Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tufts Tells Judge, We Can't Tie IP To MAC Addresses

Posted by kdawson on from the we're-cooperatin'-here dept.

NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

10 of 419 comments (clear)

  1. And the judge understood it? by Bazman · · Score: 4, Interesting

    I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?".

    http://www.theinquirer.net/en/inquirer/news/2007/05/17/judge-has-beatles-moment-over-internet

    or maybe he didnt:

    http://www.theinquirer.net/en/inquirer/news/2007/05/18/judge-didnt-have-beatles-moment-after-all

    Apparently the original story of the judge saying 'Who are the Beatles?' might be a myth anyway...

    1. Re:And the judge understood it? by bloobloo · · Score: 4, Interesting

      Judges ask questions like that in order to ensure clarity. Remember, their cases will still be sitting in archives in hundreds of years' time, potentially to be used as precedent.

      While I expect Elvis, Sinatra, The Beatles and other artists of that calibre will be known for a LONG time, at what level do you draw the line? Radiohead? S Club 7? The Cheeky Girls?

      By adding less than 30 seconds to the case by the exchange:

      "Who or what are the Beatles?"
      "A popular beat combo musical band, m'lud. "

      not only will humour be created by people saying "Oh, how ignorant judges are!", it ensures that 500 years down the line a case about cockroaches isn't confused by people pulling out the wrong information.

  2. DHCP lease logs by Ted+Freeman · · Score: 5, Interesting
    Nice job from the IT department. They say how difficult it is to extract meaningful information from the ARP cache records, but you don't need them anyway. All they would need to do is keep the DHCP lease logs. Conveniently they

    In both cases the retention notice arrived in such close proximity to the expiration of the ten day retention period of the DHCP data that we were unable to access the data before it was overwritten.

    So they used the same excuse twice - log rotation - RIAAs new enemy.

    1. Re:DHCP lease logs by TerminaMorte · · Score: 5, Interesting

      DHCP logs will only contain the IP address and MAC address; information that cannot be used to identify anything other than a machine (assuming the MAC isn't spoofed; my laptop runs macchanger -A ath0 on startup :)).

  3. Re:What, me change MAC address? I wouldn't do that by Carthag · · Score: 3, Interesting

    At the dorm I used to live we had to authenticate our computers in order to gain access to the network, this was done via username/password combos. There were several that multiple people knew (mostly to get around bandwidth limits - you'd just jump on another account if you exceeded your quota).

    It registered the MAC address at this point, but I doubt they were actually saved, as the quota was obviously tied to the user account and not the MAC.

  4. Re:What, me change MAC address? I wouldn't do that by Anonymous Coward · · Score: 3, Interesting

    And with Wifi, it's even easier (useful for these Kiosk-type nets wthat present you with a login page on first access):

    • tcpdump traffic for a while
    • chose a low-activity mac and matching IP
    • configure victim's mac and IP on your card.
    • no need to even disconnect or remove victim's computer
    • surf ahead!

    Well, occasionally you (or the victim) might get one or the other dropped connection, but in practice, this is extremely rare.

  5. IT to RIAA: by nimbius · · Score: 5, Interesting

    you're the reason we aren't keeping logs of this stuff.

    --
    Good people go to bed earlier.
  6. What a congressman costs... by zerofoo · · Score: 3, Interesting

    The RIAA and the courts will eventually figure out that any computer forensic logs can be faked, and will not be a reliable means of identifying computer users.

    Trying to pin criminal or civil liability on someone based on DHCP logs or ARP tables is sheer stupidity. These records could easily identify multiple users - we aren't talking about DNA evidence here.

    The justice system is slow - intentionally. It will take a while before judges get the technical details of this and realize that these identification methods are unreliable.

    What worries me is that the RIAA/MPAA will buy enough of congress to legislate unique tokens for computer users and mandatory log retention. It is possible that congress will make all of us (network admins) do the dirty work for private industry. It happened in banking, and it will probably happen again.

    I think I need to make another donation to the EFF and to the ACLU. Those organizations might be our only hope.

    -ted

  7. Re:You don't have a loghost? by IceCreamGuy · · Score: 3, Interesting

    Why don't you go a step further and just assume that everyone does their illegal sharing in a virtual machine? Hell, you could change the MAC every day. The possibilities for error by tying an IP to a MAC are pretty boundless.

  8. Re:Generally? by zugmeister · · Score: 5, Interesting

    The "Clone MAC Address" feature is there because some ISP's (Cox comes to mind) will grab the mac addy. of the first device you hook up and refuse to provide service to anything else. So when you plug your laptop straight in to check if they've turned up the line it works. Plug in your router and it's dead.

    Tech support swears they don't do this, so you have two choices: call/hold/bitch at tech support till they reset your account (locking you into your current router's MAC so you start over if you get another router) or just clone the MAC and start moving packets.