Tufts Tells Judge, We Can't Tie IP To MAC Addresses
NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
How long until it makes law?
We were recently required to explicitly keep something like 6 months' worth of call data records (although we keep many years' worth already due to customer requirements) so that wasn't such an issue.
However, if ISPs (and universities or other large organisations) were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.
Remember kids: Just because an IP address doesn't necessarily identify a person doesn't mean that copyright infringement is OK.
In both cases the retention notice arrived in such close proximity to the expiration of the ten day retention period of the DHCP data that we were unable to access the data before it was overwritten.
So they used the same excuse twice - log rotation - RIAA's new enemy.
People should understand that MAC address is no more permanent than IP address is.
Unfortunately they don't.
-- Reality checks don't bounce.
You mean judges who know meaningless jargon when they hear it, and want all terms of reference used in their courtroom to be clearly defined.
What, exactly, legally speaking, is a 'website'? Where does one 'website' end and another begin? How does a 'site' differ from a 'page', if at all? Is a 'forum' part of a 'website', or only attached to it? Is there, as the media often says, a 'file sharing website' called 'BitTorrent' on which pirates trade music? What exactly is this 'Web' thing anyway, and how is it distinct from the 'Internet', if at all?
A lot of terms bandied about in common parlance regarding Internet services are very vague, and I'm glad to hear of judges demanding that they be defined clearly and unambiguously when in court.
Real Daleks don't climb stairs - they level the building.
The universities should provide a server within campus to download music. Problem solved.
Username/password is still better than MAC or IP. Yes there are problems, but as I outline below...
Encryption much? Prevents password sniffing. The protocol that my old Uni used was, I think, something based on EAP (http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol). No more sharing a single password amongst everyone.
My own computer much? Prevents keylogging. (Not to mention, software keylogging is prevented on lab machines by locking them down and drawing the image down the network when you login. So even if you install keylogging software, if it works at all, it would only work for your login. Hardware keyloggers are expensive/hard to get.)
Brute-forced... Joking much? The password file is stored at the other end of the network, you can't just grab it. And good luck tapping in different passwords by hand, with an enforced three second delay.
I wank in the shower.
We should address the real issue here and provide sex to all students!
Corrected for you.
you're the reason we aren't keeping logs of this stuff.
Good people go to bed earlier.
Anybody have some MAC addresses from the RIAA? That way people can use those in some semi-random rotating system and they can sue themselves.
After all if the IP can be linked to the MAC, the MAC can be linked to the user, so anybody with that MAC will be guilty.
Don't fight for your country, if your country does not fight for you.
One of the IS guys at work came by, checked the number on my ethernet port, then asked if I was the f*cker that changed my MAC address to DE:AD:BE:EF:CA:FE. Yes I was. B00B1E5.
And, of course, nobody has *ever* spoofed a MAC Address ....
Invaders must die
I run an ISP which uses multiple DHCP servers on each layer2 segment. DHCP assignments are logged and kept for a month but quite frequently we get a notice of claimed infringement, spam, or malicious behavior that can't be mapped to an active DHCP assignment at the time stated in the notice. That is not to say that the claimant is making things up, rather that DHCP is not authoritative. A DHCP offer does not need to be taken and even if taken it does not need to be kept. Mac (Not MAC) users seem to have the habit of taking an IP address they have received in the past and setting it as a static IP. I don't use a Mac but this must be in the gui somewhere because it happens all the time.
A dhcp server can't match ip to mac? Oh sure why not ... if I were the RIAA's lawyer I'd say "then I'm sure you won't mind if I take a look at those logfiles, now will you?". And then accept their apology in trade for a promise not to persecute this guy personally for lying in court (2 years).
1) User 1 receives a DHCP assignment and sets it as static. They then turn off their laptop after some time.
2) Lease runs out and the address is returned to the pool.
3) User 2 requests an IP and is assigned the same IP (IP1).
4) User1 gets home and turns on their computer and starts sharing "The Wire ...".
5) User2 gets IP conflict message and repairs connection. Gets different IP (IP2) from other DHCP server.
6) HBO sends me a "Notice of Claimed Infringement" for IP1 at time X.
7) I look up who was assigned IP1 at said time and come up with user2.
Looks like we got our match.
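The misattribution in the numbered scenario above, worked through as an added example (not part of any commenter's post): a lease-log lookup alone names user2, while cross-checking against ARP sightings for the same window flags the conflict. All addresses, timestamps, server names and the idea of a polled ARP sighting list are constructed assumptions.

```python
from datetime import datetime, timedelta

T = datetime.fromisoformat

# Constructed DHCP lease log: (server, ip, mac, lease_start, lease_end).
LEASES = [
    ("dhcp-a", "10.0.0.50", "02:00:00:00:00:01", T("2024-03-01T08:00"), T("2024-03-01T16:00")),  # user1
    ("dhcp-a", "10.0.0.50", "02:00:00:00:00:02", T("2024-03-01T18:00"), T("2024-03-02T02:00")),  # user2
    ("dhcp-b", "10.0.0.77", "02:00:00:00:00:02", T("2024-03-01T19:05"), T("2024-03-02T03:05")),  # user2 after conflict
]

# Constructed ARP sightings: (ip, mac, time_seen), e.g. from periodic router ARP table polls.
ARP_SEEN = [
    ("10.0.0.50", "02:00:00:00:00:02", T("2024-03-01T18:01")),
    ("10.0.0.50", "02:00:00:00:00:01", T("2024-03-01T19:00")),  # user1 returns with the static IP
    ("10.0.0.77", "02:00:00:00:00:02", T("2024-03-01T19:06")),
    ("10.0.0.50", "02:00:00:00:00:01", T("2024-03-01T20:00")),
]

def lease_holders(ip, when):
    """MACs holding a lease on ip that covers `when` (what the DHCP log alone says)."""
    return {mac for _, lip, mac, start, end in LEASES
            if lip == ip and start <= when < end}

def macs_on_wire(ip, when, window=timedelta(minutes=30)):
    """MACs actually observed answering for ip within `window` of `when`."""
    return {mac for aip, mac, seen in ARP_SEEN
            if aip == ip and abs(seen - when) <= window}

def assess(ip, when):
    """Classify how far the lease log can be trusted for this ip and time."""
    leased, seen = lease_holders(ip, when), macs_on_wire(ip, when)
    if not leased:
        verdict = "no-lease"        # nothing in the log covers the notice time
    elif not seen:
        verdict = "uncorroborated"  # lease exists but nobody was observed using it
    elif seen == leased:
        verdict = "consistent"
    else:
        verdict = "conflict"        # someone other than the lease holder used the IP
    return {"leased": leased, "seen": seen, "verdict": verdict}

if __name__ == "__main__":
    print(assess("10.0.0.50", T("2024-03-01T20:00")))
```
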
True, but I bet that most CIS and IS students know that you CAN do it. Then it becomes a simple matter of googling. The key here is that anyone who has taken a basic networking course has enough knowledge to dispute evidence crucial to the RIAA's case. The fact the RIAA is able to continually present this evidence in a court room tells me that
1. Judges and juries do not know enough about the technology that they are ruling on.
2. The RIAA's experts are deliberately misleading the judges and juries. This is not ethical and should have consequence.
Spot on. The lack of clue within the RIAA is mind-numbing.
I suspect the RIAA knows EXACTLY what the technical facts are. But if they can still sue w/o having those get in their way, so much the better! (For them)
Remember this is law, not logic.
Before you design for reuse, make sure to design it for use.
The "Clone MAC Address" feature is there because some ISPs (Cox comes to mind) will grab the mac addy. of the first device you hook up and refuse to provide service to anything else. So when you plug your laptop straight in to check if they've turned up the line it works. Plug in your router and it's dead.
Tech support swears they don't do this, so you have two choices: call/hold/bitch at tech support till they reset your account (locking you into your current router's MAC so you start over if you get another router) or just clone the MAC and start moving packets.