The life of Aaron Swartz was a great, inspiring journey, with a tragic end. When the 26 year old activist died earlier this month, he was facing serious charges in federal court, and many think that this played a key role in why he decided to commit suicide. Aaron was seen by many as a prodigy, a very intelligent person who contributed in many technological projects, including being part of the invention of RSS, something used by millions of websites, before he became a political activist, believing strongly that information ought to be free.
His troubles with the law started with the PACER incident in 2008. This was a system that held all of the US federal court documents, and which charged people for access. Since these were all in the public domain, Aaron decided that they should be available for free. He purchased access and then released for free around 20 percent of the entire database, or 18 million documents. This quickly brought an investigation from the FBI, but after two months, the case was closed, since he never broke any law. But he was not done, and last year he secretly accessed the JSTOR database, which provides research journals for a fee. He downloaded 4 million documents by hooking up a laptop in an MIT closet, and saving them on a removable hard drive.
Changing a MAC address equals fraud?
This time, the prosecutors were all over him, and he faced up to 35 years in jail, although it now appears that they were willing to make a deal for 6 months plus probation. But the key issue here is how they even managed to pile up so many charges on him that could bring such severe consequences? The main issue that prompted this was nothing more than breaking terms of services. Every major website has a link at the bottom of the page that links to a ToS, which specifies what you can and cannot do on that site. As a casual reader of this or any other site, chances are you never looked at them. Terms of services are not laws, but courts have upheld them in some cases. Still, breaking a site’s ToS usually results in being banned from the site, not going to jail for decades. So in order to push the case forward, even after JSTOR refused to press charges, prosecutors instead focused on the fact that Aaron had hidden his identity in order to add wire and computer fraud charges. Those are the charges which carry a much heavier penalty.
Let’s forget the legal side for now and simply look at the technology behind it. The key concept is that his laptop was using a fake identity. This, by itself, should send a chilling effect to many people in the technical field, whether you work in IT, as a security researcher, or you are simply a geek. Anyone who has dealt with networking before can tell you how trivial it is to change your MAC address. Many adapters offer the option right in their configuration screen, and in Windows you simply have to click a few buttons to access it:
Even if you can’t do it through a GUI, you can change a registry setting, or use one of many free tools to do the same thing. The problem here is that a MAC address is not a security issue. If you take a networking course, such as a Cisco or CompTIA certification, one of the very first things you learn in security modules is that filtering MAC addresses is a useless proposition. While those addresses are supposed to be unique for each network adapter, there are many cases where they will not be, including in virtual networks, or if someone changed the address at some point through one of those methods.
The exact same thing is true for IP addresses as well. Whether you’re supposed to use a DHCP server or set your own address in a static way, anyone can configure their adapter to use the address they want, and as long as the router accepts to route it, then it will, with no idea of who is using it. So the idea that changing your MAC or IP address equals to computer or wire fraud is very scary, since those are not authentication mechanisms; there is no security behind them. At no point should a network adapter, or any sensibly made login system, ask a user to identify itself through those means. Instead, this is why we use things like user names, passwords, public key cryptography, digital signatures, certificates, and so on.
So the bottom line is that what the prosecutors went after, the fact that changing something like a MAC address to hide the presence of a laptop is a crime, should be looked at very carefully. From the information we have, at no point did the JSTOR system ask Aaron to identify himself, and blocking access based on MAC addresses is misunderstanding what these addresses are. It’s not security, and spoofing a MAC address is not hacking — it’s a normal networking process. Even MIT itself does it. For example, if you go on the campus, you can see two publically announced wi-fi hotspots: “00:21:d8:49:98:61” and “00:21:d8:49:98:62” which correspond to “MIT” and “MIT GUEST”. However, both of these addresses actually link to the same adapter. So in effect, MIT is spoofing a MAC address. There is a very good reason in this case, and it’s to provide two virtual networks to various people, but on the technology side, it’s the exact same process.
This is why a case like this is so important, and why it never should have been allowed to go forward for so long. Technology can be complicated, especially for non-technical people. To a layman, spoofing a MAC address may seem like a case of fraud, before you realize that it was never designed that way, and that instead, it is used in many very reasonable cases. This is why authentication does not rely on these technologies, and instead use other concepts which were created for authentication. Technical people have been working on e-commerce systems for a long time, and confronting the problem of selling digital goods while making sure someone can’t copy them and then distribute them freely. There are many options, including DRM, but none of them are completely effective. Unfortunately, what it does look like is that in the case of Aaron Swartz, aggressive litigation appears to have been the solution of choice for the prosecutor’s office.