Of course, if they expire those logs as fast as the dhcp logs, there's nothing to search.

    45. Re:You don't have a loghost? by electrostatic · · Score: 1
      From the Report to the Judge (pdf p. 3/6)

      Identification: Tufts University's system is entirely dependent upon a computer's [MAC] address. . . . When a computer is first connected to the Tufts' network . . . the user must "register" the computer's MAC address(es) of the machine presented along with the username.

      It seems that spoofing would not work here.

    46. Re:You don't have a loghost? by Anonymous Coward · · Score: 0

      Just as easy - You just have to do these extra things. ~

    47. Re:You don't have a loghost? by EdIII · · Score: 1

      only that the RIAA doesn't "have a clue".

      Exactly. They have more than enough money to hire a technical consultant to tell them how the stuff works. There are a lot of people that want to take the time to point at the RIAA and say, "HA HA. Stupid RIAA". No, they are far from stupid. It's just a process of discovery. For every item in the discovery process they can claim the defendant is deliberately not producing it is less credibility for the defendant in front of the judge. Does not always work, but it is certainly a well-known legal tactic. You never want to seem like you're hiding something to the judge. In this case, they are going to have to explain and the judge will need to understand how DHCP and MAC Addresses work. Most technical people that have a basic understanding of networking already know that the MAC address is at best a piece of networking history that just has not been EOL'd. It has its uses still, but as far as security and identification purposes go, you would have an easier time nailing jello to the wall. Let's hope the judge does not fall for it.

      The RIAA isn't in the pattern of suing people they *KNOW* they can beat, they sue people they think they can beat. They're simply playing the odds; 1 big case won from legal shenanigans and/or technical ignorance can overcome many that never make it that far.

      Now this is where you are dead wrong, and consequently, why they are far from being stupid. They are NOT EVEN PLAYING THE ODDS. It does not matter if they win a case, although it is a plus certainly. They could never hope to make litigation profitable. How could they? Even if you factored in reasonable court costs and time for a lawyer (less than 100$ per hour) you STILL would not gain enough cash from a judgment to cover 1% of your expenses. It's the Deep Pockets Test. Does the other party have deep enough pockets to make your litigation even worthwhile? In the case of the RIAA against the people, not even remotely close. The RIAA may get a judgment, but chances are they are just selling it for pennies on the dollar to collection agencies. If the collection agencies push too hard, the people just go *poof*. *Poof* can mean anything from bankrupt, to just plain going out of state every time someone tracks you down. For the people that do settle for a few thousand dollars, which is tantamount to extortion, the reality is that cash flow does not even cover a fraction of the operating costs. Even if it is in the millions. The RIAA is in the hundreds of millions as far as its operating costs and expenditures go. That really fancy supreme court case lawyer cost one heck of a pretty penny. I would bet dollars to donuts that they would need 50-100 settlements to cover just his costs for being there.

      The RIAA is 100% about CHAOS. The more disruptive they can be to the legal system, the higher educational systems, and file sharers in general the more successful they think they are. They are not looking for compliance with their copyright and business plan manifestos given to them by their masters in Big Media. That would be a foolish pipe dream and they know it.

      What the RIAA wants is:

      1) To spread enough FUD around to mitigate file sharing losses. If the people are afraid, then maybe a good portion of them will stop pirating music.

      2) To create case precedence to allow other copyright holders lower "barrier to entry" to sue any entity they want.

      3) To create case precedence to allow plaintiffs in court the ability to pierce privacy and anonymity at will to gain whatever data they want, regardless of whether it even helps their case.

      4) To create a litigation vehicle and general cluster fuckery to allow them to convince the legislative bodies to create laws favorable to their positions.

      They are failing with everything but #4. The amount of law they have written is truly astounding. Not only prolific, but

    48. Re:You don't have a loghost? by mikkelm · · Score: 1

      It's not an "extra thing". It's a different thing that's no more time consuming, and no more difficult to do.

    49. Re:You don't have a loghost? by MoeDrippins · · Score: 1

      I'm not sure I agree, but as I don't have any facts to back me up I can't say for sure. Your argument is certainly compelling.

      BTW, +1 karma for the use of "cluster fuckery" =)

      --
      Before you design for reuse, make sure to design it for use.
    50. Re:You don't have a loghost? by PetiePooo · · Score: 1

      Spot on. The lack of clue within the RIAA is mind-numbing. A MAC-Address is completely meaningless. As in:

      ifconfig eth0 hw ether 00:DE:AD:BE:EF:00

      And for you Windoze enthusiasts, there's macshift.

  8. DHCP lease logs by Ted+Freeman · · Score: 5, Interesting
    Nice job from the IT department. They say how difficult it is to extract meaningful information from the ARP cache records, but you don't need them anyway. All they would need to do is keep the DHCP lease logs. Conveniently they

    In both cases the retention notice arrived in such close proximity to the expiration of the ten day retention period of the DHCP data that we were unable to access the data before it was overwritten.

    So they used the same excuse twice - log rotation - RIAA's new enemy.

    1. Re:DHCP lease logs by TerminaMorte · · Score: 5, Interesting

      DHCP logs will only contain the IP address and MAC address; information that cannot be used to identify anything other than a machine (assuming the MAC isn't spoofed; my laptop runs macchanger -A ath0 on startup :)).

    2. Re:DHCP lease logs by Ted+Freeman · · Score: 1, Interesting
      Yes, that is all you can hope to identify people from. MAC addresses can be changed, machines can have multiple MAC addresses, people can use common access terminals or access the network through NAT / masquerading routers or use a friend's computer. All this is possible but the MAC address(es) of your computer:

      When a computer is first connected to the Tufts network the user must register their MAC address with their individual username and password.

      So it is not a perfect system but it is the best they have and would "catch" most ( non/semi technical ) users.
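An added example, not part of the comments above and not Tufts' tooling: the lookup this sub-thread describes, going from (IP, time) through DHCP ACK records to a MAC and then through the registration table to usernames, with the ambiguous outcomes reported instead of hidden. The log line format, addresses and usernames are constructed; only the ten-day retention figure comes from the report quoted above.

```python
from datetime import datetime, timedelta

# Retention period for DHCP data, as quoted from the Tufts report in this thread.
RETENTION = timedelta(days=10)

# Constructed sample log. The line format is an assumption made for this example.
SAMPLE_LOG = """\
2008-05-01T09:00:00 ACK 10.20.3.7 00:16:cb:00:00:01 lease=7200
2008-05-01T10:00:00 ACK 10.20.3.7 00:16:cb:00:00:01 lease=7200
2008-05-01T11:30:00 ACK 10.20.3.7 00:0d:93:00:00:02 lease=7200
2008-05-01T09:15:00 ACK 10.20.3.8 00:11:24:00:00:03 lease=7200
2008-05-01T09:20:00 ACK 10.20.3.9 02:de:ad:be:ef:00 lease=7200
"""

# Constructed registration table: MAC -> usernames that registered it.
REGISTRATIONS = {
    "00:16:cb:00:00:01": {"alice"},
    "00:0d:93:00:00:02": {"bob", "carol"},
    "00:11:24:00:00:03": {"dave"},
}


def parse_log(text):
    """Turn ACK lines into (ip, mac, start, end) lease intervals."""
    leases = []
    for line in text.splitlines():
        ts, kind, ip, mac, duration = line.split()
        if kind != "ACK":
            continue
        start = datetime.fromisoformat(ts)
        seconds = int(duration.split("=", 1)[1])
        leases.append((ip, mac.lower(), start, start + timedelta(seconds=seconds)))
    return leases


def is_locally_administered(mac):
    """True if the U/L bit is set, a hint (not proof) that the MAC was set in software."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def attribute(ip, when, now, leases, registrations):
    """Classify what the records can and cannot say about `ip` at time `when`."""
    result = {"status": "log-overwritten", "macs": [], "users": [], "soft_macs": []}
    if now - when > RETENTION:
        return result                       # request arrived after the data rotated out
    macs = sorted({m for (i, m, s, e) in leases if i == ip and s <= when < e})
    users = sorted(set().union(*(registrations.get(m, set()) for m in macs)))
    result.update(macs=macs, users=users,
                  soft_macs=[m for m in macs if is_locally_administered(m)])
    if not macs:
        result["status"] = "no-lease"
    elif len(macs) > 1:
        result["status"] = "ambiguous-lease"    # two machines held a valid lease
    elif not users:
        result["status"] = "unregistered-mac"
    elif len(users) > 1:
        result["status"] = "shared-machine"     # one MAC, several registrants
    else:
        result["status"] = "single-registrant"  # a machine's registrant, not a person
    return result


LEASES = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    asked = datetime(2008, 5, 5)
    for ip, hhmm in [("10.20.3.7", (10, 30)), ("10.20.3.7", (11, 45)),
                     ("10.20.3.7", (12, 30)), ("10.20.3.9", (9, 30))]:
        when = datetime(2008, 5, 1, *hhmm)
        print(ip, when.time(), attribute(ip, when, asked, LEASES, REGISTRATIONS))
```

Even the single-registrant outcome names whoever registered the machine, and a software-set MAC can carry the globally administered bit pattern, so the soft_macs hint only ever errs toward under-reporting.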

    3. Re:DHCP lease logs by nfsilkey · · Score: 1

      So they used the same excuse twice - log rotation - RIAA's new enemy.

      Sadly, that's what things have come to in higher-ed IT regarding subpoenas and legal issues: log as little as possible ... so that there's little to offer up to those who come asking. Srsly.

    4. Re:DHCP lease logs by Tuoqui · · Score: 1

      True... Though maybe someone can come up with an "Enhanced Privacy" version of Ubuntu or RedHat...

      Use virtual machines with...

      MAC Randomization
      Tor Proxy for web surfing
      Use of rotating proxies through bittorrent
      Restart the virtual machine fresh each time

      Good luck associating a MAC and IP address with any machine running this. Unfortunately since it is not Windows and won't play crap like WoW it'll probably only be used by the geeks in the Comp Sci departments.

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
  9. Re:What, me change MAC address? I wouldn't do that by Carthag · · Score: 3, Interesting

    At the dorm where I used to live we had to authenticate our computers in order to gain access to the network; this was done via username/password combos. There were several that multiple people knew (mostly to get around bandwidth limits - you'd just jump on another account if you exceeded your quota).

    It registered the MAC address at this point, but I doubt they were actually saved, as the quota was obviously tied to the user account and not the MAC.

  10. Re:What, me change MAC address? I wouldn't do that by huge · · Score: 5, Insightful

    People should understand that MAC address is no more permanent than IP address is.

    Unfortunately they don't.

    --
    -- Reality checks don't bounce.
  11. Re:What, me change MAC address? I wouldn't do that by yakumo.unr · · Score: 2, Informative

    On Windows, most wired NIC drivers will let you set the "Locally Administered Address" which is your MAC address in the device's advanced properties.

  12. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 3, Interesting

    And with Wifi, it's even easier (useful for these Kiosk-type nets that present you with a login page on first access):

    • tcpdump traffic for a while
    • choose a low-activity mac and matching IP
    • configure victim's mac and IP on your card.
    • no need to even disconnect or remove victim's computer
    • surf ahead!

    Well, occasionally you (or the victim) might get one or the other dropped connection, but in practice, this is extremely rare.

  13. Re:What, me change MAC address? I wouldn't do that by JustKidding · · Score: 4, Informative

    This is almost exactly what I was thinking: aside from the difficulties and uncertainties of matching an IP to a MAC at any given time in the past, with NAT and everything adding a lot of ambiguity to whole mess, it's simply not possible to match a MAC address to any given NIC, much less to a user of the computer containing this NIC, let alone establish knowledge or intent of the alleged infringement.

    MAC forgery for dummies:
    1) start packet sniffer
    2) start ping probe of network segment, record ARP replies
    3) when you want to forge a MAC address, probe the network segment again
    4) use MAC from any host that is not responding, but that you did record the MAC address for previously
    5) enter MAC in advanced setting for the network card (in windows, all dummies use windows).

    The only thing I can think of to prevent this, is tying the MAC address to the physical port on the router. This is, of course, not possible with a wireless network.

    username/password systems won't work reliably either, passwords can be sniffed, keylogged, or brute-forced.

  14. More like "notice that you're being watched" by lysse · · Score: 4, Insightful

    Nice move on Tufts' part. If they ever do receive such a "notice to preserve", they can relay it straight back to their students and staff and say "look, the RIAA is watching us with a view to screwing you, so behave yourselves" for the duration of such a notice; and if they don't, they have effectively insulated their charges from all further RIAA action. And all whilst looking extremely co-operative for the benefit of the courts...

    1. Re:More like "notice that you're being watched" by Anonymous Coward · · Score: 1, Insightful

      After which time your performance would start slipping, there'd be some "concerns", your duties would change, and after a while, you'd be out of a job and the word out on the street would be that you are unloyal. Couldn't happen to a nicer guy.

    2. Re:More like "notice that you're being watched" by Anonymous Coward · · Score: 0

      Sounds like they're helping students obey the law.. for the duration of the probe.

    3. Re:More like "notice that you're being watched" by Overzeetop · · Score: 3, Insightful

      More interestingly, I would presume that Tufts would be within their rights to use that as a profit center as well. Those things don't preserve themselves, and in most litigation the financial burden of collecting pre-discovery data (and some discovery data) is on the requesting party.

      I wouldn't be surprised to find that Tufts would give explicit notice to the faculty/students, as well as charging for the software, installation, maintenance, and storage of custom logging operations. That can get expensive quickly, especially when people are billing hourly and university overhead is often north of 50-60% of direct costs.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    4. Re:More like "notice that you're being watched" by Anonymous Coward · · Score: 0

      Do that and the RIAA will ask congress to give them the authority equivalent to national security letter that prohibits dissemination of these kinds of demands.

    5. Re:More like "notice that you're being watched" by sm62704 · · Score: 1

      Or there would be a blanket party. That's how narcs are dealt with in the military. When I was in the Air Force they had to medivac one guy home after such a party.

      I wonder if the GP AC has ever heard of a fellow from ancient times named "Judas"?

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    6. Re:More like "notice that you're being watched" by DesScorp · · Score: 1

      Nice move on Tufts' part. If they ever do receive such a "notice to preserve", they can relay it straight back to their students and staff and say "look, the RIAA is watching us with a view to screwing you, so behave yourselves" for the duration of such a notice; and if they don't, they have effectively insulated their charges from all further RIAA action. And all whilst looking extremely co-operative for the benefit of the courts...

      You don't think most judges wouldn't see that as collaborating with students in copyright violation? I'll promise you Tufts lawyers certainly would see it that way.

      --
      Life is hard, and the world is cruel
    7. Re:More like "notice that you're being watched" by Nushio · · Score: 1

      Ah, but here's the catch. You wouldn't exactly yell it over the P.A. System.

      You'd start a rumor with a bunch of different groups and let the students themselves spread the word.

      It isn't perfect, but you wouldn't be able to mark someone specifically as "collaborating with copyright violation"

      --
      Check out Unsealed: Whispers of Wisdom! http://unsealed.k3rnel.net It's an action-RPG about Open Sourcerers.
    8. Re:More like "notice that you're being watched" by GargamelSpaceman · · Score: 1

      I wonder if the RIAA is going after students because the MAC address registration thing common at universities makes them more vulnerable. People in say a large apartment block use Regular ISPs that do not require the mac address to be registered. If you have an open wireless router then any of your neighbors can use your internet connection. If you randomize your mac address then there is no way they can prove it was you and not one of your neighbors that downloaded a copyrighted file unless they actually find it on your hard drive. Just keep an old pc connected for them to find, but do your real browsing from your laptop with the rubberhose encrypted drive that you keep under your bed.

      --
      ...
    9. Re:More like "notice that you're being watched" by steelfood · · Score: 1

      I smell late-night open-door pizza parties, courtesy of the RIAA.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    10. Re:More like "notice that you're being watched" by lysse · · Score: 1

      Does telling a streetful of prostitutes that the police are on their way make one a pimp?

    11. Re:More like "notice that you're being watched" by DesScorp · · Score: 1

      Does telling a streetful of prostitutes that the police are on their way make one a pimp?

      If you're working with them, yeah. If you're just some shmoe on the street, no. But the students and Tufts have an official relationship, with Tufts being responsible for some of their actions while they're on campus (In Loco Parentis, anyone?). Furthermore, the students are using a university Internet connection, and almost certainly are violating some of the regulations that Tufts puts on the system.

      --
      Life is hard, and the world is cruel
    12. Re:More like "notice that you're being watched" by Anonymous Coward · · Score: 0

      and the RIAA would have to pay for any implementation costs of such a notice. Beautiful:-)

    13. Re:More like "notice that you're being watched" by lysse · · Score: 1

      Sorry. Your thinking is just too screwed up on this to be worth arguing with.

    14. Re:More like "notice that you're being watched" by gknoy · · Score: 1

      Sounds like they're helping students obey the law.. for the duration of the probe.

      Heck, they could even send out a reminder that university policy forbade illegal filesharing. Or, make like the librarians ( http://www.librarian.net/technicality.html ) and say something like, "The RIAA has not asked us to monitor your traffic this month." (as a big sign on the campus IT building, or somesuch). Some months, it might be removed ....

    15. Re:More like "notice that you're being watched" by Tuoqui · · Score: 1

      I know this is feeding the troll but hey...

      Yes most ISPs use a number such as 3 days because a house is not apt to move around. A university/college with laptops and wireless internet would be more apt to use a lease duration of a shorter time of say 2-4 hours. This is because the length of classes/lectures is typically 1-2 hours and DHCP specification calls for renewing the lease halfway through the duration with a DHCP server. If they do not get permission to continue using the same IP address then they request a new one (common practice to not let someone keep the same IP indefinitely).

      Also when shutting off the computer and moving to a new location (IE. New classroom, lecture hall, the cafeteria) typically one transits multiple different APs and will usually end up having to re-request an IP address from the DHCP server.

      DHCP leases are a minor security threat if they have a long enough duration. If someone previously knew that this MAC and IP address combination were in use and aren't now they could spoof the MAC and use the same IP address since as long as the other machine is not being used it does not require the DHCP server's communication to use an address that is not in use or was previously dished out.

      Another way around it that even non-technical users can utilize would be a USB or PCMCIA card that does the wireless connection and judicious use of Truecrypt with strong passwords with a removable hard drive such as a USB stick. They can't compel you to tell you the password if it's only in your head. 5th amendment right and all that.

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
  15. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    Unfortunately for people that try this at the school I work at this doesn't work. As soon as we see a MAC address on a switchport in the residence halls, that's the only address allowed on that port unless we specifically allow another one. So, if you try to change your address, you'll not only find that your new address doesn't work, but now your old one doesn't either because your port has been errdisabled and you have some explaining to do to network management.

  16. Of course if a regime change happens... by jskline · · Score: 2, Insightful

    Of course if a regime change happens at the end of the year, you can rest assured that there are certain politicians who will push hard for law changes to formally "outlaw" the use of DHCP in computer networks due to its haphazard way of handling network IP's, traffic; and because it doesn't know who the user is!...

    What a joke. If you think I'm wrong on this, take a look at the democratic side of the US Congress and look at some discussions that have been bantered about recently! That's all I'll say on that.

    God I hope and pray we get to replace them all next year! They're all bad.

    --
    All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
    1. Re:Of course if a regime change happens... by Anonymous Coward · · Score: 0

      I'm sure glad it was the "evil" democrats who suggested we torture detainees... oh wait... but the 'pubs will let you keep your guns, right, so they're the best, right?

    2. Re:Of course if a regime change happens... by Anonymous Coward · · Score: 0

      I believe his point is that it really doesn't matter which party has control of the government. Both of the two main political parties in the USA have their fair share of loonies when it comes to security and copyright issues. So having one person in the Presidency over the other doesn't guarantee that you won't see some onerous new laws be put in place.

    3. Re:Of course if a regime change happens... by cfulmer · · Score: 1

      I would like to believe that this is true. But, the Republicans have shown themselves to be just as willing to let lobbyists write laws as the Democrats have. The principled Republican Party of 1994 doesn't exist any more.

    4. Re:Of course if a regime change happens... by jskline · · Score: 1

      I'll agree with that! We've got a whole lot of dirty politicians in places they should not be. It will be interesting after November to find out how much of the playing field changes.

      --
      All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
  17. Please don't even GIVE them this idea. by Lunarsight · · Score: 4, Insightful

    For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

    I honestly wish Tufts hadn't even suggested this to the RIAA, since we all know this will be the next thing they'll try and have legislated through Congress. One of the congressmen on the RIAA payroll will attempt to slip it into a bill undetected.

    They won't limit it to colleges either - they'll probably make it a requirement of ISPs in general.

    1. Re:Please don't even GIVE them this idea. by EvanED · · Score: 1

      Oh please. You think the idea hasn't occurred to them?

      The RIAA may be blood-sucking mosquitoes who rape the justice system, but they aren't stupid.

    2. Re:Please don't even GIVE them this idea. by Lunarsight · · Score: 1

      Oh please. You think the idea hasn't occurred to them?
      The RIAA may be blood-sucking mosquitoes who rape the justice system, but they aren't stupid.

      Perhaps it has occurred to them, but the last thing we need is somebody reminding them about it.

      This is like dangling the mouse in front of the cat.

    3. Re:Please don't even GIVE them this idea. by Anonymous Coward · · Score: 0

      actually this is already common practice. They know it. Apparently they didn't feel it was necessary in this case due to the rapid response (10-day retention? I only wish ours was that short)

    4. Re:Please don't even GIVE them this idea. by GargamelSpaceman · · Score: 1

      Well couldn't Tufts then respond to the 'notice to preserve' by giving them a 'notice to pay for it?' Tufts didn't include this demand because it would give them the opportunity to respond earlier. This way they must issue a notice to preserve, then receive a notice to pay for it, take it to court, then get a notice to preserve with check attached. Then Tufts can say that it takes 6 months to implement the new logging technology etc. By now maybe a year and a half or 2 years have passed, and they possibly upgrade their network in such a way as to require the reimplementation of the logging functionality. So the RIAA gives them a notice to preserve, and they give them another notice to pay for it, but the RIAA says WHAT?? we already paid for it! Then Tufts points out that they upgraded their network and need them to pay for a new logging infrastructure. So the RIAA sends them a notice to preserve with check attached, they wait six months for the new logging infrastructure to be put into place. Then finally they get their logs. What they see is that Joe student's computer has no illegal material on it, but that he had an open wireless router, and all his dorm mates, repeatedly warned by the Tufts IT department that the RIAA would likely catch them if they downloaded illegal material, have been using it to share and access copyrighted music and movies. They do note that Joe user's laptop is downright ancient, and has no files that have been modified in the past six months. They suspect, but can not prove that Joe has a real laptop that they've never seen with a small part of the illegal files they know were downloaded. Joe is secure in the knowledge that by opening his wi-fi he cannot be responsible for the traffic going through it.

      --
      ...
    5. Re:Please don't even GIVE them this idea. by Anonymous Coward · · Score: 0

      The RIAA may be blood-sucking mosquitoes who rape the justice system, but they aren't stupid.

      Mosquito rape, you say? That'll probably be the next porn trend in Japan.

    6. Re:Please don't even GIVE them this idea. by Anonymous Coward · · Score: 0

      If they do have logs, what happens if you change your MAC address?

  18. Re:What, me change MAC address? I wouldn't do that by apathy+maybe · · Score: 5, Informative

    Username/password is still better than MAC or IP. Yes there are problems, but as I outline below...

    Encryption much? Prevents password sniffing. The protocol that my old Uni used was, I think, something based on EAP (http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol). No more sharing a single password amongst everyone.

    My own computer much? Prevents keylogging. (Not to mention, software keylogging is prevented on lab machines by locking them down and drawing the image down the network when you login. So even if you install keylogging software, if it works at all, it would only work for your login. Hardware keyloggers are expensive/hard to get.)

    Brute-forced... Joking much? The password file is stored at the other end of the network, you can't just grab it. And good luck tapping in different passwords by hand, with an enforced three second delay.

    --
    I wank in the shower.
  19. Why? by Armakuni · · Score: 4, Insightful

    For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit.

    Why? The RIAA is not a court of law or even a government agency. Surely the university would have no obligation to comply with its requests? Talking about the RIAA in these terms ("notices", "forensic") lends it unwarranted legitimacy and authority.

    --
    That's not Picasso, that's Kandinsky!
    1. Re:Why? by NewYorkCountryLawyer · · Score: 2, Interesting

      For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit.

      Why? The RIAA is not a court of law or even a government agency. Surely the university would have no obligation to comply with its requests? Talking about the RIAA in these terms ("notices", "forensic") lends it unwarranted legitimacy and authority.

      That's what I want to know. Why?

      --
      Ray Beckerman +5 Insightful
    2. Re:Why? by nomadic · · Score: 1

      That's what I want to know. Why?

      Is Tufts in a jurisdiction that recognizes a cause of action against third parties for spoliation of evidence? I know in Florida they could be possibly liable before their offer to the RIAA to preserve upon notice (and almost certainly liable after they made the offer).

    3. Re:Why? by NewYorkCountryLawyer · · Score: 1

      I was only asking rhetorically. I know the reason they did it. It's because they're sissies.

      --
      Ray Beckerman +5 Insightful
    4. Re:Why? by Todd+Knarr · · Score: 1

      Probably CYA for the judge. It'd look bad to the judge if Tufts refused to co-operate with a plaintiff completely. But when Tufts says "If you can give us a formal legal request telling us what to preserve, we'll do our best to try and preserve it while you sort things out with the court. We don't really have to, we're not a party to your lawsuit and aren't obliged to help you out until you come to us with a court order, but being nice guys we're willing to try and work something out.", they look a lot better to the judge. And when, after they've made that offer, the RIAA comes along screaming about how unreasonable Tufts is being and how they should just give the RIAA what's demanded, the judge starts to wonder whether it's really Tufts being unreasonable here. After Tufts making that offer, if the RIAA just rejects it and demands more it makes it easier for the judge to slap the RIAA down for making undue demands on a non-party. And, not coincidentally, from the sounds of it by the time the RIAA goes through the whole legal procedure to get the information from Tufts it'll be long gone through the natural operation of their system (which they're not technically obliged to change until after the RIAA's gone through the legal procedure and served papers on them).

  20. Re:What, me change MAC address? I wouldn't do that by Oidhche · · Score: 3, Insightful

    The only thing I can think of to prevent this, is tying the MAC address to the physical port on the router.

    Even this wouldn't prevent it if you can physically access the cables.

  21. Re:What, me change MAC address? I wouldn't do that by MT628496 · · Score: 1

    If you let users have physical access to your network hardware, you deserve to be cracked.

  22. Re:What, me change MAC address? I wouldn't do that by apathy+maybe · · Score: 3, Insightful

    And how the fuck are you going to prevent them? Hide your computers and just let them access the screen, keyboard and mouse?

    Unless you put your lab machines in a safe, there is always a way to access the network cables. (Even if it involves pulling the cover away from where they go into the wall.)

    --
    I wank in the shower.
  23. Why don't they just come out and say... by OneSmartFellow · · Score: 2, Insightful

    .. Hey, RIAA, you guys must be pretty stupid if you don't realize that a MAC address can be changed with trivial ease. Therefore, even if we could dredge up the DHCP logs, the IP address to MAC address mapping you are so interested in wouldn't tell you anything anyway.

    Please stop feeding the idiots, they foul the footpaths of life.

    1. Re:Why don't they just come out and say... by troon · · Score: 2, Insightful

      Because they're not 13 years old, and have a hint of maturity about them.

      --
      Ydco co ,df C erb-y go. a Ekrpat t.fxrapev
    2. Re:Why don't they just come out and say... by NewYorkCountryLawyer · · Score: 3, Insightful

      .. Hey, RIAA, you guys must be pretty stupid if you don't realize that a MAC address can be changed with trivial ease. Therefore, even if we could dredge up the DHCP logs, the IP address to MAC address mapping you are so interested in wouldn't tell you anything anyway.

      They don't care. They just want to have someone to sue.

      --
      Ray Beckerman +5 Insightful
    3. Re:Why don't they just come out and say... by RowD1 · · Score: 1

      The RIAA knows perfectly well that a MAC address can be changed. The RIAA is not out for justice. They are out for convictions and making examples of people. So, it makes little difference to them whether or not the person convicted actually was the infringer.

    4. Re:Why don't they just come out and say... by Sancho · · Score: 1

      Exactly. The RIAA know that they won't get everyone. Only a fool would think that they could. These are just scare-tactics. Sue enough people that everyone else is too scared to share files.

      This is why they can afford to be loose with the facts and pick-and-choose which cases they actually pursue.

  24. Re:What, me change MAC address? I wouldn't do that by antirelic · · Score: 2, Insightful

    - I changed my ethernet card
    - I was using a friend's laptop
    - I bought a new computer
    - I bought two new computers
    - Must have been a roommate's friend
    - etc...

    --
    20th century Marxism is not progress...
  25. Is it clear to though? by Anonymous Coward · · Score: 0

    Had a quick scan through the PDF and note that they are saying they can identify a number of users via the MAC referring to the ARP..

    With pretty much everyone and their cat knowing how to spoof/copy/clone/randomise a MAC could this one person still not be potentially someone else?

    Ok it implies that it *could* be this guy but without certainty shouldn't it say just that, my reading of it suggests they are certain it is one person?

  26. Re:What, me change MAC address? I wouldn't do that by MT628496 · · Score: 1

    Who said anything about a lab? I'm talking about dorms, where there are two ports in a room and two people in a room.

  27. IT to RIAA: by nimbius · · Score: 5, Interesting

    you're the reason we aren't keeping logs of this stuff.

    --
    Good people go to bed earlier.
  28. Re:What, me change MAC address? I wouldn't do that by base3 · · Score: 2, Insightful

    Hardware keyloggers are expensive/hard to get.

    While I've never bought one, they seem to be readily available although buying one untraceably would be a bit more difficult (but not impossible) which would be a necessary step to avoid having the keylogger found and an investigator simply asking (perhaps under subpoena) the selling company for the purchase information for that (probably serialized) keylogger.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  29. Re:What, me change MAC address? I wouldn't do that by ciderVisor · · Score: 4, Informative

    Hardware keyloggers are expensive/hard to get.

    O RLY ? http://www.blueunplugged.com/p.aspx?p=121554

    --
    Squirrel!
  30. The MAC is not in DHCP leases by Anonymous Coward · · Score: 2, Informative

    Everyone has missed the point. The DHCP protocol does not use MAC addresses to identify clients. It uses client identifiers, which can be any unique string. The fact that *windows* chooses to use the mac address as a client identifier is beside the point. Who says the client being investigated is using windows?

    I expected more from the MS-bashing Slashdot crowd. Apparently you are all windows users.

    1. Re:The MAC is not in DHCP leases by jeremyp · · Score: 3, Informative

      Yes, but once the computer is assigned an IP address, ARP ties the MAC address to the IP address. You could then, in principle, log the mappings by dumping the router's ARP table at regular intervals.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    2. Re:The MAC is not in DHCP leases by Cheerio+Boy · · Score: 1

      Everyone has missed the point. The DHCP protocol does not use MAC addresses to identify clients. It uses client identifiers, which can be any unique string. The fact that *windows* chooses to use the mac address as a client identifier is beside the point. Who says the client being investigated is using windows?

      I expected more from the MS-bashing Slashdot crowd. Apparently you are all windows users.

      So it's time for someone to write a tiny little app that changes the client identifier for the Windows DHCP protocol.

      As for non-Windows users didn't someone in another post mention an auto MAC changer?

      What I'd love to see here is an MIT style hack where all of a sudden the students put all the computers behind NATs with MAC addresses that match faculty workstations.

      MAFIAA:"Okay Professor you now owe us $500K."

      --

      "Bah!" - Dogbert
    3. Re:The MAC is not in DHCP leases by Phroggy · · Score: 2, Informative

      Uh, that completely depends on how you've chosen to set it up. My DHCP server sees the client ID you send, logs it, and ignores it completely, using only your MAC address to determine what IP address to assign you (either a static IP I've configured, or a dynamic IP from the pool).

      I'm sure I could set it to use the client ID instead, but I'd have to RTFM to figure out how. I know there are some cable companies that use the client ID to determine who you are and won't give you an IP if your client ID isn't one they recognize - or at least there used to be; I haven't encountered this in years. I think @Home used to do it, or maybe I'm thinking of the network AT&T Broadband set up after @Home went out of business and before selling it to Comcast. In any case, it's definitely possible, just not very common.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    4. Re:The MAC is not in DHCP leases by TheCarp · · Score: 1

      Um, I think you are far underestimating Tufts Networking group. In fact, I know that you are, since I happen to know they are pretty top notch.

      http://portal.acm.org/citation.cfm?id=1047561

      Check that out, notice the name, and that the person is from Tufts University. I was working there when it was the new internal tool that this same networking group in question wrote.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    5. Re:The MAC is not in DHCP leases by AndrewNeo · · Score: 2, Informative

      It was @Home, that was a pain because at the time I didn't have a router capable of setting the client name itself, so I had to hook it in directly to one PC.

    6. Re:The MAC is not in DHCP leases by Anonymous Coward · · Score: 0

      At work, I made a simple python script that made this, and we had a pretty good track of the mac ip associations.
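
The ARP-snapshot logging discussed in this sub-thread, as an added example that is not any poster's code or Tufts' tooling: it turns periodic `arp -an` dumps into IP-to-MAC intervals and reports where attribution is unknown or ambiguous. The snapshot data, the 300-second interval and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the "(ip) at mac" part of Linux `arp -an` output.
# Entries shown as <incomplete> carry no MAC and do not match.
ARP_RE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)

# Constructed sample data: (unix time, `arp -an` text), one dump every 300 s.
SNAPSHOTS = [
    (1000, "? (10.0.0.5) at 00:11:22:33:44:55 [ether] on eth0\n"
           "? (10.0.0.6) at 00:aa:bb:cc:dd:01 [ether] on eth0\n"),
    (1300, "? (10.0.0.5) at 00:11:22:33:44:55 [ether] on eth0\n"
           "? (10.0.0.6) at 00:aa:bb:cc:dd:01 [ether] on eth0\n"),
    (1600, "? (10.0.0.5) at de:ad:be:ef:ca:fe [ether] on eth0\n"
           "? (10.0.0.6) at <incomplete> on eth0\n"),
    (1900, "? (10.0.0.5) at de:ad:be:ef:ca:fe [ether] on eth0\n"
           "? (10.0.0.7) at 00:aa:bb:cc:dd:01 [ether] on eth0\n"),
]


def parse_snapshot(text):
    """Return {ip: mac} for every complete entry in one ARP dump."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(text)}


def build_intervals(snapshots):
    """ip -> list of [first_seen, last_seen, mac].

    A run is extended only when the same MAC appears in the directly
    preceding snapshot, so a missed dump shows up as a gap, not as coverage.
    """
    intervals = defaultdict(list)
    prev_ts = None
    for ts, text in sorted(snapshots):
        for ip, mac in parse_snapshot(text).items():
            runs = intervals[ip]
            if runs and runs[-1][2] == mac and runs[-1][1] == prev_ts:
                runs[-1][1] = ts
            else:
                runs.append([ts, ts, mac])
        prev_ts = ts
    return dict(intervals)


def attribute(intervals, ip, when):
    """Return (mac, status) for an IP at a point in time.

    'observed' means the time lies inside a run of identical sightings;
    'unknown' means it falls where the binding was never actually seen.
    """
    for first, last, mac in intervals.get(ip, []):
        if first <= when <= last:
            return mac, "observed"
    return None, "unknown"


def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a software-assigned address.

    A cleared bit proves nothing: a cloned vendor MAC looks burned-in.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def findings(intervals):
    """Collect the ambiguities a report on these logs would have to state."""
    notes = []
    mac_to_ips = defaultdict(set)
    for ip, runs in intervals.items():
        for _, _, mac in runs:
            mac_to_ips[mac].add(ip)
            if is_locally_administered(mac):
                notes.append(("locally-administered", ip, mac))
        if len({mac for _, _, mac in runs}) > 1:
            notes.append(("ip-rebound", ip, len(runs)))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            notes.append(("mac-on-multiple-ips", mac, tuple(sorted(ips))))
    return notes


if __name__ == "__main__":
    iv = build_intervals(SNAPSHOTS)
    print(attribute(iv, "10.0.0.5", 1450))
    for note in findings(iv):
        print(note)
```

Even an 'observed' result only says the same MAC answered at both ends of the interval; it identifies an interface, not the person using it.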

  31. Re:What, me change MAC address? I wouldn't do that by base3 · · Score: 1

    I was thinking the same thing--I'd never do something like that in an unknown environment without having already come up with some "good answer" for the low-level network fascist that might question what I was doing. I would think the least painful way to deal with restrictions in a NAC/NAP environment like often exists in residence halls (the test bed before they roll it out to everyone, unfortunately) is to hook up a healthy, compliant, good-boy Windows box and then connect your actual machine through the "blessed" Windows machine. Of course, if one of the conditions for NAC/NAP "health" is not running a DHCP server, that won't work.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  32. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    In all of those cases, I'd ask you to email me a list of addresses you'd like allowed. Then you've identified yourself.

  33. Re:What, me change MAC address? I wouldn't do that by Stellian · · Score: 4, Insightful

    Yes but the proof RIAA would bring to the court is not just the IP/MAC address combination. That's just a pretext to grab a random student whose IP happens to match, seize his computer and find thousands of MP3 files in the shared folders of a P2P application. That would then constitute the actual evidence they need.

  34. IP To MAC Addresses? by houghi · · Score: 5, Funny

    Anybody have some MAC addresses from the RIAA? That way people can use those in some semi-random rotating system and they can sue themselves.

    After all if the IP can be linked to the MAC, the MAC can be linked to the user, so anybody with that MAC will be guilty.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:IP To MAC Addresses? by Carthag · · Score: 2, Funny

      Maybe the RIAA is already spoofing *our* MAC addresses so they have random people to sue!

    2. Re:IP To MAC Addresses? by OeLeWaPpErKe · · Score: 3, Informative

      In advising this to people, I'm sure you know what will happen to a network (and to the helpdesk of said network) when multiple people start using the same mac-address, right ?

    3. Re:IP To MAC Addresses? by Anonymous Coward · · Score: 0

      cool idea :-] ... that needs to be an option for macchanger

      # macchanger --riaa eth0

    4. Re:IP To MAC Addresses? by that+IT+girl · · Score: 1

      This is the best idea I've heard in a long time. Somebody get on this!

      --
      10 FILL MUG WITH COFFEE
      20 DRINK COFFEE
      30 GOTO 10
    5. Re:IP To MAC Addresses? by Anonymous Coward · · Score: 0

      RIAA advert:
      "Got an annoying neighbor with open wi-fi?
      Spoof his MAC and leech some music."

    6. Re:IP To MAC Addresses? by Sancho · · Score: 1

      MAC addresses only have significance within the context of a network segment. This is a pretty pointless idea.

    7. Re:IP To MAC Addresses? by Anonymous Coward · · Score: 1, Informative

      In advising this to people, I'm sure you know what will happen to a network (and to the helpdesk of said network) when multiple people start using the same mac-address, right ?

      As long as you're not using the same mac address at the same time on the same broadcast domain, it won't cause any trouble.

      One way around the mac address based authentication systems is to run tcpdump, gather a bunch of authorized mac addresses, wait for the user to go away, then change your mac address to an authorized one.

      You can have a lot of fun with arp-spoofing on wifi!

    8. Re:IP To MAC Addresses? by mooingyak · · Score: 1

      Wouldn't you need to also be on the same network as whatever RIAA user you're impersonating?

      --
      William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
  35. Well, if you can't... by Anonymous Coward · · Score: 2, Interesting

    ... then you're liable! I'm expecting the courts to come up with that simple principle. Kinda like when your car is caught speeding: identify the driver or pay the fine.

    That, of course, will make not only university LAN's but also corporate LAN's much more expensive to build. It'll also make it difficult to support multi-user machines as you'd have to tie each and every TCP connection to a user.

    And after that liability scheme collapses under its own weight, we'll be rid of the whole copyright nonsense.

    1. Re:Well, if you can't... by Anonymous Coward · · Score: 0

      But when a car is recorded as speeding when the driver is not identifiable and the car's owner is mailed a speeding ticket for such-and-such a date and time, if the owner can prove that they were definitively elsewhere (with witnesses, even), shouldn't that exculpate them (the owner) from the fine even in the absence of an identified culprit?

      Liability *has* to rest with the culprit, not just anyone who has some association with the property in question.

  36. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    But that would be fine with me. All I want is to be able to tie your traffic to you. If your friend registered the windows box, then I'd tie it to him. Basically if I see a stream, I want to know who it belongs to on my end.

  37. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    And how the fuck are you going to prevent them? Hide your computers and just let them access the screen, keyboard and mouse?

    Unless you put your lab machines in a safe, there is always a way to access the network cables. (Even if it involves pulling the cover away from where they go into the wall.)

    Give me a break. Physical Security 101. The network design itself is protected to the level it needs to be. Even the US Government realizes that it's ALWAYS possible to physically break in somewhere. Therefore, you build in the appropriate protection. The security either justifies the building across from the base golf course, or within E-ring at the Pentagon or 3rd floor in NORAD.

  38. Re:What, me change MAC address? I wouldn't do that by jeremyp · · Score: 1

    Until the next time the MAC address changes and he claims it was a different friend or another new computer or something.

    Basically, there's so many legitimate reasons for a MAC address to change on a port that all you've really done is make everybody's life a little bit more miserable.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  39. Re:What, me change MAC address? I wouldn't do that by JustKidding · · Score: 1

    Aside from the hardware keyloggers, which would take any remotely competent freshman CS student a whopping whole Saturday evening to build from scratch (the PS/2 keyboard protocol is very slow, simple and well documented), your reasoning contains one major flaw:

    universities (at least in the Netherlands) are basically government institutions and are run as such. I have yet to see a university with half-way decent network security, given that the network has to be usable by clueless non-CS students (and worse, professors).

    Usually, security takes a backseat to accessibility, because the elderly making the decisions are about as clueless as the general public.

    The whole point of my post was to show that it is certainly not possible to pinpoint any user *given the current infrastructure*. Sure, it is possible to change the infrastructure to make it possible, but who is going to pay for that? The RIAA?

  40. Re:What, me change MAC address? I wouldn't do that by Ratbert42 · · Score: 5, Funny

    One of the IS guys at work came by, checked the number on my ethernet port, then asked if I was the f*cker that changed my MAC address to DE:AD:BE:EF:CA:FE. Yes I was. B00B1E5.

  41. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    When I was working at CS Dept. / IT, your method would cause security to walk in within minutes... It was well known that MAC could not be relied on for security. There were automatic remote checks (ssh-key for linux / unix + similar system for windows) to be done after computer bootup. If your machine's identification doesn't match classes computer, it causes alert...

  42. Response to meringuoid et al by Anonymous Coward · · Score: 0

    I'm fairly sure you weren't seriously asking meringuoid but I'm in a good mood and thought I'd answer below anyway. Someone might find it interesting... Maybe. Most will argue finer(and thicker) points below I'm sure but this WAS done in a coupla minutes.

    I'm very glad to hear about the MAC spoofing and log rotation issues. I believe, technologically that all of us have at least access to stuff that insulates us from a lot of this bullying. I'm worried just like most of us that we'll be paying $1-3/GB or more in the near future by disparate ISPs acting cohesively.


    Questions by meringuoid above, comments welcome - IANAExpert.

    >>What, exactly, legally speaking, is a 'website'?

    In its basest form that would be a domain or sub-domain. A collection of pages logically linked together. www.google.com/* or www.geocities.com/user/*

    >>Where does one 'website' end and another begin?

    Change of domains/users/content, et al. Fairly simple to prove unless obfuscation were employed. Even then if you can dig deeply enough...

    >>How does a 'site' differ from a 'page', if at all?

    A site should have more than one page. (kinda old school but I also think a myspace page is a site in a way - there are pics/video page links)

    >>Is a 'forum' part of a 'website', or only attached to it?

    If the same people who have authority over the website have authority over the forum or b) the people who have authority over the website delegate authority over the forum.

    >>Is there, as the media often says, a 'file sharing website' called 'BitTorrent' on which pirates trade music?

    Nah - an infrastructure.

    >>What exactly is this 'Web' thing anyway, and how is it distinct from the 'Internet', if at all?

    The web serves html pages. The rest perform other handy networking functions.

    1. Re:Response to meringuoid et al by lilomar · · Score: 1

      What, exactly, legally speaking, is a 'website'?

      In its basest form that would be a domain or sub-domain. A collection of pages logically linked together. www.google.com/* or www.geocities.com/user/*

      like news.slashdot.org? Wouldn't that mean that yro.slashdot.org was a different site?

      --
      The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
  43. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    It's often worse. I run a firewall/router in front of all my lab machines, between them and the wider university network. The router clones the IP and MAC address of a machine that is "officially" registered with the university via DHCP. So, in my case, one IP/MAC address combination == ~5 actual machines.

  44. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    As I said, I agree that there are legitimate reasons. If he claims it's a different computer, he's either blaming his roommate or telling me that he left his room unlocked and some random person walked in and used his port. Give me a break.

  45. No they don't by tjstork · · Score: 2, Insightful

    Lawyers as a whole, and judges in particular, think that they can "cut to the chase" of a problem and dig into the details of any field by analyzing every activity with respect to the law. So they never grasp the technology per se as much as they extract talking points with which to argue their side. Judges just tend to go with whoever makes the better argument. Expert witnesses and consultants are brought in to boost the credibility of the lawyers and their talking points, not to help aid in any real understanding.

    --
    This is my sig.
  46. Also by p3d0 · · Score: 1

    Can't MAC addresses be spoofed?

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
    1. Re:Also by the4thdimension · · Score: 2, Interesting

      This only compounds the fact that a loghost doesn't really help whether you have it or not.

    2. Re:Also by Atzanteol · · Score: 4, Informative
      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    3. Re:Also by Just+Some+Guy · · Score: 4, Funny

      Out of curiosity, what did you perceive as the difference?

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:Also by nizo · · Score: 4, Funny

      I wonder how hard it would be to find out what the MAC address of the provost's pc is? Let the spoofing hilarity begin!

    5. Re:Also by mc900ftjesus · · Score: 1

      Really? I have a Linksys router collecting dust that I can log into and type in any MAC I damn well please.

    6. Re:Also by ByteGuerrilla · · Score: 2, Interesting

      If I change my name via deedpoll, I'm not 'spoofing' everyone I meet from then on into referring to me with a name that isn't mine. That is my name. If I change my name and then change it back, or simply cut out the actual changing of the name and just introduce myself with a different name for a week, I've spoofed them into thinking my name is something that it isn't.

      Technologically I don't think there's a difference. If you consider intent, then you can draw a small, pretty inconsequential difference.

      --

      A block of code, sufficiently well-written, is indistinguishable from magick.

    7. Re:Also by clone53421 · · Score: 1

      ...unless the WAP is white-listing registered MAC addresses. Then you'd have to impersonate an inactive user, which means you'd have to know their MAC address, and you'd probably get them in some pretty big trouble while people try to figure out what went on.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    8. Re:Also by pxc · · Score: 1

      Well the difference between spoofing a MAC address and spoofing an IP address is that MAC address information is stored in the hardware where IP address exists only in software. With that distinction in mind, it makes sense that spoofing (in software) and changing are the same for an IP address. With a MAC address, however, spoofing it in the software would not necessarily "change" it in the hardware. The question would be whether or not a NIC with a "changed" MAC would maintain that new, modified MAC address inside a new computer, for example. I don't think the link actually talked about burning anything into the firmware of the device (it just talked about using the ifconfig command to set the MAC address in Linux), but I can see where the confusion could arise.

    9. Re:Also by SanityInAnarchy · · Score: 1

      Given that it's not terribly difficult, on a wireless network, to discover other people's MAC addresses, this seems like a pretty attractive attack.

      --
      Don't thank God, thank a doctor!
    10. Re:Also by clone53421 · · Score: 1

      Yeah, but it'd be a bitch of a thing to do to somebody you knew... make sure it's a stranger's MAC address.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    11. Re:Also by idontgno · · Score: 1

      Well the difference between spoofing a MAC address and spoofing an IP address is that MAC address information is stored in the hardware where IP address exists only in software

      Oversimplification. Not all hardware has a hard-coded MAC address, and in most hardware the MAC address stored in ROM or firmware is advisory: it's not enforced in the hardware to use that MAC address, it simply advises the operating system network stack what the hardware's default MAC address should be. Formulating the address portion of the Ethernet (or equivalent) packet is still the responsibility of the operating system, and it can use whatever MAC address it's configured for.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    12. Re:Also by JebusIsLord · · Score: 1

      Pre-op vs. Post-op

      --
      Jeremy
    13. Re:Also by Anonymous Coward · · Score: 0

      I wonder how hard it would be to find out what the MAC address of the provost's pc is? Let the spoofing hilarity begin!

      The heck with that. Every peer-to-peer filesharing application should just spoof your MAC address to an address that RIAA owns.

      If nothing else, in RIAA's fantasy legal land, maybe that makes it legal to distribute music...

    14. Re:Also by Anonymous Coward · · Score: 0

      They can have my Mac address it is: 46:55:52:49:41:41

  47. Re:What, me change MAC address? I wouldn't do that by huge · · Score: 2, Insightful

    Yes but the proof RIAA would bring to the court is not just the IP/MAC address combination. That's just a pretext to grab a random student whose IP happens to match, seize his computer and find thousands of MP3 files in the shared folders of a P2P application.

    That's exactly the point. It has been established that the IP address on its own is not enough as it can not be tied to single user/pc. That's the reason why they try to use IP/MAC pair to single out the computer they want to confiscate.

    IP/MAC is just as reliable as IP address on its own.

    --
    -- Reality checks don't bounce.
  48. Re:What, me change MAC address? I wouldn't do that by willmorton · · Score: 1

    I have yet to see a university with half-way decent network security, given that the network has to be usable by clueless non-CS students (and worse, professors).

    The computer lab at Cambridge University certainly used to have a policy (not sure if it still applies) that if you rooted one of their boxes, they would buy you a beer, if you rooted another one, they would buy you a whole evening of beers (at the legendary Eagle pub), and if you rooted a third one, they would offer you a job.

    Their IT security was way, waaaaaaay better than any commercial company I have worked at. Full-time security staffers with PhDs, pro-active scanning, keypad entry to server rooms with CCTV, and so forth. I suppose with folk like Markus Kuhn and Ross Anderson in the department, they have to make a bit of an effort. :o)

  49. Significance? by adrenalinekick · · Score: 1

    Does this have the potential to significantly impact any case other than Zomba v Does 1-11? I would love to see some precedents set that were based in actual technical fact rather than the typical RIAA pixie dust fantasy world.

  50. My router by fudgefactor7 · · Score: 1

    My cheap-ass router (4-port) allows me to make up a MAC address to use. I could, theoretically, post crap to Kazaa under MAC address #1, and then change to a completely different MAC Address (and new IP to go with it). What's the RIAA gonna do about that? As far as they know, I didn't do anything....

    1. Re:My router by Anonymous Coward · · Score: 0

      On that same note, this is a good excuse to have an open wi-fi network. Get one of those crappy routers with the wi-fi built in, spoof your MAC address (on your computer or router, whatever you put behind their router) when file sharing, and when the government comes to the door say something like "oh, one of the neighbors must have been on my network, damn hackers." Your MAC address isn't the one logged in their router. That's if they could figure out what IP/MAC address the router was giving out to the users on that router. Otherwise you're still screwed; they will probably take your computer anyway and find your shared files. Best thing to do is have a hidden media computer (some hidden crawl space) that randomizes IP/MAC addresses, say someone's connecting to your network, and watch files off of that computer.

    2. Re:My router by cdrguru · · Score: 1

      They aren't interested in "downloaders". You can't really catch a "downloader" because they aren't responding to network queries with offerings of songs or other files. On the other hand, "uploaders" are easy to catch. Simple answer is that you leech off others and upload nothing. You are then invisible to the techniques the RIAA is using to identify potential targets for lawsuits.

      Why would anyone with the desire for a large collection of music want to pay? What would it cost to fill up a standard iPod these days? Around $10,000 or so? Would anyone in their right mind buy such a device with the expectation of paying for the content? I don't think so.

  51. About the only way to ensure who's doing what... by IDtheTarget · · Score: 2, Insightful

    At my work we use two-factor authentication. (We use RSA SmartID tokens and a RADIUS server, but other similar systems are available.) Two factor authentication relies on something you know (in this case, a PIN number), and something you have (in our case, a hardware key-fob that generates a pseudo-random number every 60 seconds). We use this to allow VPN connections into our network while on the road.

    The price for these tokens is coming down to the point where banks are considering giving them to their customers who wish to bank online, I don't see why universities couldn't use them to allow access to their network, whether via Ethernet or wireless.

    If your keyfob is lost or stolen, you report it immediately and the IT department disables that fob and issues a new one, presumably with a fee. Otherwise, you are held accountable for whatever is done with your account.

    I'd imagine that this fob would also allow you to access any of the other services that are typically offered online by universities (access to library resources, registering for classes online, etc).

    It's not that difficult to store information as to which IP address is issued to which account during which time, we do it at work.
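Added example, not part of the thread or any commenter's post: a minimal Python sketch of the kind of IP-to-account lease record this comment describes, showing where attribution stays unique and where it becomes ambiguous or impossible (clock skew at a lease hand-over, and records pruned after a retention window). The `Lease` and `LeaseLog` names, the account labels, addresses and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str      # account that authenticated before the lease was issued
    start: datetime   # lease granted (server clock)
    end: datetime     # lease released or expired (server clock)


class LeaseLog:
    """Record of which account held which IP address, and when."""

    def __init__(self, retention):
        self.retention = retention
        self._leases = []

    def record(self, lease):
        self._leases.append(lease)

    def prune(self, now):
        """Drop leases that ended before the retention window; return how many."""
        cutoff = now - self.retention
        kept = [l for l in self._leases if l.end >= cutoff]
        dropped = len(self._leases) - len(kept)
        self._leases = kept
        return dropped

    def attribute(self, ip, when, skew=timedelta(0)):
        """Return (verdict, accounts) for `ip` at time `when`.

        `skew` is the tolerated difference between the reporter's clock and
        the server's. Every lease overlapping [when - skew, when + skew] is a
        candidate, so a timestamp near a hand-over can match two accounts.
        """
        lo, hi = when - skew, when + skew
        accounts = sorted({l.account for l in self._leases
                           if l.ip == ip and l.start <= hi and l.end > lo})
        if not accounts:
            return "no-record", accounts
        if len(accounts) > 1:
            return "ambiguous", accounts
        return "unique", accounts


def build_sample_log():
    """Constructed sample data: three leases, one of them ten days old."""
    log = LeaseLog(retention=timedelta(days=7))
    log.record(Lease("10.0.5.23", "acct-a",
                     datetime(2008, 1, 10, 18, 0, 0), datetime(2008, 1, 10, 20, 0, 0)))
    log.record(Lease("10.0.5.23", "acct-b",
                     datetime(2008, 1, 10, 20, 0, 30), datetime(2008, 1, 10, 23, 0, 0)))
    log.record(Lease("10.0.7.9", "acct-c",
                     datetime(2008, 1, 1, 8, 0, 0), datetime(2008, 1, 1, 12, 0, 0)))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    handover = datetime(2008, 1, 10, 20, 0, 10)
    print(log.attribute("10.0.5.23", datetime(2008, 1, 10, 19, 0, 0)))
    print(log.attribute("10.0.5.23", handover))                        # falls in the gap
    print(log.attribute("10.0.5.23", handover, timedelta(seconds=60)))  # two candidates
    print(log.prune(datetime(2008, 1, 10, 21, 0, 0)))
    print(log.attribute("10.0.7.9", datetime(2008, 1, 1, 9, 0, 0)))     # pruned
```

A lookup is only as good as the timestamp it is given: the same query moves from "no-record" to "ambiguous" once a one-minute clock tolerance is allowed.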

  52. Great by marcosdumay · · Score: 1

    Now we just have to convince them that blocking incoming ports at the ISP damages the RIAA rights to watch for themselves how any computer is acting, and that NATs and the small address space of IPv4 help anonymizing users from RIAA investigations.

  53. What a congressman costs... by zerofoo · · Score: 3, Interesting

    The RIAA and the courts will eventually figure out that any computer forensic logs can be faked, and will not be a reliable means of identifying computer users.

    Trying to pin criminal or civil liability on someone based on DHCP logs or ARP tables is sheer stupidity. These records could easily identify multiple users - we aren't talking about DNA evidence here.

    The justice system is slow - intentionally. It will take a while before judges get the technical details of this and realize that these identification methods are unreliable.

    What worries me is that the RIAA/MPAA will buy enough of congress to legislate unique tokens for computer users and mandatory log retention. It is possible that congress will make all of us (network admins) do the dirty work for private industry. It happened in banking, and it will probably happen again.

    I think I need to make another donation to the EFF and to the ACLU. Those organizations might be our only hope.

    -ted

    1. Re:What a congressman costs... by prodevel · · Score: 1

      I know I'll be making more donations and/or postings to ACLU/EFF...

  54. Tools Exist by psiberia · · Score: 1

    MAC addresses can be altered utilizing wonderful software out there. Any type of monitoring is then useless for anyone who knows what they are doing. How do you track something that keeps changing...

    1. Re:Tools Exist by T.E.D. · · Score: 1

      MAC addresses can be altered utilizing wonderful software out there

      Yeah. It's called "the operating system".

      On my XP box, it's just a matter of going into the device manager, selecting "Properties" for the network adapter, selecting the "Advanced" tab. Then you select "Locally Administered Address" and type in the new MAC. Some cards' drivers don't support this, but the Intel ones generally do, which means probably nearly all laptops. Anyone with admin to their own box can do this easily.

    2. Re:Tools Exist by psiberia · · Score: 1

      I didn't realize a component/module of the operating system was distinguishable from software. Not all is a Microsoft view of the world... stick everything in one package and bulk the sh*t out of it.

  55. Self created MAC addresses by Anonymous Coward · · Score: 0

    I wonder how soon before the RIAA demand the ability to soft-set your MAC address via Device drivers is removed from PCs.

    The drivers on my Laptop (and servers) allow the override of the Chip MAC address with a new one determined by me

    This could give rise to MAC address cloning as a means to hide ... Now all you need to do is get someone else's MAC address when they are not active on the network.

    To be truly accurate for "Audit" purposes, people would have to
    1) disable all Wireless access, using only wired connections
    2) Log all switches arp caches, and configs

    a massive overhead for IT departments, as well as an inconvenience to all.

    Some DHCP servers don't allow "leases" to be easily audited/determined

    1. Re:Self created MAC addresses by AndrewNeo · · Score: 1

      You'd think so, but guess what? That'd only work with closed source wifi chipsets. Most hardware ethernet devices have open source Linux drivers, which could be ported back to Windows if such a thing happened. Also, removing the ability to do that would only apply in the US, so you might only have to get the drivers from another part of the world that doesn't have this useless new law.

  56. Bypass the Internet by Anonymous Coward · · Score: 1, Insightful

    All the RIAA is doing is forcing people to think outside the box. Friends of mine have been trading MP3s for a while now by sharing USB keys. Other friends of mine trade those small 350GB USB external hard drives for movies.

  57. Re:What, me change MAC address? I wouldn't do that by Just+Some+Guy · · Score: 1

    Say you are in a situation where you can't connect your laptop to a network, but you can find the MAC address for a computer that is connected to that same network.

    Don't tell anyone, but this is the preferred way of not having to pay $15 a day for Internet access at crappy motels and Starbucks. Who cares if you and your, umm, sponsor both get each other's packets? Your IP stack will ignore the ones it didn't expect.

    --
    Dewey, what part of this looks like authorities should be involved?
  58. The biggest gap is BCAK. by miffo.swe · · Score: 1

    The biggest challenge really lies between the chair and the keyboard. How can the court be sure that the one owning the computer is the culprit? I could just have lent it out to someone. Finding the right computer is also just the beginning in proving someone has committed a crime. Thanks to rampant trojan distribution on Windows computers it's very common for a computer to be controllable by third parties, sometimes multiple parties, from remote. While in reality it's mostly the owner that downloads, nobody can prove it even if they could prove who was the owner of said computer.

    Proving who used it is the challenging part where courts up until now have always assumed that the owner is always the user. If that's how it should be there should at least be a law written that states that the owner is always accountable for whatever happens at his computer. Right now the courts don't really grasp this and some people get sentenced while no real proof exists.

    --
    HTTP/1.1 400
  59. ipv6 fixes this by MobyDisk · · Score: 1

    Will this all become moot once ipv6 assigns everyone a static IP? Not sure if this is a good or a bad thing, but it seems inevitable.

    1. Re:ipv6 fixes this by Just+Some+Guy · · Score: 1

      Will this all become moot once ipv6 assigns everyone a static IP?

      IPv6 - by default - assigns an address based on your MAC. DHCPv6, MAC spoofing, and good ol' static configuration can result in a different address.

      --
      Dewey, what part of this looks like authorities should be involved?
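Added example, not part of the thread or any commenter's post: the MAC-derived address this comment refers to is the modified EUI-64 form (RFC 4291, Appendix A), and this Python sketch builds such an address, recovers the MAC from one, and reports the locally administered bit, which marks a MAC as assigned by an administrator rather than the manufacturer. The function names are chosen here; the 2001:db8::/64 prefix and 00:00:5e:00:53:2a are documentation values, and 02:DE:AD:BE:EF:20 is the locally administered address quoted elsewhere in this thread.

```python
import ipaddress


def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into 6 bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected 6 octets, got %d" % len(parts))
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(parse_mac(mac)[0] & 0x02)


def mac_to_slaac(prefix, mac):
    """Build the stateless autoconfiguration address for `mac` inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 needs a /64 prefix")
    m = parse_mac(mac)
    # Flip the U/L bit, then splice ff:fe between the OUI and the NIC-specific half.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def slaac_to_mac(addr):
    """Recover the MAC embedded in an EUI-64 address, or None if there is none."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # static, DHCPv6 or randomised interface identifier
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in m)


def audit(addresses):
    """For each address: (address, embedded MAC or None, locally administered or None)."""
    report = []
    for addr in addresses:
        mac = slaac_to_mac(addr)
        report.append((addr, mac, is_locally_administered(mac) if mac else None))
    return report


if __name__ == "__main__":
    # Constructed sample: two autoconfigured hosts and one statically numbered host.
    seen = [
        str(mac_to_slaac("2001:db8::/64", "00:00:5e:00:53:2a")),
        str(mac_to_slaac("2001:db8::/64", "02:DE:AD:BE:EF:20")),
        "2001:db8::1",
    ]
    for row in audit(seen):
        print(row)
```

An address in this form carries the interface's MAC in the clear, but only the MAC the operating system chose to present; the third sample address shows that a statically configured host reveals nothing.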
    2. Re:ipv6 fixes this by Skapare · · Score: 1

      So someone gets assigned a static IPv6 address. That doesn't mean someone else can't use it. It will take more than just using IPv6 to prevent that. It will probably take a securely authenticated tunnel session (with corresponding overhead, which can be huge for the school's tunnel servers) to prevent someone from using someone else's IPv{4,6} address (because it's still way too easy to hijack MAC addresses).

      --
      now we need to go OSS in diesel cars
  60. University and MACs by Anonymous Coward · · Score: 1

    This reminds me of when we were in university and a network admin had his computer recycled. We "borrowed" his MAC address that he never unregistered. Put us on the unmonitored/uncapped network access, and it actually allowed us to use P2P and Xbox Live.

    He became suspicious when the network log had him as the top downloader and uploader on the network, and he did track down the person that did it. Luckily, we "borrowed" a neighbor's unsecure wireless to do it from, so it appeared to be someone else.

    Ain't I a stinker?

    1. Re:University and MACs by Ferzerp · · Score: 2, Insightful

      If by a stinker you mean you suck at lying... Yes.

      You borrowed a MAC address. A piece of information that only lives on in your specific network segment and then attached it to wireless that was set up by someone who wasn't smart enough to secure it. This means it was no doubt set up with the default config which means it was a router...

      The network admin had a super special routable MAC address did he?

    2. Re:University and MACs by clone53421 · · Score: 1

      The network admin had a super special routable MAC address did he?

      Very true... now I wonder why on earth he needed that?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  61. Re:What, me change MAC address? I wouldn't do that by rickb928 · · Score: 1

    The secondary NIC on most of the clusters I built would be named 02:DE:AD:BE:EF:20. My partner was more creative, but one of his ideas for a MAC was sorta sick.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  62. Re:What, me change MAC address? I wouldn't do that by Sandburd · · Score: 1

    Isn't it possible to disconnect the port when the cable is unplugged? I believe they do this at my mom's work. Of course you have a big problem when you're recovering from a power outage....

    But I believe the switches/routers at her work just disconnect the port whenever you pull the cable out of the machine.

  63. And all this time, I thought it would be difficult by hyades1 · · Score: 3, Funny

    "For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information'..."

    So based on the university IT department's willingness to accommodate, I should maybe send Natalie Portman a "Notice That I'd Like A Date", and I could have a reasonable expectation of spending an evening in geek ecstasy?

    If all it takes to persuade a major university that it should bend over and drop trou is a freakin' notice, there MUST be hope for me.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  64. On topic - your sig by sm62704 · · Score: 1

    You should encrypt it with ROT-1, and sue the RIAA for DMCA violation. Jg zpv dbo sfbe uijt, zpv bsf voefs bssftu!

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    1. Re:On topic - your sig by jskline · · Score: 1

      LOL...

      That's pretty good. But remember: we're possibly dealing with people who barely scraped through school and may not understand the encryption.

      By having it simply displayed, and out front that they are looking here illegally, then there's no confusion... :-)

      --
      All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
  65. There's a huge logistical problem with that by Benanov · · Score: 1

    College students are highly irresponsible. You'll be replacing fobs left and right.

    They'll also share them out or leave them in pools with the username taped to them...grab one, use it for a bit, put it back.

    1. Re:There's a huge logistical problem with that by IDtheTarget · · Score: 1

      Sure, until you hit them in the wallet. If your fob was used to access something against policy and you're suspended for a semester, you're unlikely to do it again, and neither are your friends...

    2. Re:There's a huge logistical problem with that by Anonymous Coward · · Score: 0

      And you sue university, isn't it a great world

    3. Re:There's a huge logistical problem with that by Anonymous Coward · · Score: 0

      And then your enrollment manager has the practice stopped and potentially demands the person responsible's head on a platter. Nice idea, though.

  66. Re:What, me change MAC address? I wouldn't do that by LEMONedIScream · · Score: 1

    I found it depends entirely on the router that you're connecting to.

    Not that I've ever done highly dubious and probably illegal activity of jumping onto someone else's network.

  67. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    so just find a few mac addresses from some RIAA computers and use those to do your downloading

  68. Static IP Anyone? by omnichad · · Score: 1

    How hard is it to assign yourself an IP and never have to worry about DHCP logs?

    1. Re:Static IP Anyone? by spydum · · Score: 1

      True enough, just "borrow" someone else's leased IP while they are offline, and you instantly incriminate some other poor soul.

  69. Time to write a new utility by FoxconnGuy · · Score: 1

    Or modify an existing one. To make it generate MAC addresses dynamically and avoid collisions automatically. It may become a "survive through RIAA jungle" tool.

    And attach it to each P2P software release and set a world record of d/l.

    Can I apply for a patent for this? (Just in case I may violate some RIAA's patent.)

  70. Re:And all this time, I thought it would be diffic by 91degrees · · Score: 1

    Try it. Might work.

  71. Re:What, me change MAC address? I wouldn't do that by TheCarp · · Score: 1

    Yup yup. And I have to say, Tufts Networking group is full of people who really know their stuff. Though students, even ones who know they are doing something wrong, aren't that smart about their dealings.

    I still chuckle thinking back to the day that a student that had been a pain before and managed to weasel by with nary a slap on the wrist decided to start spamming... through one of the main email servers. The network group went as far as to send one of their engineers out to the physical site to verify that the machine doing the spamming was the same MAC...

    She showed up and called Campus police for access to the office, and the student showed up while she was waiting. She said she needed to verify some information, checked it out, at which point the police showed up, she explained the situation, and the officer dragged the student off.

    This, I think, shows that their position is consistent over time. They have known for years that these issues would crop up, and they took steps to verify the info end to end, in person.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  72. Simple solution by JediN8 · · Score: 1

    You can tie the MAC address to the device that connects to the broadband provider. For example, I am a Comcast subscriber and I have a cable modem device. When it was activated, the MAC address was entered into the Comcast database. This allows me to pull a dynamic IP from their system over the cable modem "bridge". This MAC address cannot be spoofed or I would not get service. This address is tied to my home address. Now, here is the fun part. If I am committing a "crime" using my broadband connection, my house can be seized, the same as if I was running a crackhouse or making meth. It only takes a little creativity on the part of the police and DA. Here is the really fun part. I may be cleared of all wrongdoing by a slick lawyer but the house has to go to a "hearing" in which it can be proved that illegal activity was taking place. The house is then transferred to the local law enforcement for disposal in an auction or other sale. This happens every day in America. Cars, boats, houses all seized during criminal busts. Now, the RIAA claims that what downloaders are doing is a felony and the courts agree due to the nature of the huge costs associated with the "crime". All the RIAA has to do to deter the downloaders is to start having the homes seized. The hearing over the seizure is pretty cut and dried and very hard to win, for the citizen. Before you start claiming "BS", check the US Code and search the web for property seizures by the feds.

    1. Re:Simple solution by Tuoqui · · Score: 1

      You could always try a constitutional challenge on the law itself...

      4th Amendment explicitly states homes.

      The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

      The Presumption of Innocence (Innocent until *PROVEN* guilty in a court of law).

      8th Amendment restriction on cruel and unusual punishment could apply as well

      Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.

      I presume this is the same amendment the 'sentence' of $220,000+ of that one lady who was actually found guilty is being challenged/appealed on. You could easily make a case for the law being unconstitutional if it's being used to 'excessively fine' individuals.

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
  73. Re:What, me change MAC address? I wouldn't do that by Rickasaurus · · Score: 1

    Sure, but once you are logged in a skilled user can just clone your mac address and kick you off the network. The only way around this as far as I can tell is to have each and every user in their own encrypted and authenticated tunnel.

  74. Re:What, me change MAC address? I wouldn't do that by NeoSkandranon · · Score: 1

    The labs in the engineering building where I attended had all the cases strung with a cable that was linked to an alarm. Try to dick with the case and through some mechanism the alarm was triggered and EVERYONE knew.

    Seems like that could easily be extended to cover manipulating the cables as well.

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  75. Change MAC: Re:hehe by Anonymous Coward · · Score: 0

    Linux makes it incredibly easy to use a different MAC address. Hell, most routers these days let you specify a MAC address. Based on that, you still can't guarantee that the IP was actually being used by the hardware with the detected address.

    When I was at my old college, to get my laptop on the network, I would just clone the MAC of whichever workstation I was at, thank the DHCP server, and have internet access.

  76. Re:What, me change MAC address? I wouldn't do that by jedidiah · · Score: 1

    Yes because we all know that college students are just all anti-social shut-ins.

    Laptops have been pervasive in academia and corporations for at least a good 10 years now.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  77. Re:What, me change MAC address? I wouldn't do that by Abcd1234 · · Score: 1

    That's more than a little disturbing. That, or a great route to corporate espionage (I'm betting it'd be trivially easy to install keyloggers in your average corporate office, particularly given how small and discreet those things are). Not to mention the fun a disgruntled employee could have...

  78. Re:What, me change MAC address? I wouldn't do that by Lodragandraoidh · · Score: 1

    Show of hands, how many people here have written a TCP socket application to span multiple machines?

    Yet another reason you can't tie a specific connection to a specific person in a heterogeneous network.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  79. Re:What, me change MAC address? I wouldn't do that by clone53421 · · Score: 1

    Seriously, what a dumb setup... I'd be putting masking tape over my plugin when I wasn't using it to make sure my roommate didn't plug in accidentally. Or God forbid somebody came over and wanted to plug in their laptop... no, sorry, there's only two plugins and we're using them. What, use my computer? Like hell you will... actually, let me start up my keylogger and I'll let you have it for a bit.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  80. Re:What, me change MAC address? I wouldn't do that by clone53421 · · Score: 1

    Hmm, that actually gives me a great idea... I'll just go and check all the doors in the hall, and if anybody left their room unlocked I'll plug my lappy into their ports (using a different MAC address each time, of course). Then I'll be laughing as you try to get the mess straightened out when half a dozen rooms can't get on the network and you have no idea who did it.

    While I'm at it, if anybody left their laptop accessible (yeah, how stupid, anybody could walk in and steal it), I'll just install a little script to change their MAC address periodically. That should be entertaining...

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  81. Be honest by DesScorp · · Score: 1

    And, of course, nobody has *ever* spoofed a MAC Address ....

    How many kids have any clue whatsoever on how to do this? I'd wager most CIS and IS students don't even know how to do it. You'd have a few really savvy kids that would know how, but honestly, the vast majority of kazaa users don't even know what a MAC address is.

    Whatever you think of the RIAA and their methods, that's not a valid legal defense here. Tufts would have to prove that MAC spoofing is common knowledge and a common skill to mount that defense for their students, and that just isn't going to fly in court.

    --
    Life is hard, and the world is cruel
    1. Re:Be honest by hedwards · · Score: 1

      That's really not correct, the RIAA being the accusing party would be required to demonstrate to a standard that MAC spoofing is not common knowledge in order for this to fly. In all likelihood things would end up at trial anyways because no judge is going to grant summary judgment for an issue this close.

      The other thing is that you're mischaracterizing the statement, Tufts is just arguing that it's impossible under their system to even tie down an IP a few weeks later spoofed or not. MAC spoofing is just one reason why the results are not likely to be useful.

    2. Re:Be honest by tooyoung · · Score: 5, Insightful

      How many kids have any clue whatsoever on how to do this? I'd wager most CIS and IS students don't even know how to do it

      True, but I bet that most CIS and IS students know that you CAN do it. Then it becomes a simple matter of googling. The key here is that anyone who has taken a basic networking course has enough knowledge to dispute evidence crucial to the RIAA's case. The fact the RIAA is able to continually present this evidence in a court room tells me that
      1. Judges and juries do not know enough about the technology that they are ruling on.
      2. The RIAA's experts are deliberately misleading the judges and juries. This is not ethical and should have consequence.

    3. Re:Be honest by clone53421 · · Score: 1

      Actually, I'd just point to the old "MAC Addresses and Security: How MAC Address Identification of Users is Unreliable" flier that's been tacked to the campus bulletin board for the past 6 months (at least, that's what the date on it indicates). Oh, you want to know how many people attended that session? Sorry, we only keep the attendance logs for a week...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    4. Re:Be honest by AusIV · · Score: 4, Insightful
      Why would MAC spoofing have to be common knowledge to use that as a defense for their students?

      It's not like every student would have to be going around spoofing MAC addresses. You could have ten kids going around sniffing MAC addresses, then spoofing a different MAC every day to do their file sharing. You could certainly be vulnerable to this without knowing how it works.

    5. Re:Be honest by Creepy · · Score: 1

      This really has more to do with DHCP than with MAC addresses. What they're saying is they only have so many DHCP addresses assigned, and the number they have is inadequate to assign one unique address to every single host that uses their system. Since DHCP addresses are reused, they can't tie the DHCP to the MAC address.

      What the RIAA will probably argue next is they could log this, as someone mentioned earlier, and then use the DHCP+MAC to identify the machine at the time. That, however, does not positively identify the user, so they would also have to log the user using the machine at that time (which still doesn't guarantee anything - they would then need to prove it).

    6. Re:Be honest by azuredrake · · Score: 2, Informative

      It's actually very commonly done at Tufts. We're only allowed one connection to the network per person, because the wires were run prior to online console gaming being a common thing on college campuses. The easiest way to get your wii or 360 online simultaneously is to change its MAC address to clone your PC's, so that the network doesn't question its presence.

      --
      Quis custodiet ipsos custodes?
    7. Re:Be honest by azuredrake · · Score: 2, Informative

      Oh and for reference, I'm a Poli Sci major and I know how to do this. And Tufts has a big Engineering school, and any of my EE/CE/CS friends could do this in their sleep as well.

      --
      Quis custodiet ipsos custodes?
    8. Re:Be honest by Mattsson · · Score: 1

      As long as it is possible to fake your MAC-address, having a MAC / IP / Date / Crime relation documented means nothing.

      Imagine if you could pose under a fake DNA for a couple of hours via techniques accessible to anyone with a few hours to spare, access to google and somewhat advanced knowledge in bio-medicine.
      Maybe this would be possible for 1% of all college/university bio-med students and 50 to 60% of all professionals in the bio-med industry.
      Would DNA spoofing be common knowledge or common skill? Nope, most people would probably not even know this was possible.
      Would DNA-samples at a crime-scene be viable in court anymore? Not a chance.

      --
      /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
    9. Re:Be honest by Deadplant · · Score: 1

      But in this day and age it is enough to simply hear about something called 'mac address spoofing' to be able to do it.
      even non-tech youngsters can google it and follow the instructions.

    10. Re:Be honest by dave562 · · Score: 1
      How many kids have any clue whatsoever on how to do this? I'd wager most CIS and IS students don't even know how to do it. You'd have a few really savvy kids that would know how, but honestly, the vast majority of kazaa users don't even know what a MAC address is.

      You might be surprised about the tech savvy of "kids" these days. When I was consulting, one of the clients I worked at was a private high school. We had their network locked down with a Sonicwall 4060 that isolated the different segments from each other. The teacher workstations were on one port, the library on another, the computer labs on another, the office on another and finally the classrooms on another. The kids were never able to jump the ACL to access the protected segments but they did manage to set up software that utilized the IP6 stack to get around the content filters.

    11. Re:Be honest by techno-vampire · · Score: 1
      Tufts would have to prove that MAC spoofing is common knowledge and a common skill to mount that defense for their students, and that just isn't going to fly in court.

      Well, in that case, I know what I'd do if I were still in college and there were any chance of something like this coming up. I'd organize meetings all over campus teaching other students what a MAC address is, how to spoof one and why you'd want to. That way, by the time the RIAA and its goons come knocking, it really would be common knowledge on campus.

      --
      Good, inexpensive web hosting
    12. Re:Be honest by Cramer · · Score: 1

      Actually, what they said (and I did read the PDF) is they don't keep logs for more than 10 days and the arp table snapshots are inconclusive. And I'd say their DHCP system is broken as well since the example they give shows an overlapping lease -- presumably to the same machine, but still an overlap.

    13. Re:Be honest by RobertM1968 · · Score: 1

      Various routers seem to allow you to either assign your PC's MAC address to it, or add whatever one you want. Pretty easy to find. I'd expect most CIS and IS students know about this.

      And apparently, there were (or still are) NIC cards that allow you to use a different MAC address (or reprogram them).

      With all the attention such things (the RIAA suits) have garnered, I would expect a bunch more people are aware of how to accomplish this.

      Keep in mind, you don't need everyone knowing how to accomplish this, you just need to prove that (1) it can be done, (2) it can be done pretty easily, and (3) there are people who know how. That would bring doubt into the validity of any MAC address logs - the RIAA would have no way of proving that someone, someplace else on campus (for instance) didn't spoof a MAC address used by someone else on campus.

      Besides, if the school above is like many others, there are various NAT devices between the computers and the WAN routers... I've seen many levels deep at some places... all being devices that either don't record MAC addresses, or would quickly overwrite the earlier entries (in hours or days).

    14. Re:Be honest by m85476585 · · Score: 1

      Couldn't you just set up a cheap NAT router with port-forwarding?

    15. Re:Be honest by Anonymous Coward · · Score: 0

      The *real* question is why these dumbasses file sharing *don't* do anything. If I shared files I'd think like a squid - anytime I swam I'd be clouding the waters with any means at my disposal. I mean, c'mon! Don't expect everyone else to cover for you! No honor among thieves is true enough I suppose...

  82. Generally? by SanityInAnarchy · · Score: 1

    I haven't actually seen that for awhile now. My DSL modem operated in bridge mode. Currently, my router -- a Linux router, which can, indeed, spoof a Mac address -- is on fiber, and has a real, live IP address. Every Linksys router I've seen lately has something called "mac clone", which is explicitly designed to spoof a Mac address -- I assume that's actually useful somewhere. (I've used it when my ISP doesn't want to let go of my DHCP lease.)

    Oh, and this is at a university. When I was there, it was all a local Ethernet network -- which, in fact, was handing out live IP addresses, but it'd be worse if they didn't. The only saving grace for the RIAA was, my school required users to register their Mac addresses with an account, and that account was actually tied to their identity.

    --
    Don't thank God, thank a doctor!
    1. Re:Generally? by Anonymous Coward · · Score: 1, Informative

      There are still ISPs who try to say that the connection is for one and only one computer, and refuse to troubleshoot if you have a router, so you hook up a live computer, get it running, and they bind the connection to that particular MAC. Then, you have to clone that MAC on your router in order to use it to share. Really, really stupid shit.

    2. Re:Generally? by zugmeister · · Score: 5, Interesting

      The "Clone MAC Address" feature is there because some ISP's (Cox comes to mind) will grab the mac addy. of the first device you hook up and refuse to provide service to anything else. So when you plug your laptop straight in to check if they've turned up the line it works. Plug in your router and it's dead.

      Tech support swears they don't do this, so you have two choices: call/hold/bitch at tech support till they reset your account (locking you into your current router's MAC so you start over if you get another router) or just clone the MAC and start moving packets.

    3. Re:Generally? by DigiShaman · · Score: 2, Informative

      Actually, I think that's part of the DOCSIS spec. Time Warner, Cox, and Comcast exhibit this behavior.

      When you first power on the Cable Modem, it will seek out the first MAC address it sees and *never* lets go of it in memory. The only way to clear the MAC from cache is to unplug the CAT5 cable and physically kill power to the modem (reset).

      Again, the ethernet side of the cable modem is NOT hot-swappable. The only way to hot-swap is to ensure all devices are cloned with the same MAC address. A simple solution would be to use a router and hot-swap from it.

      --
      Life is not for the lazy.
    4. Re:Generally? by Holi · · Score: 3, Informative

      You do understand all you have to do is cycle the cable modem's power and it will grab the new MAC address, yes I used to do this daily. There is no need to "call/hold/bitch" to anyone.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    5. Re:Generally? by dave562 · · Score: 1

      This is right on. It seems to be the cable companies that do this. In my area we were able to simply turn the device off for thirty minutes and then turn it back on with the router/firewall attached to the ethernet port. It wouldn't surprise me if some cable companies were able to lock in the MAC of the first device attached to it.

    6. Re:Generally? by Cramer · · Score: 1

      It's the cablemodem doing this. It's told to only allow a set number (usually one) of systems public access (read: IP's); many ISPs will sell you additional dynamic addresses. The first one to make a DHCP request wins. As others have said, reset or power-cycle the modem and it will forget that MAC.

    7. Re:Generally? by Attackinghobo · · Score: 1

      Or you could unplug the power to your modem for 10 minutes and it will reset. I have used cox for 7 years now, and that's how it's done.

    8. Re:Generally? by Anonymous Coward · · Score: 0

      or you could turn the modem off for about 5 minutes and that will fix it.

    9. Re:Generally? by slashdotwannabe · · Score: 1

      Every Linksys router I've seen lately has something called "mac clone", which is explicitly designed to spoof a Mac address -- I assume that's actually useful somewhere. (I've used it when my ISP doesn't want to let go of my DHCP lease.)

      FYI, there are often ISPs that will not let you NAT, or have more than one computer on your broadband service. They get a MAC from you and that's the only one they let talk on the network. Therefore, using the clone MAC feature on the Linksys gets around that problem...

      --
      This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
  83. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    yes

  84. ha! by halcyon1234 · · Score: 1

    For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

    RIAA sees "infringement" occur.

    DHCP logs are overwritten immediately

    They file a Notice to Preserve

    IT department replies with "Ohhh, sorry, too late. Next time let us know in advance that you wanted some overwritten data preserved. The forms are clearly posted in the dark basement..."

  85. Time sync? by Anonymous Coward · · Score: 0

    Essentially this is a distributed system, isn't it? The RIAA have logs (supposedly) which say at what time an IP was (supposedly) sharing copyright (supposedly) files.

    Assuming all their logging servers share the same clock (which I highly doubt), you've also got the University & ISP servers, which have their own times. Thus, a simple mistake in either log, and all of a sudden you are potentially looking at another machine. Given the high incompetence of the RIAA technical investigation (at least from what I've heard reported), I wouldn't put it past them to even forget about timezone changes or DST.
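The timestamp problem raised in the comment above, worked through as an added example (not part of the original post, and not Tufts' or anyone's actual tooling): the same reported local time is matched against DHCP leases under two UTC offsets and with a clock-error window. The lease records, addresses, dates and function names are all constructed for illustration.

```python
"""Match an observed (IP, time) against DHCP leases, allowing for clock error."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed lease records (UTC): start, end, IP, MAC. The third lease
# overlaps the second, the situation another comment in this thread says
# the Tufts report's own example shows.
SAMPLE_LEASES = """\
2008-05-01T13:00:00Z 2008-05-01T14:00:00Z 10.0.5.23 00:11:22:33:44:01
2008-05-01T14:00:00Z 2008-05-01T15:00:00Z 10.0.5.23 00:11:22:33:44:02
2008-05-01T14:55:00Z 2008-05-01T16:00:00Z 10.0.5.23 00:11:22:33:44:03
2008-05-01T13:00:00Z 2008-05-01T16:00:00Z 10.0.5.24 00:11:22:33:44:04
"""


@dataclass(frozen=True)
class Lease:
    start: datetime  # timezone-aware, UTC
    end: datetime    # timezone-aware, UTC (lease covers [start, end))
    ip: str
    mac: str


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Parse the constructed 'start end ip mac' lines into Lease objects."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, ip, mac = line.split()
        leases.append(Lease(_utc(start), _utc(end), ip, mac.lower()))
    return leases


def local_to_utc(stamp, utc_offset_hours):
    """Interpret a zone-less 'YYYY-MM-DD HH:MM:SS' stamp at a fixed UTC offset.

    A log that omits its zone forces the reader to guess this offset;
    guessing standard time during daylight time shifts the result by an hour.
    """
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def candidate_macs(leases, ip, when_utc, skew=timedelta(0)):
    """Every MAC whose lease on `ip` intersects [when - skew, when + skew]."""
    lo, hi = when_utc - skew, when_utc + skew
    return sorted({l.mac for l in leases
                   if l.ip == ip and l.start <= hi and lo < l.end})


def attribute(leases, ip, when_utc, skew=timedelta(0)):
    """Return ('none' | 'single' | 'ambiguous', [macs]) for the observation."""
    macs = candidate_macs(leases, ip, when_utc, skew)
    verdict = "none" if not macs else "single" if len(macs) == 1 else "ambiguous"
    return verdict, macs


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    ip = "10.0.5.23"
    reported = "2008-05-01 09:30:00"  # constructed observation, zone not stated
    for label, offset in (("read as UTC-4", -4), ("read as UTC-5", -5)):
        print(label, attribute(leases, ip, local_to_utc(reported, offset)))
    # Near a lease boundary, a five-minute clock error is enough to add a MAC.
    near_edge = local_to_utc("2008-05-01 09:58:00", -4)
    print("5 min skew", attribute(leases, ip, near_edge, timedelta(minutes=5)))
    # Overlapping leases are ambiguous even with perfectly synchronised clocks.
    print("overlap", attribute(leases, ip, local_to_utc("2008-05-01 10:58:00", -4)))
```

A "single" verdict only holds for the offset and skew that were assumed, so both belong in any report alongside the result.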

  86. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    Stupid much?

  87. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    Brute-forced... Joking much? The password file is stored at the other end of the network, you can't just grab it. And good luck tapping in different passwords by hand, with an enforced three second delay.

    So? Most people use passwords related to the school they're at and their class. Seriously. football2010 or [mascot]2010 are great examples. If you can enumerate enough login names (shouldn't be too hard, honestly) you'll be able to find an account that you can log in to. Bonus is that you probably won't trigger account lockouts for any of the aforementioned accounts, making it less likely that you'll be detected.

  88. Ruckus already provides free legal music downloads by DaveP+in+Ohio · · Score: 1

    If you are a college student, you already have access to a free music download service. www.ruckus.com All you need is a .edu email address to get an account and download free (albeit DRM'ed) music.

  89. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  90. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  91. I'm missing something by jgalun · · Score: 1

    I'm hoping someone can help me understand a part of Tufts' response. They say, on page 4:

    "Occasionally, only one MAC address comes up in the ARP database...Therefore, if the IP address in question does not serve a high volume of users, there is a reasonable probability that the single matched MAC address was, in fact, the computer at use at the time of the alleged infraction...However, any such identification lacks the reasonable technical certainty of DHCP described above, since it is technically possible that another unidentified user accessed the system and used the IP address without being recorded in the ARP database."

    In what scenario would DHCP capture an "unidentified user" while ARP would not?

  92. Stop stealing... then the RIAA will not matter. by pfarber · · Score: 0

    Lots of people pontificating about logs and regurgitating the last chapter of 'Networking for dummies' they just read. Stop stealing shit. Really. It's a song. Whippy freaking do. Listen to the radio, satellite t.v. has lots of free songs. You whimpering little bitches brag about your 10G mp3 collection... but then complain about your mom telling you to turn down that music. Get a life, a paycheck and stop stealing.

    1. Re:Stop stealing... then the RIAA will not matter. by Anonymous Coward · · Score: 0

      "Stealing" is taking something that doesn't belong to you. Copying it isn't taking it, because you just have a copy. It's illegal, yes, but quit calling it stealing.

    2. Re:Stop stealing... then the RIAA will not matter. by dave420 · · Score: 1

      It's not stealing.

    3. Re:Stop stealing... then the RIAA will not matter. by DamnStupidElf · · Score: 1

      Stop stealing shit.

      Just as soon as you stop stealing letters (there's only 26 of them for god's sake!) and words. How will the rest of us communicate if you use up all the "of"'s, "the"'s, and "a"'s?

    4. Re:Stop stealing... then the RIAA will not matter. by Mesa+MIke · · Score: 1

      Stop the stealing of a shit?

    5. Re:Stop stealing... then the RIAA will not matter. by Anonymous Coward · · Score: 0

      Stop stealing shit. Really. It's a song. ... Get a life, a paycheck and stop stealing.

      Dear RIAA Troll,

      I should note that the RIAA and the MPAA and their ilk have repeatedly paid for legislation that (retroactively) extended copyright terms. In doing so, they have deprived me, a member of the public, of the ownership of works that should rightly belong to me (as do all works in the public domain). The RIAA and MPAA and other "big copyright" lobbies have, in a very real sense, STOLEN from me (they have not infringed my copyright, but rather stolen in a very literal sense from me - and everyone else - that to which we have a fundamental right of ownership).

      When you created your stuff, the deal was you got a limited amount of time. In exchange, we the public gave you copyright on your work. At the end of that time period, your material was to be owned by ME (and everyone else). That was the deal.

      However, changing the terms of the deal in your own favor and lengthening the term of copyright - without granting to the public some form of compensation - YOU have invalidated the contract (hint: while I am not a lawyer, there IS something called "grant" and "consideration" in contract law - for me to "grant" you some sort of rights, you have to offer me something in return - the "consideration"). You tried to grab extra stuff for yourself without offering anything in return. This is simply not the way a contract works.

      As you offered nothing in return to us, the public, when you extended your copyrights, there was no "consideration" exchanged for what you wanted us to "grant" you. Ergo, because of YOUR actions, the entire contract is *null and void*. You have NO claim to copyright now, thus there can BE no copyright infringement... because YOU broke the contract. I - and the rest of the public - am no longer beholden to adhere to the terms of a contract once YOU refused to uphold your end of the bargain.

      I might add that it is quite hysterical to me that you hypocritical thieves apply such labels as "pirate" and wail about "untold amounts of damage" when you cannot so much as prove those damages actually exist. I, on the other hand, can provide a long list of works that I *would* own had you not STOLEN them from me by extending the term of copyright just before these things fell into the public domain.

      Those swapping music are *not* stealing. Those extending copyright durations *are* stealing - and not just from one person, but from every person on earth.

      I don't mind paying for quality work. I *do* mind being stolen from. Extension of copyright terms to unreasonable limits (and for all intents and purposes, the definition of "unreasonable" is anything greater than 28 years), is stealing. Go look up Thomas Babington Macaulay to find out why copyright isn't a legal thing as much as a social thing... and that by extending copyright to unreasonable lengths of time, you have lost the support of the public, who would be HAPPY to support reasonable laws.

      To satirize one of your MPAA buddies' things...

      You wouldn't commit electronic fraud to steal the credit card information of 40 million people. You wouldn't extort peoples' money by claiming unprovable and unreasonable damages. You wouldn't try to empty peoples' money into your own pockets by claiming a tax should be levied and paid to you on blank media. You wouldn't steal something from every one of the 6 billion people living on the earth.

      EXTENDING. COPYRIGHT. DURATION. IS. STEALING.

    6. Re:Stop stealing... then the RIAA will not matter. by bratwiz · · Score: 1

      As you offered nothing in return to us, the public, when you extended your copyrights, there was no "consideration" exchanged for what you wanted us to "grant" you. Ergo, because of YOUR actions, the entire contract is *null and void*. You have NO claim to copyright now, thus there can BE no copyright infringement... because YOU broke the contract. I - and the rest of the public - am no longer beholden to adhere to the terms of a contract once YOU refused to uphold your end of the bargain.

      Uh, actually they probably did... to our "public representatives" in the form of "gifts" and "contributions"...

      We need to stop electing representatives with an affinity for shiny stuff...

  93. Re:And all this time, I thought it would be diffic by PPH · · Score: 1

    I got an error message to the effect that the Portman requested was blocked.

    --
    Have gnu, will travel.
  94. Kerberized VLAN's by bill_mcgonigle · · Score: 1

    At the dorm I used to live we had to authenticate our computers in order to gain access to the network, this was done via username/password combos. There were several that multiple people knew (mostly to get around bandwidth limits - you'd just jump on another account if you exceeded your quota).

    Once upon a time CMU had a writeup on the net of a system they'd developed which would put everybody who connected to the network on a VLAN that could do local DNS, DHCP, and talk to the Kerberos server. That's it. Once you authenticated, an authorization system would pop your port onto an Internet-connected VLAN.

    Anybody seen a modern equivalent to this? It would be lovely for elementary schools that have problems with inappropriate access.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  95. No Mischief, Please by bill_mcgonigle · · Score: 1

    So, even if you have a case of having to register your MAC before connecting to the network (which is the case in many places), because it is so easy to spoof MAC's, I don't think that you can even reliably connect MAC addresses to a computer (at least in the cases where geeks are around), let alone an IP address to a computer.

    So what you're saying is that a mischievous user at a university could hop on to the wireless network in the administrative building and assume the President's MAC address, and then proceed to make egregious copyright violations, and there would be mass panic and confusion when the RIAA letter came in?

    That would be bad, m'kay?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  96. Total certainty - and MAC addresses by Skapare · · Score: 3, Insightful

    They can tie an IP address to a MAC address, although with less than total certainty. But, depending on how the network is wired, there is also no total certainty in tying a MAC address to a specific ethernet controller (and hence to a student). If their network is ethernet technology based, a MAC address can "float" from one port to another, even if there is a time delay in that from a switch flushing its cache.

    All someone has to do is know the MAC addresses of other computers in the LAN. This can be known by sending IP packets to each of the addresses in the subnet, and checking what MAC addresses respond (and seen in the local ARP table). By scanning this network periodically, they can discover which computers get turned off or unplugged. As soon as that happens, the MAC address of the computer no longer responding is fed over to another computer which has an ethernet controller which allows substituting the MAC address by software. That other computer then assumes the MAC address and its associated IP address. Most ethernet switches will eventually associate that MAC address with a new port. Usually I see that happening within 3 to 10 seconds (the computer on the new port has to be sending ethernet frames with that MAC address as the source, plus some other computer trying to send ethernet frames to that MAC address). In the worst case I've seen it took 2 minutes for the switch to figure out where the MAC address "moved" to.

    Once the switch associates the MAC address with a new port, the computer there can do whatever they want there and it will be known under the original MAC and IP addresses.

    There are means to prevent this. But would these means be implemented and deployed? One is for the switch to be configured to disallow a MAC address to move to another port. But that can make life difficult for students in dorms, where students with laptops, and even students with towers, are known to gather in one room, or a commons area, to work on things together with multiple computers (whether it is class work or otherwise). Another possibility is for the switch itself to log any port changes. That would at least reveal which dorm room a given MAC was "stolen" from. A more secure network would force all communications through an encrypted tunnel within the ethernet infrastructure, but this would be costly, impact performance, and require special drivers and/or proxies.

    Imagine a plot of degree of security vs. cost. As you get close to 100% security, the cost begins to rise dramatically. At some point the cost of more security exceeds the potential loss due to that security not being 100%. Of course the **AA's would like to see their own losses figured into that, and without them having to pay for the extra security. The reality is, most schools will not achieve 100% security on their networks, and aside from the issue of piracy, will not be concerned with it. It's the same as the issue of how well do you secure your home from burglars. For most people it's just not worth tens of thousands of dollars in security equipment to protect tens of thousands of dollars of property. People like Bill Gates would certainly have a lot more security at home. But he's the exception. I'd expect the restricted areas of government intelligence agencies to have far more network security than any college or university.

    So what it comes down to is, even the one and only student named as the user of a given MAC/IP combination, and even if their own computer was kept perfectly secure, may be just as much a victim of someone else doing the piracy, as the content owners are. And we know from history, the **AA's don't really care about making sure they have the true pirate.

    If they would like to see the schools achieve 100% total security, maybe they should pay for it. Of course they don't want to. They want someone else to pay for maintaining their profit margins, even if that means raising taxes and/or tuition.

    --
    now we need to go OSS in diesel cars
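The port-change logging suggested in the comment above, sketched as an added example (not part of the original post and not any switch vendor's log format): it reads constructed "time MAC port" learn events, reports each MAC that turns up on a different port, and flags ports that learn several MACs in a short window. Port names, addresses, thresholds and function names are assumptions made for illustration.

```python
"""Flag MAC addresses that change switch ports, from constructed learn events."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

# Constructed events: UTC time, source MAC learned, port it was learned on.
SAMPLE_EVENTS = """\
2008-05-01T20:00:00Z 00:11:22:33:44:01 dorm-a/port-12
2008-05-01T20:00:05Z 00:11:22:33:44:02 dorm-a/port-13
2008-05-01T22:30:00Z 00:11:22:33:44:01 dorm-b/port-07
2008-05-01T22:31:00Z 00:11:22:33:44:0A dorm-b/port-07
2008-05-01T22:40:00Z 00:11:22:33:44:0b dorm-b/port-07
2008-05-02T08:00:00Z 00:11:22:33:44:01 dorm-a/port-12
"""

Move = namedtuple("Move", "mac old_port new_port last_seen_old first_seen_new")


def parse_events(text):
    """Return (time, mac, port) tuples in time order, MACs lower-cased."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, mac, port = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, mac.lower(), port))
    return sorted(events)


def find_moves(events):
    """Record every time a MAC is learned on a port other than its last one."""
    last = {}   # mac -> (port, time last learned there)
    moves = []
    for ts, mac, port in events:
        if mac in last and last[mac][0] != port:
            old_port, old_ts = last[mac]
            moves.append(Move(mac, old_port, port, old_ts, ts))
        last[mac] = (port, ts)
    return moves


def crowded_ports(events, window=timedelta(minutes=15), limit=2):
    """Ports that learned more than `limit` distinct MACs within `window`.

    Returns {port: largest number of distinct MACs seen in any window}.
    """
    by_port = defaultdict(list)
    for ts, mac, port in events:
        by_port[port].append((ts, mac))
    flagged = {}
    for port, seen in by_port.items():
        most = 0
        for i, (start, _) in enumerate(seen):
            macs = {m for t, m in seen[i:] if t - start <= window}
            most = max(most, len(macs))
        if most > limit:
            flagged[port] = most
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for mv in find_moves(events):
        print(f"{mv.mac} moved {mv.old_port} -> {mv.new_port} "
              f"at {mv.first_seen_new.isoformat()}")
    for port, count in crowded_ports(events).items():
        print(f"{port} learned {count} MACs within 15 minutes")
```

A reported move is a lead to check, not a finding: as the comment notes, laptops carried to another room produce the same record.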
  97. Read Ray's Blog by Nom+du+Keyboard · · Score: 1

    It's worth noting that there are some great comments on Ray's blog (link in the summary) that don't appear to have made it to Slashdot. Worth reading for those of you with an intense interest in all this RIAA foolishness.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  98. Re:What a congressman costs...EFF/ACLU by Nom+du+Keyboard · · Score: 1

    I think I need to make another donation to the EFF and to the ACLU. Those organizations might be our only hope.

    Too bad both of them have pissed me off so badly in the past.

    The ACLU over the Second Amendment and their insanely restrictive view of the separation of church and state.

    The EFF over their stand in the Michael Savage versus CAIR case.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  99. Re:And all this time, I thought it would be diffic by hyades1 · · Score: 1

    Thanks...phony abbreviations aside, that really DID make me laugh out loud.

    Cheers!

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  100. No they didn't. by mindstrm · · Score: 1

    What they said was that in some of the requested users, they cannot provide a single user, and are not sure of the ramifications of providing larger scoped lists of possible users in light of OTHER laws they have to adhere to, so they would like further discussion and guidance from the judge before proceeding.

  101. Given the plaintiffs' strategy by magus_melchior · · Score: 1

    ... even if they were somehow able to definitively identify someone based on MAC and IP addresses, that evidence still can only be extracted using the unconscionable end-run around the intended purpose of federal court procedures. If such use of those procedures in John Doe suits is stopped by a judge, they won't even see the MAC addresses unless they wiretap the ISP.

    --
    "We are Microsoft. You shall be assimilated. Competition is futile."
  102. Re:What, me change MAC address? I wouldn't do that by vrmlguy · · Score: 1

    That's more than a little disturbing. That, or a great route to corporate espionage (I'm betting it'd be trivially easy to install keyloggers in your average corporate office, particularly given how small and discreet those things are). Not to mention the fun a disgruntled employee could have...

    1) Install hardware key logger on your own computer.
    2) Wait for someone from desktop support to log in for some reason.
    3) Profit! (Or at least install all that stuff that requires admin rights.)

    --
    Nothing for 6-digit uids?
  103. Re:What, me change MAC address? I wouldn't do that by Eil · · Score: 1

    Actually, a MAC address is more permanent than an IP. Except in very rare cases, a MAC address stays the same on a particular network device no matter what network it's connected to nor where the device is physically located.

    There's nothing saying it can't be spoofed by those knowledgeable enough to do so, though, which is what I presume you were getting at.

  104. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    Get your ass kicked for talking like a moron much?

    Hardware Keylogger: $30. Ebay.

    Inexpensive, easy to get.

    Not to mention, asking stupid college kids for their password over the phone would probably have about a 75% success rate.

  105. Fear & Loathing on the Internet by catdevnull · · Score: 1

    Our unnamed university uses Cisco Clean Access which registers every MAC address to a particular user. If the RIAA/MPAA were to subpoena that information from us, we'd not have the luxury to make that argument. We make a point to tell our students this and it has somewhat reduced the number of nasty cease and desist letters. (I think they've found other solutions like "Tor" to keep themselves anonymous).

    We have a visitor wireless network that is the preferred "anonymizer" for students. The networking guys throttled this network to make P2P sharing a total pain although many students use it.

    It's kind of a shame because there are plenty of legit uses for P2P sharing but the overwhelmingly negative reputation for them is for piracy.

    It's funny how the RIAA/MPAA lawyers throw the book at people and basically blackmail them into a settlement but when one of their goons totally brings down a media company with a DoS, they pretend they didn't break federal laws.

    --

    I might know what I'm talkin' about, but then again, this is Slashdot...
  106. Re:What, me change MAC address? I wouldn't do that by clone53421 · · Score: 2, Insightful

    The hard-coded MAC address in a network adapter is simply a number that's guaranteed to be different from every other hard-coded address in every other adapter; in other words, it's a matter of convenience. It allows the software to use an address that should avoid conflicts with other machines. It's still nothing more than a recommended value, and using a different value is hardly drastic. "Spoofing", although I kind of like the term, makes it sound more drastic than it really is (maybe that's why I like it). Oh well...

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  107. Re:First post! by Anonymous Coward · · Score: 0

    Some of us get 15 mod points at once!

  108. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  109. Maybe I just listen by Skapare · · Score: 1

    Maybe I just listen to songs online. Maybe I listen just long enough to figure out which album, band, or song I like or dislike, and go buy the CD of the ones I like. BTI (before the internet), people had to choose albums based on slick marketing and faux cover art. Nowadays, people can hear just what is on the album by sampling what's online. This really does result in fewer album sales, and the RIAA members hate that. Their business model was based on people buying way more than they really wanted to keep. Just look at the efforts they have made to stop people from selling the CDs they bought (through used CD stores).

    --
    now we need to go OSS in diesel cars
  110. Re:About the only way to ensure who's doing what.. by Skapare · · Score: 1

    This still requires using an authenticated tunnel to maintain the user login state, rather than the traditional IP-over-media routing. That means a lot of servers the school has to deploy to hash all the bandwidth the students are using. This is a high cost for that last one percent of bandwidth. The school's basic concern is stolen bandwidth (at the cost of their infrastructure and upstream pipe). Once that cost is below the cost of security to decrease the loss, they are at the sweet point. The {RI,MP}AA want schools to expend much greater costs which do not benefit the school, but without paying the school for it. Maybe in the future these shysters might get something like that into law. But today, schools generally do not have 100% authentication of bandwidth used simply because it is not economical to do so. And as soon as schools are forced to pay this cost, we will see higher tuition, higher taxes, and some schools completely shutting off internet access.

    Someone broke into my house and stole property. Maybe the local police should be required to keep track of every vehicle and person who has traveled on the road in front of my house, and retain these records for at least 10 days.

    --
    now we need to go OSS in diesel cars
  111. Arp by blackjackshellac · · Score: 1

    I have this vision of the RIAA lawyers as a group of seals clapping their fins and barking, "arp, arp, arp, arp".

    not sure why.

    --
    Salut,

    Jacques

    1. Re:Arp by NewYorkCountryLawyer · · Score: 3, Insightful

      I have this vision of the RIAA lawyers as a group of seals clapping their fins and barking, "arp, arp, arp, arp". not sure why.

      I think of them more as hyenas, vultures, or wild dogs.

      --
      Ray Beckerman +5 Insightful
    2. Re:Arp by mdenham · · Score: 1

      I have this vision of the RIAA lawyers as a group of seals clapping their fins and barking, "arp, arp, arp, arp". not sure why.

      I think of them more as hyenas, vultures, or wild dogs.

      On behalf of hyenas, vultures, and wild dogs, I'm insulted.

  112. 10:5E:01:AA by CBravo · · Score: 1

    that would be 2C:00:1B:AB:E5 or look for more combinations here:
    http://www.nsftools.com/tips/HexWords.htm

    --
    nosig today
  113. Re:What, me change MAC address? I wouldn't do that by HTH+NE1 · · Score: 1

    "Spoofing", although I kind of like the term, makes it sound more drastic than it really is (maybe that's why I like it).

    Unfortunately juries can't get over the silliness of the word and don't believe it enough to give them reasonable doubt. They'd understand that a machine can be configured to lie about its identity to frame someone else, but calling it "spoofing" makes it laughable, so that defense fails.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  114. There are lots of precise answers... by Anonymous Coward · · Score: 0

    I don't know about the "legally speaking" part, but in purely technological terms, those have pretty easy answers:

    > What, exactly, legally speaking, is a 'website'?

    All files available from a particular domain. Note that multiple, distinct websites may be served from a single computer, that a single person can own many different websites, and that multiple domains can be aliases for the same website.

    > Where does one 'website' end and another begin?

    At the boundaries of what is served by that domain, with exceptions for websites that act as proxies and solicit the content from other webservers.

    > How does a 'site' differ from a 'page', if at all?

    A page is the content addressed by a single URL. The site is a collection of all pages served from a given domain, subject to the caveats above. Website and site are synonyms, as are page and webpage, unless otherwise qualified (does anyone even have a gopher page these days?).

    > Is a 'forum' part of a 'website', or only attached to it?

    It's a part of it, even though the posts were made by various authors.

    > Is there, as the media often says, a 'file sharing website' called 'BitTorrent' on which pirates trade music?

    No. There's a BitTorrent protocol, and there's a website called bittorrent.com, but the two are different entities. There are many 'bittorrent sites' which serve torrent files. These files reference computers called 'trackers' that keep track of people using the bittorrent protocol, to the best of their knowledge, that are sharing pieces of the file(s) the torrent file enables them to share.

    The tracker's information is not always reliable, though, for many different reasons, and you cannot take the tracker's word for it that someone is actually a part of any given 'swarm' or 'torrent' (the group of all computers sharing pieces of a given torrent).

    Strictly speaking, the torrent sites only offer torrents, which are almost always created (and therefore copyrighted) by their users. The files the torrent enables others to download, however, may have any copyright status. While the use of torrents to share pirated content is not uncommon, the bittorrent protocol is often used to share legal content that could not otherwise be made available.

    > What exactly is this 'Web' thing anyway, and how is it distinct from the 'Internet', if at all?

    The web is one part of the internet. The web consists only of web pages, which are HTML files communicated via the http and https protocols. The internet is more expansive, including the web and everything else connected to the largest worldwide computer network we call the internet. Many computers transmit information via FTP, BitTorrent, and other means. These information channels are not part of the web, strictly speaking, even though the web may be used during some protocols (e.g. BitTorrent files are commonly available from websites, even though the actual distribution of the content referenced by the BitTorrent file happens using the BitTorrent protocol).

    > A lot of terms bandied about in common parlance regarding Internet services are very vague, and I'm glad to hear of judges demanding that they be defined clearly and unambiguously when in court.

    And I'm hoping they get the right definitions, so that they don't come to ridiculous conclusions from reasoning carefully about some of the absurd misinformation they've been given by the RIAA :-(

  115. Re:What, me change MAC address? I wouldn't do that by xeoron · · Score: 1

    Does tying them together like that defeat the following: but some motherboard BIOSes let you change the MAC address of an embedded NIC, thus tricking the booting OS into believing the software encoded MAC address is the hardware encoded one.

  116. DHCP logs are no proof by mysidia · · Score: 1

    1. Sniff broadcast arp traffic for a bit, to find another active user's MAC address.
    2. Change your MAC address to target user's
    3. Request an IP from the DHCP server (using other user's MAC address)
    4. Change your MAC to something else
    5. Bind obtained IP to the interface
    6. ???
    7. Profit
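
Added example (not part of the thread or of any poster's code): a defender's cross-check of DHCP lease records against ARP observations, flagging an IP that answers from a MAC other than the one its lease was issued to, which is the inconsistency the steps above would leave behind. All addresses, timestamps and record layouts are constructed for illustration; the flags decode the multicast and locally-administered bits of the first MAC octet.

```python
from datetime import datetime

# Constructed sample data (not from Tufts or any real network).
# DHCP lease log: (lease start, lease end, IP, MAC the lease was issued to)
DHCP_LEASES = [
    ("2008-05-01 09:00", "2008-05-01 17:00", "10.0.5.20", "00:1b:63:aa:10:01"),
    ("2008-05-01 09:05", "2008-05-01 17:05", "10.0.5.21", "00:16:cb:bb:20:02"),
    ("2008-05-01 18:00", "2008-05-02 02:00", "10.0.5.20", "00:19:e3:cc:30:03"),
]
# ARP observations from a router or sensor: (time seen, IP, MAC answering for it)
ARP_SEEN = [
    ("2008-05-01 10:00", "10.0.5.20", "00:1b:63:aa:10:01"),  # matches its lease
    ("2008-05-01 11:30", "10.0.5.21", "02:de:ad:be:ef:01"),  # lease held by another MAC
    ("2008-05-01 17:30", "10.0.5.20", "00:1b:63:aa:10:01"),  # lease already expired
    ("2008-05-01 19:00", "10.0.5.20", "00:19:e3:cc:30:03"),  # matches the later lease
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def mac_flags(mac):
    """Decode the two low bits of the first octet of a MAC address."""
    first = int(mac.split(":")[0], 16)
    names = ((0x01, "multicast"), (0x02, "locally-administered"))
    return [name for bit, name in names if first & bit]

def lease_holder(ip, when):
    """Return the MAC whose lease on `ip` covers time `when`, or None."""
    for start, end, lease_ip, mac in DHCP_LEASES:
        if lease_ip == ip and ts(start) <= when < ts(end):
            return mac.lower()
    return None

def audit(arp_seen):
    """Classify each ARP observation against the DHCP lease log."""
    findings = []
    for seen, ip, mac in arp_seen:
        holder = lease_holder(ip, ts(seen))
        if holder is None:
            verdict = "no-lease"      # IP in use with no lease covering that time
        elif holder == mac.lower():
            verdict = "consistent"    # ARP and DHCP agree
        else:
            verdict = "mismatch"      # IP answered by a MAC the lease was not issued to
        findings.append((seen, ip, mac, verdict, mac_flags(mac)))
    return findings

if __name__ == "__main__":
    for row in audit(ARP_SEEN):
        print(row)
```

A "mismatch" or "no-lease" row shows only that the two records disagree for that moment; it does not say which machine or person was behind the address.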
  117. Um, what? by Estanislao+Martínez · · Score: 1

    [A website is] all files available from a particular domain. Note that multiple, distinct websites may be served from a single computer, that a single person can own many different websites, and that multiple domains can be aliases for the same website.

    Just because you say so, Mr. I-Decide-What-The-Hell-Words-Must-Mean? So I guess that all these years I've been wrong to think that all those Geocities accounts were separate websites, when in fact, they are all the same site!

    Come to think of it, actually, I once got a Geocities account on the basis of representations, made by Geocities, that such an account constituted a "website." Can I now sue Geocities for misrepresentations, or can they be otherwise penalized by making such misrepresentations to customers?

    The term "website" has no more of a definite sense than "book." Is the Bible one book, many books, or both? Is the OED one book, or many books? What about a one-volume edition of the collected works of Shakespeare?

  118. Remember, kids: classifications are contextual by Estanislao+Martínez · · Score: 1

    Very few things outside mathematics or physics have an absolute carved in stone definition. This is either because there's a whole spectrum of similar things with no clear demarcation anywhere, or, simply because of limitations of human language. Law courts must take this into account and this applies when talking about the internet.

    There is a common intellectual fallacy, that we ultimately inherit from the ancient Greeks, that there is such a thing as the definite classification of all the kinds of things that exist in the world, according to their essences. One example that's in the news a lot in recent years is the (pseudo-)question as to whether Pluto is a planet or not; too much of the debate about it presupposes that there is some essential sense in which Pluto really is or is not a planet.

    We should all reject that kind of thinking, because rejecting it clears the intellectual muddle that I think you're suffering here. The problem isn't that clear demarcations cannot be made; the problem is that clear demarcations can only be made for equally clear purposes, and that the demarcations made for one purpose may not be applicable for other purposes.

    In the case of cars and vehicles, the relevant context is provided by the law in which the terms appear. In the case of court cases about "web sites," then the correct distinctions to apply for that case will depend on the body of law that the judge decides to apply to the case.

    I suspect, however, that in a lot of cases, a good judge will have to conclude that the cases brought before them don't hinge on the meaning of the term "web site." I bet you most cases really hinge over who has what control over the content that is shown to other parties over the Internet, and what responsibilities are implied by that control. In a typical blog, for example, the blog's admins have the power to publish and retract entries, and to decide how user comments are handled. Readers may or may not have the power to cause comments to be added to blog entries right away. The admins have the power to delete comments after the fact, and may have legal obligations to delete some such comments within a reasonable time after coming to learn of them.

  119. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    Maybe he didn't like that you changed it to a multicast address?

  120. Not if you have Cable phone service by Mal-2 · · Score: 1

    Cable modems equipped to also provide VoIP service have battery backup built in so that your phone still works when the power goes out (assuming of course that the upstream router's power didn't also go out). I was told this battery holds enough charge for two hours of standby (less if you're actually on the phone), though I have never tested it.

    Mal-2

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  121. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 0

    You can change your MAC in windows too, for most cards. The option is in the device properties for the hardware device.

  122. Re:What a congressman costs...EFF/ACLU by Tuoqui · · Score: 1

    Well if you like your 2nd Amendment Rights to be protected there is always the NRA to pick up the slack...

    That said, do the one or two incidents where they piss you off erase the rest of the good that they actually do?

    --
    09F911029D74E35BD84156C5635688C0
    +2 Troll is Slashdot's way of saying groupthink is confused