Tuesday, August 05, 2008

Difficulties in matching IP address to MAC address explained to Judge by Tufts University in Zomba v. Does 1-11

In a John Doe case targeting Tufts University students, in Massachusetts, the University has submitted an extensive report to Judge Gertner indicating the difficulties in matching IP addresses to MAC addresses.

The memorandum explains that the systems used for management of the University's network "were not designed to facilitate forensic investigations of user activity, but to ensure smooth operations and to manage capacity issues".

July 28, 2008, Report of Tufts University to Hon. Nancy Gertner

Commentary & discussion:

Ars Technica



Anonymous said...

From their submission:
"it is entirely possible that the date and time supplied in the subpoena are inaccurate (this has occurred on at least one occasion in the past)."

The fact that the RIAA are trying to sue IP addresses that the university's records show didn't exist speaks volumes about the accuracy of the RIAA's methods. That particular statement needs to be brought more closely to the judge's attention by the defense lawyers.

The bulk of that submission makes observations that IP addresses don't map clearly to computers and that computers don't map to individuals which is certainly crucially important and needs to be brought clearly to the judge's attention as the report does. But if MediaSentry's data is rubbish to begin with then even the best university systems aren't going to magically turn it into individuals.

That report implied that 2 out of 11 of MS' accusations were simply garbage data. It is, of course, unknowable how many more of the rest are also garbage which happened by chance to correspond with a real IP address. So that's at least an 18% failure rate from MS' IP-identifying processes. What would have been helpful is a statement by the university IT dept about how likely garbage data is of matching by chance to one of the records, i.e. if MS sends an IP and time to the university and says "who's this?", what are the chances of it actually being in use at the time? Such a statistic might be difficult to obtain, but would allow a more precise calculation of the inaccuracy rate of MS' methods.


Anonymous said...

Know you frequent /. Ray, and it's possibly been pointed out...

Even this 'evidence' supplied by the university is...trash. I can (and often do) change the MAC address of my systems with a single command. The most frequent (and legitimate) use of this is when using public wireless points at a location like Starbucks--in order to make sure they are not profiling me by my hardware address (it's like a new network card and computer every time I walk in).

"ifconfig eth0 hw [some other address]" does the trick -- as the university points out, they require registration of MAC addresses. But on nearly all TCP/IP networks (including switched networks) you can read *any* MAC address in the traffic, and it will presumably be allowed by the university (having transited the network).

All you'd have to do is wait until you saw the traffic on that address stop, and it would be yours to use (or abuse) as you wished.

This whole brief still seems like wishful thinking to me... they say they have problems, and then name a process that still doesn't properly identify the user.

Anonymous said...


I strongly believe that that would be fertile ground if a defendant were able to get discovery granted. I think that defense attorneys should try to get a response from the RIAA about how many times they were told that the IPs in question did not exist or no account could be identified. And if that's too broad, restrict it to the last X months (but don't give them a chance to cherry pick!). The Doe cases they've filed should be on the public record, and the responses from the ISPs they've gotten discovery from should have been filed with the courts, so it's not like that information doesn't exist.

IPs aren't quite like phone numbers, after all. They DO dial up a particular computer, but computers change IPs all the time. And when you sue thousands of people and your clocks aren't synchronized with the ISPs, you WILL catch a few "dolphins" in the RIAA's parlance. But when they do, they just sue them anyhow...


Anonymous said...

One more technical detail they forgot to put in the memo.

While MAC addresses usually do not change over the life of the machine, it is possible to change the MAC address on some network cards. If it is stored in EEPROM non-volatile memory, it can be changed.
I used to design network hardware, and, as a result, have designed network hardware with MAC addresses in EEPROM. It's really the only way to do it, as the address must necessarily be different for each card manufactured. The address is usually assigned and written into the card's memory during final test. Anyone with the inclination and the appropriate software can change it.

Anonymous said...


I bet there are a few more holes in their data. I noticed that once a MAC address had been validated with a username/password combo, that registration was good for 1 year. There also appears to be no limit on the number of MACs that a single username/password combo can register. Therefore:

1) How much username/password sharing is there?

2) Of those that they had valid DHCP data, the unanswered question is how many total MACs were registered with the username/password combo?

I suggest this because in almost every university environment I have ever visited in the last few years since the existence of wireless networks at these places, there is a known username/password combo you can find out from the current students that will allow you to log onto the network.

The "shared" username/password may not in fact be intended to be shared, but might have been sniffed by someone previously; MAC and password sniffing on a wireless network can be quite trivial in most cases.

The "bad" part is the student whose username/password is being shared might be blamed for this act. However, when an inspection of the username/password server is made (they did say there were logs of this), they are likely to discover hundreds or thousands of MAC addresses registered to this username/password pair.

Also, there could be sharing that was unintended. For example, I am a student and I borrow a laptop for a day. I bring it to campus and log it in. The MAC address of this machine is recorded and authorized for 1 year. Now the original owner visits the campus with the laptop and because the MAC is already registered, it "just works" from the point of view of the owner. However anything done by that owner is going to be blamed on the student that borrowed it earlier.

Bottom Line For RIAA: Even if you have a MAC address and a student name, your proof against that student might not be so strong if hundreds or thousands of other MACs are also registered with that student's username/password.

Because of the issue brought up by Peter about MACs being changeable, and also because of my desire to not leave my real MAC around other people's records, I do use a user-assigned MAC address on my wireless card, and thus would not leave my real MAC behind if I visited this campus. I have been let right in at several campuses, but I am using a well known MAC address that spells a couple of words, and these addresses were very likely registered by other students.

Wonder what their MAC log would look like if they were to grep through it looking for words like "beef" or "dead".
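
Added example (not part of the comment above and not Tufts' tooling): a small audit of a MAC registration log for the weaknesses that comment describes, namely one account holding many MACs, software-assigned addresses, and addresses that spell hex words. The log rows, the word list and the per-account threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample registration log (username, MAC); not Tufts data.
REGISTRATIONS = [
    ("student_a", "00:1b:63:aa:10:01"),
    ("student_b", "00:16:cb:00:20:01"),
    ("student_b", "de:ad:be:ef:00:01"),
    ("student_b", "02:11:22:33:44:55"),
    ("student_b", "00:1d:4f:12:34:56"),
]
HEX_WORDS = ("dead", "beef", "cafe", "f00d")  # assumed word list
MAX_MACS = 3  # assumed per-account threshold; the page states no limit


def locally_administered(mac):
    # Bit 0x02 of the first octet marks an address assigned in software
    # rather than taken from a manufacturer's block.
    return bool(int(mac.split(":")[0], 16) & 0x02)


def spells_word(mac):
    digits = mac.replace(":", "").lower()
    return any(word in digits for word in HEX_WORDS)


def audit(registrations, max_macs=MAX_MACS):
    """Summarise, per account, the signs that a MAC-to-person link is weak."""
    by_user = defaultdict(list)
    for user, mac in registrations:
        mac = mac.lower()
        if mac not in by_user[user]:
            by_user[user].append(mac)
    return {
        user: {
            "mac_count": len(macs),
            "over_limit": len(macs) > max_macs,
            "software_assigned": [m for m in macs if locally_administered(m)],
            "hex_words": [m for m in macs if spells_word(m)],
        }
        for user, macs in by_user.items()
    }


if __name__ == "__main__":
    for user, row in audit(REGISTRATIONS).items():
        print(user, row)
```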


Anonymous said...


Further on the MAC address -- back in DECnet times, the MAC address of the NIC card was always changed, to conform to the DECnet over Ethernet protocol (and to a non-globally-unique value, also).

--johnE (groklaw ID)

Anonymous said...

It's very easy to change MAC address on Windows, I just google "mac address changer" to find TMAC which changed MAC address in seconds. Link for the lazy ppl.

Anonymous said...

Does no one else see the downside of this? It supports the RIAA's application for ex parte orders, because the information, contra to Judge Kravchuk's quote "I see no reason for the court to take immediate action in this case as there is no evidence that records are about to be destroyed," clearly is being lost by delay.

Anonymous said...

If you run DECnet (which on Linux is trivial and does not interfere with TCP/IP at all) your IP address will reflect only your DECnet address (which can of course be pretty much any 16-bit number). This will happen automatically on boot and obviously tells nothing except that someone is running a DECnet package. You can also get a few interesting abilities by doing so. One of the more useful is the FAL checksum, where file copies over DECnet get checksummed end to end, giving some fault recovery that is more than normal ftp has.

Scott said...

The Slashdot article contains at least one cogent example illustrating how DHCP logs can MISidentify the user of a particular IP address at any given time. (Search for "petecarlson" to find the post.)

This single, credible example posted by an ISP employee ought to blow a big hole in the validity of any evidence provided by an ISP or by MediaSentry/SafeNet. An expert witness could use this as a seed to develop further scenarios demonstrating the unreliability of logs for identifying computers.

Anonymous said...

In regard to anonymous comments to justify Ex Parte Orders and the downside:

This is a case-by-case matter. Where the lie happened in that past case is the University had already told the RIAA lawyers they had captured the information and it would be preserved. After being so told, they filed with the Court declaring an "emergency" because the information would be soon overwritten. That was the lie. That did not happen here.

I have been watching these cases for a while and seen some of them with as many as 3 months of IP addresses lumped together in a related John Doe action. If they had done that here, guess they would not have gotten very far with only a 10 day DHCP log retention period....

I further note that even if they have a MAC address match, that does not "Prove" the person did it. Many people will "sniff" a network looking for authorized MAC addresses and use them after the original user stops.

Also, in dorm environments, the MAC address might actually belong to a wireless router which is open to all....

I am lucky to be in a district (Middle District of FL) where the RIAA has not done so well. Not only do they sever their John Doe filings here and randomly assign them but the major Cable provider here has a very short DHCP lease and logging time, such that it is nearly impossible for them to get the customer ID. And from the Cable ISP point of view, why not? What do you gain by ratting out your own customers other than making them mad??


Anonymous said...

It is curious that the university says they can identify the MAC addresses of users of their wireless access points based on IP address information. This would imply that rather than NAT-ing at the wireless access point, that the users there receive unique IP addresses at each wireless point and that these addresses are passed through the access point unaltered. Either that, or the wireless access point itself assigns IP addresses through DHCP and keeps its own log of IP and MAC addresses, meaning that any investigation of an infringer using a wireless access point would have to first have the access point identified through its IP address, and then the user from those logs. Typically wireless access points, at minimum, lose the MAC address information at that point because they must use their own MAC address for the next hop of the IP data packet. And NAT-ing is very common for wireless routers. Tufts is being very imprecise here on just how their wireless access points/routers are operating in their system overall and it would be nice for them to provide a better explanation of just which way it is.

Of course, now that Tufts admits to only a 10-day retention period of their DHCP logs this will only inflame the RIAA's arguments as to the need for expedited discovery, and calls for legislation to require keeping of these logs forever – an immense privacy violation as you will find out years down the line.

I'm certain that, were they technically savvy enough (a point of contention, to be sure), that the RIAA is a big booster of IPv6 protocol whereby each Internet device can have a permanent IP address, rather than all this DHCP and NAT stuff.

Of course, none of this actually identifies an individual.

Also DHCP log information may easily be inaccurate, although Tufts fails to point that out. Consider the following scenario:

Computer A logs onto the system and requests an IP address through DHCP. It's given that address for a 6 hour lease and that assignment is logged.

Computer A then shuts down or disconnects without releasing the leased IP address after 6 minutes.

Computer B then connects one minute later and instead of requesting its own DHCP leased IP address simply uses Computer A's IP address for the remainder of the lease, and even beyond. There would not be any problem with Computer B until the original lease expired, the IP address was returned to the pool, and eventually reused to another computer, which could be days depending on the size of the pool itself.

Don't think that college computer science students aren't smart enough to see and exploit this hole.

And none of it discusses students having routers in their own rooms that NAT many computers onto an individual IP/MAC address combination. Tufts says they have a reasonable probability that a single matched MAC address from the DHCP records identifies a single computer. This is so wrong of them to say that. Even if only a single computer was connected to the wall, it might have been running its own Ad Hoc wireless network for other computers or allowing connection sharing. Students do these kinds of things.

And of course the RIAA isn't interested at all in how imprecise the ARP data might be as long as they can sue somebody with enough pseudo-scientific "evidence" that the judge doesn't toss the individual case immediately.

At least the university recognizes the severe burden placed on any student and their family by an improper identification. I would hope that the court would as well, and not allow a zeal to pursue infringers at any and all costs override protections against unreasonable suits that all citizens "should" enjoy.

Lastly, Tufts points out that the RIAA has supplied bogus data before, and likely has done so here again – which casts ALL of their data into the Highly Questionable arena. This is something that every defense lawyer in these cases absolutely must take note of. That bad information has been supplied as attested to by this reliable source.
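
Added example (not part of the comment above or of the Tufts report): how a subpoenaed IP/time pair resolves against a DHCP lease log once clock disagreement and the retention window are taken into account. The lease rows, addresses and skew values are constructed; the 10-day retention figure is the one quoted in these comments.

```python
from datetime import datetime, timedelta

# Constructed sample lease log (not Tufts data): ip, mac, lease start, lease end.
LEASES = [
    ("192.0.2.10", "02:00:00:00:00:0a", "2008-07-01 08:00", "2008-07-01 14:00"),
    ("192.0.2.10", "02:00:00:00:00:0b", "2008-07-01 14:02", "2008-07-01 20:02"),
    ("192.0.2.11", "02:00:00:00:00:0c", "2008-07-01 09:00", "2008-07-01 15:00"),
]
FMT = "%Y-%m-%d %H:%M"
RETENTION = timedelta(days=10)  # retention period quoted in the comments


def parse(ts):
    return datetime.strptime(ts, FMT)


def attribute(ip, observed, skew_minutes, now):
    """Return (verdict, macs) for an IP/time pair taken from a subpoena.

    Every lease on `ip` that overlaps [observed - skew, observed + skew]
    is a candidate, because the accuser's clock and the DHCP server's
    clock are not known to agree.
    """
    t = parse(observed)
    if parse(now) - t > RETENTION:
        return "outside_retention", []
    skew = timedelta(minutes=skew_minutes)
    lo, hi = t - skew, t + skew
    macs = sorted({mac for lease_ip, mac, start, end in LEASES
                   if lease_ip == ip and parse(start) <= hi and parse(end) >= lo})
    if not macs:
        return "no_lease", macs
    return ("unique" if len(macs) == 1 else "ambiguous"), macs


if __name__ == "__main__":
    now = "2008-07-05 12:00"
    for ip, when, skew in [("192.0.2.10", "2008-07-01 13:58", 0),
                           ("192.0.2.10", "2008-07-01 13:58", 5),
                           ("192.0.2.12", "2008-07-01 13:58", 5),
                           ("192.0.2.10", "2008-06-20 13:58", 5)]:
        print(ip, when, f"skew={skew}m", attribute(ip, when, skew, now))
```

Even a "unique" verdict names only the machine that was issued the lease; the log cannot show whether a different machine used the address during that lease, as in the Computer A / Computer B scenario above.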


Anonymous said...

Guys, guys, guys.

Stop giving RIAA ideas. Next thing you know, they'll be lobbying Congress so that anyone buying a NIC card will also have to register a major credit card with RIAA so that they can just assess their "settlement fee" automatically without that pesky thing called evidence.

Phil Howard said...

As pointed out by an anonymous poster, the MAC address, at least on many NIC controllers, can be changed at will. Even if most hardware did not allow this, someone intending to hijack MAC addresses on a dorm based or other LAN could make sure they have one that does allow changing the MAC address. Then it is just a matter of scanning the IPs of the LAN subnet(s), collecting the visible MACs, and see which ones turn off and then assume them. The switch may take a few seconds to dump its routing cache to associate the MAC with a different port, but that is usually quick when some computer continues to send frames to that MAC address, and the hijacking computer is sending frames out with that MAC as the source.

I had to use this capability when doing development last year on an embedded device project to test the device's network behaviour.

Anonymous said...

To everyone who says this justifies ex parte discovery: You are wrong, for two reasons.

1. Tufts might preserve logs even without a court order, so that non ex parte proceedings can be used later. Somebody should ask them their policies. If so, there's no need for ex parte.
2. If not, then a timely court order is still needed only to preserve log files, not to provide the RIAA with names.


Anonymous said...

Didn't a project at ISU called the Digital Citizen propose a solution? They used products from redlambda, etelemetry and packeteer. They were able to map IP to MAC to people.

Anonymous said...

Don't forget that most routers on the market, wireless or otherwise, allow you to set the MAC address to either a clone of your computer's MAC, or a totally made-up one. This allows them to be used on Cable Modems, where the ISP ties the modem to your MAC address, therefore your computer, to prevent multiple computers using it.
- K -

Mark Kaepplein said...

Using others' MACs or IPs is not always possible. Some switches defend against ARP spoofing or poisoning with (default) 10 min. MAC timeouts and not learning on another port. Better to choose obscure vendor ID+random MACs.
Some devices also do DHCP release on shutdown to free IP for others so there is no exhaustion, no wait for lease expiry or blackout.