Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tufts Tells Judge, We Can't Tie IP To MAC Addresses

Posted by kdawson on from the we're-cooperatin'-here dept.

NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

4 of 419 comments (clear)

  1. DHCP lease logs by Ted+Freeman · · Score: 5, Interesting
    Nice job from the IT department. They say how difficult it is to extract meaningful information from the ARP cache records, but you don't need them anyway. All they would need to do is keep the DHCP lease logs. Conveniently they

    In both cases the retention notice arrived in such close proximity to the expiration of the ten day retention period of the DHCP data that we were unable to access the data before it was overwritten.

    So they used the same excuse twice - log rotation - RIAAs new enemy.

    1. Re:DHCP lease logs by TerminaMorte · · Score: 5, Interesting

      DHCP logs will only contain the IP address and MAC address; information that cannot be used to identify anything other than a machine (assuming the MAC isn't spoofed; my laptop runs macchanger -A ath0 on startup :)).

  2. IT to RIAA: by nimbius · · Score: 5, Interesting

    you're the reason we aren't keeping logs of this stuff.

    --
    Good people go to bed earlier.
  3. Re:Generally? by zugmeister · · Score: 5, Interesting

    The "Clone MAC Address" feature is there because some ISP's (Cox comes to mind) will grab the mac addy. of the first device you hook up and refuse to provide service to anything else. So when you plug your laptop straight in to check if they've turned up the line it works. Plug in your router and it's dead.

    Tech support swears they don't do this, so you have two choices: call/hold/bitch at tech support till they reset your account (locking you into your current router's MAC so you start over if you get another router) or just clone the MAC and start moving packets.