Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tufts Tells Judge, We Can't Tie IP To MAC Addresses

Posted by kdawson on from the we're-cooperatin'-here dept.

NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

18 of 419 comments (clear)

  1. And the judge understood it? by Bazman · · Score: 4, Interesting

    I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?".

    http://www.theinquirer.net/en/inquirer/news/2007/05/17/judge-has-beatles-moment-over-internet

    or maybe he didnt:

    http://www.theinquirer.net/en/inquirer/news/2007/05/18/judge-didnt-have-beatles-moment-after-all

    Apparently the original story of the judge saying 'Who are the Beatles?' might be a myth anyway...

    1. Re:And the judge understood it? by bloobloo · · Score: 4, Interesting

      Judges ask questions like that in order to ensure clarity. Remember, their cases will still be sitting in archives in hundreds of years' time, potentially to be used as precedent.

      While I expect Elvis, Sinatra, The Beatles and other artists of that calibre will be known for a LONG time, at what level do you draw the line? Radiohead? S Club 7? The Cheeky Girls?

      By adding less than 30 seconds to the case by the exchange:

      "Who or what are the Beatles?"
      "A popular beat combo musical band, m'lud. "

      not only will humour be created by people saying "Oh, how ignorant judges are!", it ensures that 500 years down the line a case about cockroaches isn't confused by people pulling out the wrong information.

  2. DHCP lease logs by Ted+Freeman · · Score: 5, Interesting
    Nice job from the IT department. They say how difficult it is to extract meaningful information from the ARP cache records, but you don't need them anyway. All they would need to do is keep the DHCP lease logs. Conveniently they

    In both cases the retention notice arrived in such close proximity to the expiration of the ten day retention period of the DHCP data that we were unable to access the data before it was overwritten.

    So they used the same excuse twice - log rotation - RIAAs new enemy.

    1. Re:DHCP lease logs by TerminaMorte · · Score: 5, Interesting

      DHCP logs will only contain the IP address and MAC address; information that cannot be used to identify anything other than a machine (assuming the MAC isn't spoofed; my laptop runs macchanger -A ath0 on startup :)).

    2. Re:DHCP lease logs by Ted+Freeman · · Score: 1, Interesting
      Yes, that is all you can hope to identify people from. MAC addresses can be changed, machines can have multiple MAC addresses, people can use common access terminals or access the network through NAT / masquerading routers or use a friends computer. All this is possible but the MAC address(es) of your computer:

      When a computer is first connected to the Tufts network the user must register their MAC address with their individual username and password.

      So it is not a perfect system but it is the best they have and would "catch" most ( non/semi technical ) users.

  3. Re:What, me change MAC address? I wouldn't do that by Carthag · · Score: 3, Interesting

    At the dorm I used to live we had to authenticate our computers in order to gain access to the network, this was done via username/password combos. There were several that multiple people knew (mostly to get around bandwidth limits - you'd just jump on another account if you exceeded your quota).

    It registered the MAC address at this point, but I doubt they were actually saved, as the quota was obviously tied to the user account and not the MAC.

  4. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 3, Interesting

    And with Wifi, it's even easier (useful for these Kiosk-type nets wthat present you with a login page on first access):

    • tcpdump traffic for a while
    • chose a low-activity mac and matching IP
    • configure victim's mac and IP on your card.
    • no need to even disconnect or remove victim's computer
    • surf ahead!

    Well, occasionally you (or the victim) might get one or the other dropped connection, but in practice, this is extremely rare.

  5. IT to RIAA: by nimbius · · Score: 5, Interesting

    you're the reason we aren't keeping logs of this stuff.

    --
    Good people go to bed earlier.
  6. Re:Why? by NewYorkCountryLawyer · · Score: 2, Interesting

    For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit.

    Why? The RIAA is not a court of law or even a government agency. Surely the university would have no obligation to comply with its requests? Talking about the RIAA in these terms ("notices", "forensic") lends it unwarranted legitimacy and authority.

    That's what I want to know. Why?

    --
    Ray Beckerman +5 Insightful
  7. Well, if you can't... by Anonymous Coward · · Score: 2, Interesting

    ... then you're liable! I'm expecting the courts to come up with that simple principle. Kinda like when your car is caught speeding: identify the driver or pay the fine.

    That, of course, will make not only university LAN's but also corporate LAN's much more expensive to build. It'll also make it difficult to support multi-user machines as you'd have to tie each and every TCP connection to a user.

    And after that liability scheme collapses under its own weight, we'll be rid of the whole copyright nonsense.

  8. Re:Also by the4thdimension · · Score: 2, Interesting

    This only compounds the fact that a loghost doesn't really help whether you have it or not.

    --
    Crackin' Wise - Blogging about whatever we want
  9. What a congressman costs... by zerofoo · · Score: 3, Interesting

    The RIAA and the courts will eventually figure out that any computer forensic logs can be faked, and will not be a reliable means of identifying computer users.

    Trying to pin criminal or civil liability on someone based on DHCP logs or ARP tables is sheer stupidity. These records could easily identify multiple users - we aren't talking about DNA evidence here.

    The justice system is slow - intentionally. It will take a while before judges get the technical details of this and realize that these identification methods are unreliable.

    What worries me is that the RIAA/MPAA will buy enough of congress to legislate unique tokens for computer users and mandatory log retention. It is possible that congress will make all of us (network admins) do the dirty work for private industry. It happened in banking, and it will probably happen again.

    I think I need to make another donation to the EFF and to the ACLU. Those organizations might be our only hope.

    -ted

  10. Re:You don't have a loghost? by IceCreamGuy · · Score: 3, Interesting

    Why don't you go a step further and just assume that everyone does their illegal sharing in a virtual machine? Hell, you could change the MAC every day. The possibilities for error by tying an IP to a MAC are pretty boundless.

  11. Re:Also by ByteGuerrilla · · Score: 2, Interesting

    If I change my name via deedpoll, I'm not 'spoofing' everyone I meet from then on into referring to me with a name that isn't mine. That is my name. If I change my name and then change it back, or simply cut out the actual changing of the name and just introduce myself with a different name for a week, I've spoofed them into thinking my name is something that it isn't.

    Technologically I don't think there's a difference. If you consider intent, then you can draw a small, pretty inconsequential difference.

    --

    A block of code, sufficiently well-written, is indistinguishable from magick.

  12. Re:That's one smug grin i would love to see. by Piranhaa · · Score: 2, Interesting

    What you need to do then is restrict traffic based on IP leases.

    My ISP will refuse to let traffic pass if the IP address set is not dynamic. They require you to enable dhcp, even if you're a static customer. In rare occasions if my dhclient has acted up, my internet will no longer work.

    This not only makes administering your network easier and network safer (less chance of spoofing), but also better for your customers so they don't get conflicting IPs if someone decides to be 'naughty'.

  13. Re:Generally? by zugmeister · · Score: 5, Interesting

    The "Clone MAC Address" feature is there because some ISP's (Cox comes to mind) will grab the mac addy. of the first device you hook up and refuse to provide service to anything else. So when you plug your laptop straight in to check if they've turned up the line it works. Plug in your router and it's dead.

    Tech support swears they don't do this, so you have two choices: call/hold/bitch at tech support till they reset your account (locking you into your current router's MAC so you start over if you get another router) or just clone the MAC and start moving packets.

  14. Re:hehe by electrictroy · · Score: 2, Interesting

    I've always prefered the word "steal". It's so much more accurate (and honest). Of course if you own the CD you are ripping or burning, then it's really just copying ("I copied my CD over to my Ipod."). I try to avoid slang like "burn" or "rip", because it's just so imprecise. Can you imagine if we used that kind of slang back in the 80s:

    - "I 'ripped' an INXS tape to my Commodore=64."
    - "Awesome! 'Magnetize' me a copy onto a floppy."

    - "Wouldn't you prefer I 'etched' a record instead?"
    - "No man, etching records is so 1970s."

    --
    The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
  15. Re:You don't have a loghost? by Cramer · · Score: 2, Interesting

    You missed the point... on the wireless network, one must login to get an address. Thus, there should be records of who logged in and was given a specific address. So, they should have one and only one name for the two wireless addresses.

    Of course, if they expire those logs as fast as the dhcp logs, there's nothing to search.