Slashdot Mirror
Tufts Tells Judge, We Can't Tie IP To MAC Addresses
NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
Username/password is still better then MAC or IP. Yes there are problems, but as I outline below...
Encryption much? Prevents password sniffing. The protocol that my old Uni used was, I think, something based on http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol EAP. No more sharing a single password amongst everyone.
My own computer much? Prevents keylogging. (Not to mention, software keylogging is prevented on lab machines by locking them down and drawing the image down the network when you login. So even if you install keylogging software, if it works at all, it would only work for your login. Hardware keyloggers are expensive/hard to get.)
Brute-forced... Joking much? The password file is stored at the other end of the network, you can't just grab it. And good luck tapping in different passwords by hand, with an enforced three second delay.
I wank in the shower.
I run an ISP which uses multiple DHCP servers on each layer2 segment. DHCP assignments are logged and kept for a month but quite frequently we get a notice of claimed infringement, spam, or malicious behavior that can't be mapped to an active DHCP assignment at the time stated in the notice. That is not to say that the claimant is making things up, rather that DHCP is not authoritative. A DHCP offer does not need to be taken and even if taken it does not need to be kept. Mac (Not MAC) users seem to have the habit of taking an IP address they have received in the past and setting it as a static IP. I don't use a Mac but this must be in the gui somewhere because it happens all the time.
A dhcp server can't match ip to mac ? Oh sure why not ... if I were the RIAA's lawyer I'd say "then I'm sure you won't mind if I take a look at those logfiles, now will you ?". And then accept their apology in trade for a promise not to persecute this guy personally for lying in court (2 years).
1) User 1 receives a DHCP assignment and sets it as static. They then turn off their laptop after some time.
2) Lease runs out and the address is returned to the pool.
3) User 2 requests an IP and is assigned the same IP (IP1).
4) User1 gets home and turns on their computer and starts sharing "The Wire ...".
5) User2 gets IP conflict message and repairs connection. Gets different IP (IP2) from other DHCP server.
6) HBO sends me a "Notice of Claimed Infringement" for IP1 at time X.
7) I look up who was assigned IP1 at said time and come up with user2.
Looks like we got our match.