When Aaron Swartz Spoofed His MAC Address, It Proved He Was A Criminal; When Apple Does It, It's Good For Everyone

from the only-the-second-one-is-true dept

Whenever we write about Aaron Swartz and the criminal prosecution against him, some of our (and Aaron’s) critics scream that it was “obvious” that he knew he was up to no good, because he chose to spoof his MAC address on the machine he used to download JSTOR articles. Of course, as many people explained, spoofing a MAC address isn’t some crazy nefarious thing to do, and often makes a lot of sense. In fact, Apple recently announced that iOS 8 will have randomized MAC addresses to better protect people’s privacy. Simply speaking: Apple is making “MAC spoofing” standard. And, as the folks over at EFF are noting, this is a very good thing for your privacy.

As Cory Doctorow points out, this highlights the ridiculousness of MAC spoofing being used as evidence against Swartz, when now it’s going to be a standard feature of iPhones and iPads (and, hopefully, other device makers will quickly follow suit).

This, of course, is one of the unfortunate results when you have law enforcement folks who simply don’t understand much technology. People who actually understand both privacy and the ways you might approach problems you face on the internet recognize that things like MAC spoofing are perfectly reasonable to do at times — but such actions are twisted by law enforcement as being nefarious and dangerous because it makes it easier to “build a case” and because they don’t understand how perfectly common such actions are.



Comments on “When Aaron Swartz Spoofed His MAC Address, It Proved He Was A Criminal; When Apple Does It, It's Good For Everyone”

Scote (profile) says:

The context is different

To be fair, the context is different. Swartz was spoofing MAC addresses at a single location to gain connections he would have been denied without spoofing. Apple is rotating MAC addresses on a mobile device to make it harder for any person or company with a wifi router to track the mobile device user. So, not apples to apples. And I say that as someone who thinks Aaron Swartz was unfairly railroaded.

Scote (profile) says:

Re: Re: Context counts in criminal trials

First off, let me say I favored Aaron Swartz’s goal of liberating public domain documents. However, in a criminal trial about whether his attempts to access those documents on a network were criminal, any extra steps he used to avoid the network security could be used as evidence against him, that he was taking extra steps to get around security that was designed to stop an individual from doing what he was doing on that specific network.

It isn’t as simple as “switching MAC addresses” is criminal when Swartz did vs “switching MAC addresses” is good when Apple does it any more than “driving” is bad when someone drives away from a bank robbery, but driving is good when Google Maps drives. The context does make a difference. And if MAC address switching had been a standard feature, enabled by default by the manufacturer, on his laptop, it wouldn’t have been an issue at trial. The issue was that he specifically invoked it to get around security measures. Now, I don’t think that rose to the level of criminality alleged by the publicity happy fed, nor that it necessarily was sufficient evidence that he violated the Computer Fraud and Abuse Act, but it was evidence that he knew what he was doing wasn’t within the way the network was designed to be accessed.

Rikuo (profile) says:

Re: Re: Re: Context counts in criminal trials

“And if MAC address switching had been a standard feature, enabled by default by the manufacturer, on his laptop, it wouldn’t have been an issue at trial.”
Correct me if I’m wrong…but what I’m reading into this is that if someone does something bad with a laptop, at trial, any functionality that wasn’t present in the laptop at the time of its manufacture is deemed bad?
So let’s say I get an old laptop that at the time of manufacture has an 802.11b/g/n wifi module. I get a USB 802.11ac device, plug it in, and use that to hack into my neighbour’s 802.11ac router. Now suddenly, according to what you wrote, the fact that my laptop didn’t have ac functionality at the time of manufacture is deemed bad?

Scote (profile) says:

Re: Re: Re:2 Uh, no.

“at trial, any functionality that wasn’t present in the laptop at the time of its manufacture is deemed bad?”

No, it isn’t deemed “bad”.

The point is that if you take specific steps to avoid the security in place that can be used as evidence that you A) knew there was security in place B) that you took steps to avoid it, which can be used as evidence that C) you knew what you were doing was prohibited.

G Thompson (profile) says:

Re: Re: Re:3 Uh, no.

You are talking about intent, whereas if in fact he did that to EVERY network he accessed then it would not be intentional to the specific case at hand the mens rea breaks down since it isn’t intent since the intent is in fact the norm!

In other words if you always spoof your address because you are either paranoid or otherwise, and it seems with good reason nowadays, the intent element doesn’t hold water. Also the onus is on the prosecution that someone in your field, doing exactly the same thing with same knowledge would NOT do that always. And as anyone in the networking or security field understands that would be pulled to shreds by any capable defense.

Oh and MAC addresses aren’t for the “security” purposes you are alluding that they are for.

Rikuo (profile) says:

Re: Re: Re:3 Uh, no.

“The point is that if you take specific steps to avoid the security in place that can be used as evidence that you A) knew there was security in place B) that you took steps to avoid it, which can be used as evidence that C) you knew what you were doing was prohibited.”

Here, you aren’t defining what security is. Not very likely, but it could very well be that the neighbour’s security is the fact his router is ac (which is not very common yet), and his thinking is that since only a few people have ac wifi capability in their devices, it acts as a form of security through obscurity.
Now suddenly here I come with my laptop, I stick in my ac USB device into my laptop, and am able to access the neighbour’s router (let’s say he’s stupid enough to not have a password). Using your reasoning from above, I took a specific step to avoid his security (using an ac device), I knew the ac ‘security’ was there, thus this then means that anyone using an 802.11ac USB device has done something illegal.
Which is the problem with the mac address spoofing that is being focused on. Something that millions of IT professionals do on a regular basis, which is a basic concept (spoofing MAC address/using an ac wifi device) becomes determined bad by the court.

Beta (profile) says:

Re: Re: Re:3 Uh, no.

“[T]he point is that if you take specific steps to avoid the security in place that can be used as evidence that you A) knew there was security in place B) that you took steps to avoid it, which can be used as evidence that C) you knew what you were doing was prohibited.”

1. You’ve taken a big step back, from “criminal” to “prohibited”.
2. Step B seems superfluous; whether I know that something is prohibited or not does not depend on whether I’m doing it.
3. It’s extremely weak evidence in any case.

Anonymous Coward says:

Re: Re: Re:3 Uh, no.

“The point is that if you take specific steps to avoid the security in place that can be used as evidence that you A) knew there was security in place B) that you took steps to avoid it, which can be used as evidence that C) you knew what you were doing was prohibited.”

Like the specific step of choosing to use a device running iOS 8. It’s not like there aren’t other devices. So, usage of iOS 8 can be used as evidence that you A) knew there was security in place B) that you took steps to avoid it, which can be used as evidence that C) you knew what you were doing was prohibited.

Yeah, I see how that works.

Anonymous Coward says:

Re: Re: Re: Context counts in criminal trials

“And if MAC address switching had been a standard feature, enabled by default by the manufacturer, on his laptop, it wouldn’t have been an issue at trial.”

An ability to edit the MAC address is standard in most network utilities on Linux systems.

Anonymous Coward says:

Re: Re: Re:2 Context counts in criminal trials

“An ability to edit the MAC address is standard in most network utilities on Linux systems.”

The ability to edit the MAC address is REQUIRED for some protocols. There was a now-defunct protocol which changed the MAC address to identify the node (forgot which one it was); but there are also some modern router redundancy protocols like VRRP which share a MAC address between two (or more) routers (or hosts).

So, yeah, MAC address switching is a standard feature.

PaulT (profile) says:

Re: Re: Re:3 Context counts in criminal trials

If you use the terminal, the ability to edit the MAC is also a standard function of OSX. Depending on the NIC driver, you can also do it through your advanced network properties tab in Windows.

Of course, they’ll probably argue that simply knowing where these things are and editing them constitutes hacking, even if the OS allows you to do it with no further work from yourself…

Anonymous Coward says:

Re: Re: Re: Context counts in criminal trials

But “switching MAC addresses” is a “standard feature, enabled by default by the manufacturer, on his laptop.” He didn’t have to write any code, or hack the operating system to change the MAC address. It’s an option that is available to anyone using an off the shelf laptop.

Scote (profile) says:

Re: Re: Re:2 Context counts in criminal trials

“He didn’t have to write any code, or hack the operating system to change the MAC address. It’s an option that is available to anyone using an off the shelf laptop.”

Entering stolen passwords (not that Swartz did that) would be utilizing a “standard feature” without writing any code, too. Yet doing so would be evidence of hacking. Context matters. Changing MAC addresses isn’t inherently criminal, but if you can show that it was specifically done to avoid network security measures (and I’m using that in the broad sense) then it can be evidence that the person doing that knew they were doing something they weren’t supposed to be doing on the network.

Anonymous Coward says:

Re: Re: Re:3 Context counts in criminal trials

Okay, so you agree that the “standard feature” isn’t the reason that what Apple is doing is different than what Aaron did. Then we dive into the why Aaron did it and why Apple is doing it. In this case Apple seems much more malicious. Apple is stating that they want to avoid detection. Aaron was doing it to troubleshoot a network issue (granted, that was caused by the university).

There is nothing about a MAC address not working on a network that indicates a security reason, it’s just not working. The fact that changing a MAC address is as easy as it is, would indicate that MAC address blocking is not a security measure.

Beta (profile) says:

Re: Re: Re: Context counts in criminal trials

“[I]n a criminal trial about whether his attempts to access those documents on a network were criminal, any extra steps he used to avoid the network security could be used as evidence against him, that he was taking extra steps to get around security that was designed to stop an individual from doing what he was doing on that specific network.”

If he took steps to circumvent barriers, and those steps were of themselves criminal, then those actions were themselves criminal, not evidence about something else.

If those steps were not criminal in and of themselves, then I don’t see how taking them was evidence of anything except ingenuity (which, I’ll grant you, is being slowly criminalized).

Anonymous Coward says:

Re: Re: Re: Context counts in criminal trials

When a watch company puts an intended scratch on a device, it is DRM, preventing the watch to be sold outside of normal channels.

But, when I accidentally scratch my watch and try to get a refund, or sell it, it is illegal.

When my garage door opener stops working, and I need a new one, and I go to a competitor for a replacement door (or Arduino)… that is DRM…and illegal?

——
No, I disagree. This is called innovation and progress…and DRM is flawed.

Trails (profile) says:

Re: The context is different

“Swartz was spoofing MAC addresses at a single location to gain connections he would have been denied without spoofing. Apple is rotating MAC addresses on a mobile device to make it harder for any person or company with a wifi router to track the mobile device user.”

Nope, disagree completely. Network admins were tracking and blocking Aaron by MAC address.

Apple rotates MAC addresses to prevent tracking, a PREREQUISITE to blocking.

It’s exactly the same thing.

Bengie says:

Re: Re: Re: The context is different

He was on a publicly accessible network and accessing publicly available works. Any Joe Schmo off the street could have gone to the central office and asked for permission as this was the school’s policy.

The only thing different is he changed his MAC address and attempted to download a lot of works at once via a high speed connection that he shouldn’t have used.

Anonymous Coward says:

Re: Re: Re:2 The context is different

No. MIT has a public network and a private network. Anyone can use the public network or if you have a legit need, you can sign up for access to the private network which you have to agree to their terms of service. Apple is preventing private networks from getting access about you without agreement; Aaron either agreed to terms of service which he then ignored or used a private network without proper permission. He broke the law. You can argue that it should not be against the law but he did break the law. If you can’t do the time, don’t do the crime.

Michael (profile) says:

Re: Re: Re:3 The context is different

It is a bit more complicated than that.

What Aaron did, he was AUTHORIZED to do on a smaller scale. He had access to the system and was allowed to download the documents, but the system was designed to limit how many of them he could really get for a given time period (I don’t remember the specifics). He noticed that the system determined the limit based on the MAC address that was accessing it and he worked around that limit by rotating his MAC address.

This technical measure was, in fact, a violation of the TOS, but seems hardly worthy of prosecution for hacking.

Anonymous Coward says:

“Apple recently announced that iOS 8 will have randomized MAC addresses to better protect people’s privacy.”

While true, this is misleading. The random addresses are only used while scanning, and the usual (static) MAC is used once connected. It wouldn’t have helped Swartz bypass anything.

I hope this is just the beginning and Apple will eventually use random addresses all the time. There are 46 randomized bits, so collisions won’t be a problem until there are several million devices in the broadcast domain (and then you’ll have bigger problems than address collisions).
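
The arithmetic behind the “46 randomized bits” estimate in the comment above, as an added example that is not part of the original article or thread. It assumes the two non-random bits are the unicast/multicast and universal/local flags in the first octet of a 48-bit MAC address; the function names and sample addresses are constructed for illustration.

```python
import math
import secrets

# 48 address bits minus the two flag bits in the first octet
# (I/G: unicast vs. multicast, U/L: universal vs. locally administered).
RANDOM_BITS = 46


def random_local_mac() -> str:
    """Return a random unicast, locally administered MAC address."""
    octets = bytearray(secrets.token_bytes(6))
    # Set the U/L bit (0x02) so the address cannot collide with a
    # vendor-assigned one, and clear the I/G bit (0x01) to keep it unicast.
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)  # int() rejects non-hex digits


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, as it is on randomized addresses."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit is set (group address, never a source MAC)."""
    return bool(parse_mac(mac)[0] & 0x01)


def collision_probability(devices: int, bits: int = RANDOM_BITS) -> float:
    """Birthday-bound approximation: chance that at least two of `devices`
    uniformly random addresses in one broadcast domain are identical."""
    if devices < 2:
        return 0.0
    exponent = -devices * (devices - 1) / (2 * 2**bits)
    return -math.expm1(exponent)  # 1 - e^x, accurate for tiny probabilities


def devices_for_probability(p: float, bits: int = RANDOM_BITS) -> int:
    """Smallest device count at which the collision chance reaches `p`."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * 2**bits * math.log(1 / (1 - p))))


if __name__ == "__main__":
    mac = random_local_mac()
    print(mac, "locally administered:", is_locally_administered(mac))
    for n in (1_000, 100_000, 5_000_000):
        print(f"{n:>9,} devices -> P(collision) = {collision_probability(n):.3g}")
    print("50% collision chance at about",
          f"{devices_for_probability(0.5):,} devices")
```

A network operator can use the same U/L-bit check to tell randomized client addresses from vendor-assigned ones in DHCP or association logs.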

Anonymous Coward says:

Re: Re:

“There are 46 randomized bits, so collisions won’t be a problem until there are several million devices in the broadcast domain (and then you’ll have bigger problems than address collisions).”

Actually that’s not quite correct. Vendors are supposed to use specifically unique addresses per device, but of course this has long been forgotten. I’ve run across several instances with specifically an HP laptop and HP Desktop using the same address and crashed a vlan, as well as two Linksys routers having the same MAC Address and take out a satellite link. Most network admins in large campus situations have experienced the same, I’m sure of it. And if you’ve ever run VMware ESXi, remember to change your vCenter ID per node….

Roger Strong (profile) says:

Prosecutor Spoofing

Turnabout is fair play. The Justice Department has been doing prosecutor spoofing.

Sure, in reality the Justice Department’s prosecutors swear to uphold the law and the Constitution, base their actions on ethics, rationality and blah blah blah.

But just like “MAC spoofing is perfectly reasonable to do at times” – making your device appear like an entirely different device – it’s perfectly reasonable for the country’s Justice Department to appear to be from an entirely different country.

And so Aaron Swartz and others often get what appears to be a Justice Department that appears to be from a totalitarian dictatorship. One which also leaves the wealthy and those in the secret police untouched.

Because prosecution is so much easier when you have the power to leave the accused wondering what country they’re in.

Anonymous Coward says:

He used TCPIP and FTP through CAT5 two-way data communication cable or 2.4GHz IEEE 802.11n omni-directional mobile data connection to engage in malicious data copying and archiving with intent to distribute, and even had the audacity to store it on a NTFS Data Storage Partition to hide the evidence. He clearly knew what he was doing.

Anonymous Coward says:

Even with mac spoofing, they can still track you

Whenever it’s not connected to a wifi network, your ios device sends out beacons to every wifi network you’ve ever connected to — ie, “Network A, are you out there?” “Network B, are you out there?”

The collection of named wifi networks you’ve connected to more accurately identifies you than your mac address does, so mac spoofing does very little for that. Target uses this wifi-beacon approach, and probably does that to aggregate members of a household together.

Now, if Apple would let you delete saved info for wifis you’ve connected to in the past *even when you’re not currently connected to them*, that would be useful.

Anonymous Coward says:

Re: Even with mac spoofing, they can still track you

“Whenever it’s not connected to a wifi network, your ios device sends out beacons to every wifi network you’ve ever connected to — ie, ‘Network A, are you out there?’ ‘Network B, are you out there?’”

Does it really do that? If it’s like Android (and I’d guess it is), it’ll only send these probe requests if you added the network by its name (that is, it was a “hidden SSID” network) instead of choosing the network from the list of visible networks.

One more reason to never hide your SSID, by the way.

If you want to take a look, Wireshark has a mode where it captures raw 802.11 packets. It’s very instructive to look at the beacons and probe requests around you. Turn on your phone’s wifi while sniffing and you’ll see the probe requests.

Anonymous Coward says:

Re: Re: Even with mac spoofing, they can still track you

In fact, I just tried it with an Android phone (no Apple device nearby for me to test). The result was as I expected: a few probe requests with the “broadcast” (zero-length) SSID, followed by it connecting to a known SSID from the probe responses.

Derek Kerton (profile) says:

A Neat Trick

The problem here is the same as the misunderstanding about the East Anglia University emails the climate change scientist sent using the term “a neat trick”. The word “trick” is picked up by people outside of science in the “tricky Dick” sense, not the “solution to a math problem” sense.

Similarly, MAC spoofing is something that sounds nefarious, because of the word “spoof”, but is really just a way to get some privacy, or to get services on a second device that were provisioned for your first device.

Some people just don’t understand the use of jargon inside of a trade or community. These same people would think card players are cheating at Gin when they win a “trick”, or that they are The Donald when they play a “Trump” card.

zip says:

It's not just privacy issues

Many public wi-fi networks time-out and require users to re-login on a regular basis. This can mean that files in the process of downloading can be irretrievably lost when the wi-fi connection cuts out and switches to a login screen.

But there is an easy way around this problem. Spoofing your MAC address (and re-logging in) before starting a new download resets this clock, thereby giving you the full uninterrupted period that the “gatekeeper” software allows.

Scote (profile) says:

Re: Not really a good argument that spoofing is innocent.

What you are describing is how to spoof your MAC address so that you won’t be limited by the deliberate limitations of a free WiFi Hotspot. That really isn’t an example that demonstrates the legitimacy of MAC address spoofing but rather the opposite. If the WiFi hotspot wanted you to be able to stay logged in they wouldn’t have configured the connection the way they did.

Your advice may be practical and expedient, but it is an example that is in line with what Swartz was doing, knowingly working around deliberate limitations of the network.

zip says:

Re: Re: really a good argument that spoofing is innocent.

Using a change of MAC address to force a public wi-fi’s timed re-logins to occur earlier, when they’re most convenient for me rather than following the preset cutoff schedule (dictated by the wi-fi router setup) is an appropriate and legitimate use of MAC spoofing. It’s not cheating ‘the system’ in the slightest — in fact, it’s helping the system, by eliminating the need for me to re-download files that got cut off the first time around due to an unexpected disconnection. So I save time – and they save bandwidth – so it’s a win-win situation all around.

Scote (profile) says:

Re: Re: Re:3 Right...

Soo, tell me why you think zip is downloading so many large files through an unsecured WiFi connection that they need to spoof their MAC address to reset the connection between downloads? There are certainly legit reasons to download large files, but I have to say that I wouldn’t be surprised if zip has some reason for using public WiFi and MAC address spoofing. Zip’s explanations really aren’t the best example to suggest that there is nothing possibly nefarious about MAC address spoofing.

Beta (profile) says:

Re: Re: Re:4 Right...

There is so much wrong with your question I’m not sure where to start. According to Zip’s description, first there is no need to reset the connection, it’s just a good practice. Second, interruption can occur in any download, even if it isn’t a large file. Third, it has nothing to do with how many files (large or small) there are. Fourth, Zip’s motives for downloading these files have nothing at all to do with the problem of interruption or the solution that involves changing the MAC address. Fifth, yes indeed, Zip has “some reason” for using MAC address spoofing (a misnomer in my opinion), as Zip has explained to you at least twice, and maybe some reason for using public WiFi (as many people do or it wouldn’t exist). Sixth, if you are moving the goalposts to “nothing possibly nefarious” then no evidence will convince you and no technology, medium, practice, or hobby can ever be entirely free of sinister overtones. Seventh, simple statements of fact and clear logic don’t seem to make any impression on you, even with repetition (so I doubt that this comment will make any headway).

P.S. Sorry to take so long replying– I didn’t check this thread for replies because I honestly didn’t think you’d keep at it.

Anonymous Coward says:

The article doesn’t say what was done was illegal, just indications (or proof) that he knew what he was doing was illegal. Those are two different things.

Is hiring a lawyer when asked to speak to police? Of course not, but some police (maybe most) would wonder why you would need a lawyer if you were not guilty?

Things can be legal or illegal depending on context. A cop carrying a gun isn’t illegal, but a NJ cop was charged with unlawful possession of a handgun (her service revolver) when she got drunk and emptied it out into someone’s car.
