undefined | Better HN

0 pointsfreehunter13y ago0 comments

Perhaps its different for me since I work in information security, but if there's someone connected to our guest network (where we have no identity information) and their computer is misbehaving, the only recourse we have to demonstrate that they are not welcome anymore is to terminate their session and block their MAC address. There's literally no other way to get in contact with them.

I would say it's safe to assume that if your MAC address gets banned, it was for a reason. It means you're not welcome on the network anymore.

0 comments

13 comments · 3 top-level

RobAley13y ago· 6 in thread

The retort would be : If you want to be able to address me, you don't have to have an open network, you can require registration and/or other physical verification first. You have chosen to run a network where you can't identify or talk to me, you should therefore know that I won't necessarily know what you're wanting. Some places have a policy that older versions of OSes aren't permitted on the network, and you'll get booted for that. Doesn't mean that you aren't welcome after you've updated your system or changed to another PC. But you haven't told me why you booted me, so I can't know for sure that I'm not welcome again.

danielweber13y ago

But you haven't told me why you booted me, so I can't know for sure that I'm not welcome again.

Because Aaron is not an idiot, he knew exactly the reason he was being booted from the network: because he kept on abusing it to access JSTOR.

Courts, for good reason, have very little sympathy for the "duuuhhhhhh, they didn't explicitly tell me not to do that" defense for adults.

RobAley13y ago

The courts can and do, particularly when a particular crime specifies that you violate a specific placed prohibition. In Arrons case (without knowing precisely what went on), it may very well be possible to argue that he thought the banning of the mac address was e.g. a warning, an automated trip/response that the administration may not agree with in his deserving case, related to a period of overload on the system (i.e. temporary ban) etc. And the court would need to believe "beyond reasonable doubt" that none of those were the case. The courts (usually) take a common sense approach like you suggest when your argument of "duuuhhhhhh, they didn't explicitly tell me not to do that" has very little to back it (i.e. no plausible explanation of why you thought it necessary for them to explicitly say it). But backed by a reasonable, or at least feasible, alternative, the courts often side with the defendant.

freehunterOP13y ago

If you were able to access the network before, then you did something questionable, and now you're not able to access the network, I'd say that's a pretty good sign. At the very least, you should be able to guess why you were able to access the network again once your spoofed your MAC address. There are many layers of security on networks like these, and to be banned from an open network you have to be doing something you really know is questionable (even if you don't believe it's illegal or immoral).

The argument of "well I didn't know why you kept banning me" doesn't fly. After the first MAC filter, you should know you're no longer welcome, for whatever reason.

RobAley13y ago

"you should know" and "you did know beyond reasonable doubt" are two different things, particularly when it comes to prosecution.

Running open networks without explicitly communicating and agreeing terms of use with your users really does muddy the water in these cases.

nsmartt13y ago

I like this idea, but there's a problem with it. His MAC address, which is meant to be specific to a machine, was banned. The intent is clear-- "your machine is no longer welcome on our network."

RobAley13y ago

"His MAC address, which is meant to be specific to a machine"

The article (which I tend to agree with) tends to argue that a MAC address is exactly NOT that, especially in a technical sense (thus a technical user may indeed have more reason for the intent not to be "clear").

I think a better description in plain english is : A MAC address is an address that a particular interface on a particular machine asks to be identified by in a particular session.

I.E. it's not an identity of a machine, its an identity of an interface. Its not an identity assigned by the network, its an identity offered by the machine/interface itself. Its not guaranteed to be unique, or stable beyond a session.

If it was meant to be a specific identifier for a machine, we would have many technical problems on the "legitimate" side of things, think multiple network cards and virtualised machines.

There was no agreement between Arron and MIT that arron would use a particular MAC address as an indentifier on their network. Its a downside of running an open network.

maxerickson13y ago· 2 in thread

The meat of the question is how much legal weight a MAC filter should carry. To me the answer is not much. Attach the MAC filter to a simple advertisement of the network rules and it goes way up. This business about safe to assume is scary stuff.

freehunterOP13y ago

I wouldn't say it's scary. Imagine you're in a club and you start a fight. The bouncer takes you outside. Every time you try to get back in, he's standing in your way. You can come back with a disguise and get in, but without the disguise you're banned. It's safe to assume that you got thrown out because you were fighting.

A lot of the US legal system is based on reasonable belief and reasonable assumption. If an average, reasonable person would believe X, then X is the interpretation the law is likely going to take. It doesn't matter if the rule was actually supposed to be Y, X is what is being communicated and a reasonable assumption would be that X is correct.

maxerickson13y ago

I don't like the bouncer analogy. The network people surely know that the MAC filter is ineffective and no bouncer would be fooled by a fake mustache.

I agree that it is clear enough that Aaron Swartz was intentionally circumventing their attempts to keep him off the network. Where I have trouble is that any notional security mechanism is apparently enough to make the circumvention a serious crime.

I suppose where I am going is that severe penalties should be for circumventing security features, and easily altered implementation details of network hardware should not qualify as security features.

2 more replies

darkarmani13y ago· 2 in thread

> It means you're not welcome on the network anymore.

I thought it meant, that specific MAC address is not welcome anymore. Otherwise, why would you allow that person to reconnect again just because they changed their MAC address?

freehunterOP13y ago

That's a disingenuous argument and you know it. Shame on you for even pretending you believe that.

Dylan1680713y ago

No it's not. What if they blocked the MAC because they detected botnet activity? There is absolutely no desire in this case to ban the person, or even to ban the entire computer if it has multiple OSs.

There is really no way to tell just from a MAC ban what the intent is.

1 more reply

j / k navigate · click thread line to collapse

0 comments

13 comments · 3 top-level

RobAley13y ago· 6 in thread

danielweber13y ago

But you haven't told me why you booted me, so I can't know for sure that I'm not welcome again.

Because Aaron is not an idiot, he knew exactly the reason he was being booted from the network: because he kept on abusing it to access JSTOR.

Courts, for good reason, have very little sympathy for the "duuuhhhhhh, they didn't explicitly tell me not to do that" defense for adults.

RobAley13y ago

freehunterOP13y ago

The argument of "well I didn't know why you kept banning me" doesn't fly. After the first MAC filter, you should know you're no longer welcome, for whatever reason.

RobAley13y ago

"you should know" and "you did know beyond reasonable doubt" are two different things, particularly when it comes to prosecution.

Running open networks without explicitly communicating and agreeing terms of use with your users really does muddy the water in these cases.

nsmartt13y ago

I like this idea, but there's a problem with it. His MAC address, which is meant to be specific to a machine, was banned. The intent is clear-- "your machine is no longer welcome on our network."

RobAley13y ago

"His MAC address, which is meant to be specific to a machine"

I think a better description in plain english is : A MAC address is an address that a particular interface on a particular machine asks to be identified by in a particular session.

If it was meant to be a specific identifier for a machine, we would have many technical problems on the "legitimate" side of things, think multiple network cards and virtualised machines.

There was no agreement between Arron and MIT that arron would use a particular MAC address as an indentifier on their network. Its a downside of running an open network.

maxerickson13y ago· 2 in thread

freehunterOP13y ago

maxerickson13y ago

I don't like the bouncer analogy. The network people surely know that the MAC filter is ineffective and no bouncer would be fooled by a fake mustache.

2 more replies

darkarmani13y ago· 2 in thread

> It means you're not welcome on the network anymore.

I thought it meant, that specific MAC address is not welcome anymore. Otherwise, why would you allow that person to reconnect again just because they changed their MAC address?

freehunterOP13y ago

That's a disingenuous argument and you know it. Shame on you for even pretending you believe that.

Dylan1680713y ago

There is really no way to tell just from a MAC ban what the intent is.

1 more reply

j / k navigate · click thread line to collapse