
Accused of Filesharing

  • 28-09-2009 6:02pm
    #1
    Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭


    The music industry has e-mailed my boss saying that my MAC address and IP (a company wireless network) has been logged as sharing music. The e-mail was legit, it listed my correct MAC address and IP. The problem is, there has never been any music on this computer... EVER!

    Now, there is a copy of BitTorrent that I haven't used since probably 2008. It was set up not to share and it definitely didn't run in the background (at least, it was never in the process list).

    I'm thinking that someone spoofed my MAC address, got onto the wireless network and that they are responsible. The IT guys reject this, saying logs would show the traffic originating from an off-site address. Is that true or are they exaggerating to get a quick case-closed?

    Or is it possible that BitTorrent can use my computer as some kind of relay for other people's music?



Comments

  • Closed Accounts Posts: 59 ✭✭Smallcats


    I wouldn't worry about it because I don't think it's written in our law that it is illegal to share stuff through peer to peer. Correct me if I'm wrong. It's just the music industry throwing a wobbly.


  • Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭wolfric


    Demand proof with logs or it doesn't exist. If they never bothered installing monitoring software that's their issue.


  • Registered Users, Registered Users 2 Posts: 85,932 ✭✭✭✭Overheal


    Pics or it didn't happen.

    Get yourself a good lawyer all the same, but they need some strong evidence to accuse you of anything.


  • Registered Users, Registered Users 2 Posts: 159 ✭✭TeaServer


    2Scoops wrote: »
    The music industry has e-mailed my boss saying that my MAC address and IP (a company wireless network) has been logged as sharing music. The e-mail was legit, it listed my correct MAC address and IP.
    ...

    I'm curious to know how they (the Music industry) have your MAC address? Surely all they could have is the Public IP address? Does the BitTorrent Protocol transmit your MAC address in exchanged messages?

    /T


  • Registered Users, Registered Users 2 Posts: 763 ✭✭✭F-Stop


    Unless you somehow supplied the MAC address, or they are on your internal network!!! I don't see how they could have it. Could someone internally be stitching you up?


  • Registered Users, Registered Users 2 Posts: 763 ✭✭✭F-Stop


    Or what TeaServer said. And I really should have phrased it: could someone be stitching you up internally.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    They shouldn't have your MAC address as it's local to the LAN, ie - between you and your router.

    You sure it's not an internal joke from your work mates or anything?


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    The only people who should be able to see your (router/modem) MAC address are you and your ISP. Can you post up the headers of the email and we'll track it back to source?


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    FruitLover wrote: »
    The only people who should be able to see your MAC address are your ISP. Can you post up the headers of the email and we'll track it back to source?

    And that is the router interface's MAC.


  • Registered Users, Registered Users 2 Posts: 159 ✭✭TeaServer


    F-Stop wrote: »
    Or what TeaServer said. And I really should have phrased it: could someone be stitching you up internally.

    Yeah, I was going to let the OP draw that conclusion themselves. If there is an email from the 'Music industry' with your MAC address listed, it's a fake. Either the IT Dept, or a colleague/manager trying to scare you.


  • Closed Accounts Posts: 59 ✭✭Smallcats


    Let's say for whatever reason there were illegal files downloaded and your ISP reported you. Would that not be how they got it? I'm not accusing you that you did. :) 'Cause the music industry is coming down hard on the ISPs.


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    I should probably point out that I'm in the US. The e-mail was from the Recording Industry Association of America (RIAA) - they identified the IP and the port; our IT guys pinpointed my MAC address. And it's definitely not a wind-up.

    The people I work for operate a 3-strikes rule, whereby if you get caught 3 times they sell you down the river to whoever wants to prosecute, but as of right now my identity is shielded from RIAA. But I strongly resent in principle having a 'strike' when I didn't do anything. Nothing is going to happen me legally (unless my MAC gets spoofed 2 more times :eek:) but they simply won't allow me to clear my record.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    How do you mean they pinpointed your MAC address? - that's going to be fixed to your PC anyways.


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    Webmonkey wrote: »
    How do you mean they pinpointed your MAC address? - that's going to be fixed to your PC anyways.

    Well, all I know is that RIAA gave them the IP address and IP port of the filesharing, then the IT dept. identified my MAC address as the one responsible. (The MAC addresses and owners of all hardware are logged with IT before you can access the network).


  • Registered Users, Registered Users 2 Posts: 1,226 ✭✭✭blubloblu


    If indeed you weren't sharing anything, you are just another victim of the RIAA's mass litigation letters. They send out legal threats everywhere and hope that some of them hit the target. There's stories of people without computers, and printers being sued.


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    Have the IT people clarified how they tied your MAC address to the IP given? Maybe they're just going by DHCP server logs. It's entirely possible that someone else may have been using the IP you usually use at the time of the alleged file-sharing.

    Presumably they've given dates that this sharing has supposedly happened - have the IT people passed these dates on to you, and were you in fact using the current computer you're using on those dates? It might be possible that a) someone else had used the computer you're now on for sharing at an earlier date than you started to use it, b) someone else used your computer in your absence, or c) someone else used the IP you usually use (as above).

    Ask the IT guys if they have firewall or router logs from those dates too. If so, they might be able to confirm your side of the story (i.e. if they don't see any p2p-type traffic from your system).


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    FruitLover wrote: »
    Have the IT people clarified how they tied your MAC address to the IP given?

    Nope.
    FruitLover wrote: »
    Presumably they've given dates that this sharing has supposedly happened - have the IT people passed these dates on to you, and were you in fact using the current computer you're using on those dates?

    They gave me the date and time and I was connected to the network at that time but the computer was idle (I was in the same room though - definitely no one else using it then, or ever).
    FruitLover wrote: »
    It might be possible that a) someone else had used the computer you're now on for sharing at an earlier date than you started to use it, b) someone else used your computer in your absence, or c) someone else used the IP you usually use (as above).

    I am the only one with access to the computer. I think it's highly likely that someone switched their MAC address to mine and then used the same IP. But the IT dept. just stonewalls the suggestion - getting no satisfaction from them at all.
    FruitLover wrote: »
    Ask the IT guys if they have firewall or router logs from those dates too. If so, they might be able to confirm your side of the story (i.e. if they don't see any p2p-type traffic from your system).

    Thanks, will do.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    OK OP you stand accused of file sharing, so what were you sharing?

    If you walked out of a store and didn't pay for stuff they'd accuse you of stealing a list of specific items so I can't see how you can be accused of sharing anything unless there is a list of stuff and the stuff is on your PC.


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    ttm wrote: »
    OK OP you stand accused of file sharing, so what were you sharing?

    I wasn't sharing anything. They said I was sharing a Lil' Wayne album called the Weezy Effect 2. LOL. There is no music on this computer whatsoever.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    2Scoops wrote: »
    I wasn't sharing anything. They said I was sharing a Lil' Wayne album called the Weezy Effect 2. LOL. There is no music on this computer whatsoever.

    I'm sure you've searched, but if you could check with a little program called Handy Recovery 1.0, get the free original and take a look at what's been deleted on your PC.

    Problem is you should have stopped using your PC and got a forensic copy of the HDD made so if at a later stage this continued you could go back and prove there was nothing on your PC, but at this stage it's not going to prove anything (nor will not finding anything) but worth a look with Handy Recovery anyway; it does no damage and will list 99% of stuff that's ever been on your PC.

    I'd also do a search of all the common music formats just to see if anything is there. Include zip and rar files and don't forget to include system folders and hidden files and folders + subfolders in your search.

    Edit> Sorry, should have said don't put anything on your work's PC without checking if it's OK with the IT guys first; you don't want a second strike.


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    ttm wrote: »
    I'm sure you've searched, but if you could check with a little program called Handy Recovery 1.0, get the free original and take a look at what's been deleted on your PC.

    I'm fully confident that there is no music on this computer. No one else has ever owned it or even used it. Certainly not some Lil' Wayne stuff that only came out in the last year. And nothing was uploading last Thursday (the alleged time of the crime, m'lud).

    I'm more interested in finding out if someone could successfully spoof my MAC address and have all the traffic inside the network. Would there be any way to distinguish the real me from the identity thief in that situation?


  • Registered Users, Registered Users 2 Posts: 535 ✭✭✭Dorsanty


    If the machine hasn't had so much as an mp3 on it, then does the machine have its own logs that show what it was doing at that date and time? If idle for extended time could it have been in sleep/suspend mode?

    If the IT people have identified you then they have already gone through either proxy, router, or firewall logs. So definitely ask to see evidence.

    Also what p2p app is installed? Was a specific app mentioned in the accusation letter, because clients do share this info with the other peers down to version numbers too. So this info should be available from them. If your p2p app isn't equal to the one that was used, then end of.

    In any case mac spoofing is a legitimate defence especially on wireless networks unless they are the only IT crowd in town who think wireless security is 100%.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    2Scoops wrote: »
    I'm fully confident that there is no music on this computer. No one else has ever owned it or even used it. Certainly not some Lil' Wayne stuff that only came out in the last year. And nothing was uploading last Thursday (the alleged time of the crime, m'lud).

    I'm more interested in finding out if someone could successfully spoof my MAC address and have all the traffic inside the network. Would there be any way to distinguish the real me from the identity thief in that situation?

    Yeh but you don't know if someone cleverer than you is using your PC remotely so you still need to check.

    Also I can't see how anyone could spoof your MAC address if they are on the same network as you. I won't go into detail but it would confuse your network and cause connectivity issues at the very least, that's why they are unique. I could spoof your MAC address and there would be no issue as I wouldn't be going through a switch or router anywhere near you, but if I was on the same network routing would get messed up, as would any switch seeing the same MAC address on two ethernet ports - my understanding anyway.

    You don't connect on a wireless network do you?

    btw I do believe you but I've been in similar situations with email (used to work for a company that sold a forensics logging program) and found some very strange goings on


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    Dorsanty wrote: »
    If the machine hasn't had so much as an mp3 on it, then does the machine have its own logs that show what it was doing at that date and time? If idle for extended time could it have been in sleep/suspend mode?

    The computer may have timed out but I'm not certain either way. It goes into standby after 2 hours, but I can't remember when I stopped using it. And I don't know how to get logs from my system...
    Dorsanty wrote: »
    If the IT people have identified you then they have already gone through either proxy, router, or firewall logs. So definitely ask to see evidence.

    Yeah, I've asked them already, no reply yet (it's been a couple of hours - guess they're not that pushed about getting them!).
    Dorsanty wrote: »
    Also what p2p app is installed? Was a specific app mentioned in the accusation letter, because clients do share this info with the other peers down to version numbers too. So this info should be available from them. If your p2p app isn't equal to the one that was used, then end of.

    They said it was BitTorrent, and there was a copy of it installed on the computer, although unused and not running in the background. They didn't give a version number though.
    Dorsanty wrote: »
    In any case mac spoofing is a legitimate defence especially on wireless networks unless they are the only IT crowd in town who think wireless security is 100%.

    This is it - I think they're playing me for a fool because they don't want to go through the bother of finding the real culprit. Much easier to treat it as an open and shut case, and since it's only the 1st strike out of three, maybe they weren't expecting me to object.


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    ttm wrote: »
    Yeh but you don't know if someone cleverer than you is using your PC remotely so you still need to check.
    Did a full search and used Handy Recovery - no signs of any music, Lil' Wayne or otherwise!
    ttm wrote: »
    Also I can't see how anyone could spoof your MAC address if they are on the same network as you. I won't go into detail but it would confuse your network and cause connectivity issues at the very least, that's why they are unique. I could spoof your MAC address and there would be no issue as I wouldn't be going through a switch or router anywhere near you, but if I was on the same network routing would get messed up, as would any switch seeing the same MAC address on two ethernet ports - my understanding anyway.

    What if my computer had timed out, and then the spoofer connected once he saw it leave the network?
    ttm wrote: »
    You don't connect on a wireless network do you?

    I do. There are two computers at my workspace; one is connected by an ethernet cable and one by wireless. The one with the wireless connection was identified.
    ttm wrote: »
    btw I do believe you but I've been in similar situations with email (used to work for a company that sold a forensics logging program) and found some very strange goings on

    Heh heh - I can only imagine! :D


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    2Scoops wrote: »


    This is it - I think they're playing me for a fool because they don't want to go through the bother of finding the real culprit. Much easier to treat it as an open and shut case, and since it's only the 1st strike out of three, maybe they weren't expecting me to object.

    Interesting point, as the IT department could easily do a quick scan of all the systems in the place and if at the time yours was the only one they found with file sharing software then they made the rest of the evidence fit.

    If you are in a Windows Domain then the admins can just look at your C drive anytime you are connected to the network.


  • Registered Users, Registered Users 2 Posts: 7,606 ✭✭✭Jumpy


    The RIAA snooping companies can only find out the IP address of the edge device that passes you onto the network.
    Your company uses NAT. I am willing to bet on it. Unless they have logged records stating that your given private IP was communicating BitTorrent style traffic via their edge firewall/router then they are talking absolute bollocks.

    Ask them for the technical reason that they think it was you, in writing. Then get a techie to rip the reason to pieces.

    Of course if it was you, and they have a log server, then you are screwed.

    But I assume you are telling the truth.
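
Added example (not part of any post in this thread): one way to test the attribution chain discussed above, going from the complaint's public IP, port and time, through the edge device's NAT log to a private IP, and then through DHCP lease records to a MAC address. The log formats, field layout, addresses and the five-minute clock-skew tolerance are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample: NAT translations recorded by the edge firewall/router.
# start|end|private_ip|private_port|public_ip|public_port
NAT_LOG = """\
2009-09-24 14:01:10|2009-09-24 14:55:02|10.20.3.41|51413|198.51.100.7|40122
2009-09-24 16:10:00|2009-09-24 16:40:00|10.20.3.77|6881|198.51.100.7|40200
2009-09-24 19:05:00|2009-09-24 19:30:00|10.20.3.90|6881|198.51.100.7|40300
"""

# Constructed sample: DHCP leases.
# start|end|ip|mac
DHCP_LOG = """\
2009-09-24 09:00:00|2009-09-24 17:00:00|10.20.3.41|02:00:00:aa:bb:01
2009-09-24 08:00:00|2009-09-24 16:20:00|10.20.3.77|02:00:00:aa:bb:02
2009-09-24 16:21:00|2009-09-25 00:21:00|10.20.3.77|02:00:00:cc:dd:03
2009-09-24 08:30:00|2009-09-24 16:30:00|10.20.3.90|02:00:00:aa:bb:04
"""


@dataclass(frozen=True)
class Finding:
    verdict: str        # single-lease | ambiguous | no-active-lease | no-nat-record
    private_ips: tuple  # internal addresses the NAT log ties to the notice
    macs: tuple         # MACs that held a lease on those addresses at the time


def _rows(text, width):
    """Split pipe-delimited records, rejecting malformed lines."""
    for line in text.strip().splitlines():
        parts = line.split("|")
        if len(parts) != width:
            raise ValueError(f"malformed record: {line!r}")
        yield parts


def parse_nat(text):
    return [(datetime.strptime(s, TS), datetime.strptime(e, TS), pip, pub, int(pport))
            for s, e, pip, _sport, pub, pport in _rows(text, 6)]


def parse_leases(text):
    return [(datetime.strptime(s, TS), datetime.strptime(e, TS), ip, mac.lower())
            for s, e, ip, mac in _rows(text, 4)]


def attribute(public_ip, public_port, when, nat, leases,
              skew=timedelta(minutes=5)):
    """Map a notice (public IP, port, time) to internal IPs and lease-holding MACs.

    The skew window allows for clock differences between the complainant,
    the edge device and the DHCP server.
    """
    lo, hi = when - skew, when + skew
    ips = sorted({pip for s, e, pip, pub, port in nat
                  if pub == public_ip and port == public_port
                  and s <= hi and e >= lo})
    if not ips:
        # Nothing ties the notice to any internal host.
        return Finding("no-nat-record", (), ())
    macs = sorted({mac for s, e, ip, mac in leases
                   if ip in ips and s <= hi and e >= lo})
    if not macs:
        # The address was in use with no current lease (for example set
        # by hand), so DHCP records cannot name a device.
        return Finding("no-active-lease", tuple(ips), ())
    if len(ips) > 1 or len(macs) > 1:
        # The address changed hands inside the window.
        return Finding("ambiguous", tuple(ips), tuple(macs))
    # One lease, one MAC. This shows which MAC held the address; it does
    # not show which physical device was using that MAC.
    return Finding("single-lease", tuple(ips), tuple(macs))


if __name__ == "__main__":
    nat, leases = parse_nat(NAT_LOG), parse_leases(DHCP_LOG)
    notices = [(40122, "2009-09-24 14:30:00"), (40200, "2009-09-24 16:20:30"),
               (40300, "2009-09-24 19:10:00"), (49999, "2009-09-24 14:30:00")]
    for port, stamp in notices:
        result = attribute("198.51.100.7", port, datetime.strptime(stamp, TS),
                           nat, leases)
        print(port, stamp, result)
```

Only the first notice yields a clean one-MAC answer; the others show the cases raised in the thread where lease records alone cannot support an accusation.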


  • Registered Users, Registered Users 2 Posts: 535 ✭✭✭Dorsanty


    Jumpy wrote: »
    Ask them for the technical reason that they think it was you, in writing.

    +1
    Jumpy wrote: »
    Then get a techie to rip the reason to pieces.

    +2 ( I get as many votes as I want :cool: )


    Also if I had to pick people in an office who might be filesharing via bittorrent I'm afraid I'd pick the IT department workers every time. Joe Soap office worker doesn't have a clue.

    Also your IT department blows goats if they actually allow bittorrent in their network, it is designed to use up all available bandwidth. There may be legitimate reasons to use bittorrent but it shouldn't be free rein for an entire office to each download the latest ubuntu image for example.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    Dorsanty wrote: »

    Also if I had to pick people in an office who might be filesharing via bittorrent I'm afraid I'd pick the IT department workers every time. Joe Soap office worker doesn't have a clue.

    Also your IT department blows goats if they actually allow bittorrent in their network, it is designed to use up all available bandwidth. There may be legitimate reasons to use bittorrent but it shouldn't be free rein for an entire office to each download the latest ubuntu image for example.

    Can't disagree with that, so let's make up a conspiracy theory to go with it.

    Someone in IT is or was downloading stuff using BitTorrent, the **** hits the fan when the letter from the RIAA arrives so they find BitTorrent on your PC and point the finger at you.

    It could be that you were always blocked as a normal user from using BitTorrent but the IT guys added their own rules to the firewall just so they could use it themselves - hmmmmm now who do I know who has done that ;)


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    ttm wrote: »
    Can't disagree with that, so let's make up a conspiracy theory to go with it.

    Someone in IT is or was downloading stuff using BitTorrent, the **** hits the fan when the letter from the RIAA arrives so they find BitTorrent on your PC and point the finger at you.

    It could be that you were always blocked as a normal user from using BitTorrent but the IT guys added their own rules to the firewall just so they could use it themselves - hmmmmm now who do I know who has done that ;)

    I think you just blew my mind - this could go all the way up to the president! :D


  • Registered Users, Registered Users 2 Posts: 14,002 ✭✭✭✭Cuddlesworth


    Let's get some things straight here.
    • A wireless network is not secure. Certain hacks on encryption require spoofing the other person's MAC address if the network is MAC filtered, which yours from previous posts could be. You would have noticed this if you were only working on the machine at the time. A quick google will prove that to you.
    • As a company worker, I can't think why they have a wireless network with full port access to the outside, which torrents would need, and it's a huge security risk to have them open. A wireless access point with logs that could go back that far is unlikely at best considering the above.
    • Torrents share. There is no way to turn it off.

    Sounds like a lot of bull to me. I would happily call them on it. And as somebody said before in this thread, the first port of call when filesharing is reported in a company I would look at IT workers first.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    • Torrents share. There is no way to turn it off.

    Application blocking should sort that out, not too difficult on something like ISA server - have it here so might try it.

    Edit> Should have said signature blocking with an HTTP filter


  • Registered Users, Registered Users 2 Posts: 14,002 ✭✭✭✭Cuddlesworth


    ttm wrote: »
    Application blocking should sort that out, not too difficult on something like ISA server - have it here so might try it.

    Edit> Should have said signature blocking with an HTTP filter

    Ahh nothing beats nerd arguments. You want to check with two scoops if he did the above?

    Personally I don't think it would work, as any torrent-tracker would see the lack of upload and cut you off.


  • Registered Users, Registered Users 2 Posts: 16,413 ✭✭✭✭Trojan


    I'd also have a word with your union representative or HR rep, clearly stating your innocence, proof of your innocence (take a screenshot of the Handy Recovery results - it's as good as any evidence against you so far), and tell them your commitment to fighting your case to clear your name.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    Ahh nothing beats nerd arguments. You want to check with two scoops if he did the above?

    Sorry not with you on this? What would two scoops do?
    Personally I don't think it would work, as any torrent-tracker would see the lack of upload and cut you off.

    Wouldn't that be as good as blocking? Again not sure what you mean?

    I have an ISA server on my home network to keep my hand in just in case I ever get back to work in IT. I tested blocking MSN and Yahoo Messenger from these signatures a while back and that seemed to work OK so I suspect the others can be blocked up to a point.

    As far as nerd arguments go can we agree that you can block anything UNTIL someone finds a way round it ;) . If I found that I could block BitTorrent I would never say that BitTorrent would never work as someone will always find a way around it; as long as the app doesn't work from a std install, job done, most non technical users will give up. Don't give the average joe a chance to mess your network up and then chase down the few that have the knowhow.

    Next line of defence has to be network monitoring, at the most basic level you can get software to parse the network logs that give fancy graphs for management that show what users are doing. I've just created some reports from my ISA server and I can see what internal IP address has downloaded the most data (me;)) what messenger progs are in use, MSN, Xfire and which are the top ten most visited websites and that my son still spends most of his time online playing NWN etc etc. Nothing I didn't expect in the logs but if there was I could then monitor for specific traffic to see what's going on.

    There are so many logs and alerting systems on a basic Windows Domain that it's difficult to do anything without it being logged somewhere; not that many seem to know where to look or bother setting up alerts as they can be annoying. As an example if you think someone is downloading loads of pr0n then check the cached DNS lookups on your DNS server to see the domains that are being visited (only allow users to use the company's DNS server) then you can see exactly what sites users are connecting to (mess with their heads by adding your own DNS settings if you must) next do a bit of network monitoring so you can see what internal IP address is connecting to the specific IP addresses you don't want visiting.

    I'm just making the point that it's the network admin's job to lock down the network (sorry users) and then monitor it, so in the OP's case the IT dept should have known what was going on before the RIAA letter. I wouldn't be surprised if they got a doing over for allowing this to happen so if they found a scapegoat they aren't going to be providing logs to prove otherwise.

    In some cases the IT department will have a setup that logs everything on the Windows domain but not what goes on between the bells and whistles domain firewall and the actual hardware internet connection. This is also a handy spot to leave a network connection to plug in a PC for trouble shooting and testing so the IT guys can then have an unmonitored system connected to the internet, bit of a temptation not to use it ;)

    The OP might also like to check company policy and anything he signed about internet use as there is always the chance it's out of date and created long ago with no mention of p2p, file sharing or uploading files.

    I've been thinking about this..
    You would have noticed this if you were only working on the machine at the time.

    .... and trying to work out the various connection scenarios, good mental ARP and DHCP brush up and sorry to get nerdy but I think the hacker would really have to be just tooo darn clever. If he used a DHCP address then he'd get the same IP address as your PC which would leave a msg on your screen saying that there is another computer with the same IP address, so the hacker would have to provide his own IP settings, then if he uses the internet at the same time as the OP my best guess is the internet would slow down and become virtually unusable.


  • Registered Users, Registered Users 2 Posts: 14,002 ✭✭✭✭Cuddlesworth


    ttm wrote: »
    Sorry not with you on this? What would two scoops do?

    I was joking saying the odds of him actually manipulating the firewall are slim.


    ttm wrote: »
    Wouldn't that be as good as blocking? Again not sure what you mean?

    No it wouldn't. You're assuming you can block every program without a huge amount of time and effort spent finding and researching all the new versions and types of possible connections. The simple and effective solution is to block everything and allow access as they come along, rather than allow everything and desperately monitor and block as you see or know of them.

    ttm wrote: »
    I have an ISA server on my home network to keep my hand in just in case I ever get back to work in IT. I tested blocking MSN and Yahoo Messenger from these signatures a while back and that seemed to work OK so I suspect the others can be blocked up to a point.

    I haven't had the time or opportunity to play with an ISA server yet, it's on my list of things to do. Sounds like fun though.

    ttm wrote: »
    As far as nerd arguments go can we agree that you can block anything UNTIL someone finds a way round it ;) . If I found that I could block BitTorrent I would never say that BitTorrent would never work as someone will always find a way around it; as long as the app doesn't work from a std install, job done, most non technical users will give up. Don't give the average joe a chance to mess your network up and then chase down the few that have the knowhow.

    Exactly, the far more easy option of the two.

    ttm wrote: »
    Next line of defence has to be network monitoring, at the most basic level you can get software to parse the network logs that give fancy graphs for management that show what users are doing. I've just created some reports from my ISA server and I can see what internal IP address has downloaded the most data (me;)) what messenger progs are in use, MSN, Xfire and which are the top ten most visited websites and that my son still spends most of his time online playing NWN etc etc. Nothing I didn't expect in the logs but if there was I could then monitor for specific traffic to see what's going on.

    Depending on the size of the company that could become quite difficult. At over two thousand people here on machines I know quite well that nobody monitors the network. It's next to impossible. We block all external network access outside of port 80, and internal is limited to needed ports.

    ttm wrote: »
    There are so many logs and alerting systems on a basic Windows Domain that it's difficult to do anything without it being logged somewhere; not that many seem to know where to look or bother setting up alerts as they can be annoying. As an example if you think someone is downloading loads of pr0n then check the cached DNS lookups on your DNS server to see the domains that are being visited (only allow users to use the company's DNS server) then you can see exactly what sites users are connecting to (mess with their heads by adding your own DNS settings if you must) next do a bit of network monitoring so you can see what internal IP address is connecting to the specific IP addresses you don't want visiting.

    Any company worth its salt already uses third party vendor firewalls that do the above anyway and update their own lists. To do it yourself would not be cost effective.

    ttm wrote: »
    I'm just making the point that it's the network admin's job to lock down the network (sorry users) and then monitor it, so in the OP's case the IT dept should have known what was going on before the RIAA letter. I wouldn't be surprised if they got a doing over for allowing this to happen so if they found a scapegoat they aren't going to be providing logs to prove otherwise.

    Exactly, which is why I think he is being used as a scapegoat. Question is what did he do to piss them off?


    ttm wrote: »
    .... and trying to work out the various connection scenarios, good mental ARP and DHCP brush up and sorry to get nerdy but I think the hacker would really have to be just tooo darn clever. If he used a DHCP address then he'd get the same IP address as your PC which would leave a msg on your screen saying that there is another computer with the same IP address, so the hacker would have to provide his own IP settings, then if he uses the internet at the same time as the OP my best guess is the internet would slow down and become virtually unusable.

    Hack wireless encryption, spoof live MAC address, get IP address from lease, change to valid IP from end of lease range, rape company bandwidth. Doesn't seem that difficult; if time on same IP was limited and he wasn't using his second machine at that time, XP is unlikely to pick up the fact that for a brief time there were two machines on the same IP.


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    Exactly, which is why I think he is being used as a scapegoat. Question is what did he do to piss them off?

    I'm just a hapless dupe! :pac: Still no reply 24 hours after I asked for the logs...


  • Closed Accounts Posts: 2,045 ✭✭✭ttm




    Exactly, which is why I think he is being used as a scapegoat. Question is what did he do to piss them off?

    Don't think he pissed anyone off but when they were looking for a scapegoat he was the first one they found with a loaded gun, it might not have been fired but not easy for the OP to prove that.

    btw I also give the users SSL as well as HTTP, perhaps I'm too big-hearted :p


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    ttm wrote: »
    If he used a DHCP address then he'd get the same IP address as your PC which would leave a msg on your screen saying that there is another computer with the same IP address

    Nope. This will only happen if the second computer has a different MAC address (and sends at least one broadcast packet).


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    FruitLover wrote: »
    Nope. This will only happen if the second computer has a different MAC address (and sends at least one broadcast packet).

    So the DHCP server will give the same IP address to another computer with a different MAC address?


  • Registered Users, Registered Users 2 Posts: 535 ✭✭✭Dorsanty


    ttm wrote: »
    So the DHCP server will give the same IP address to another computer with a different MAC address?

    No, not until the lease is deleted or expires. But let's say his computer was in standby/suspend mode due to extended idle time. There's nothing to stop a second computer using the IP with zero communication with the DHCP server and without his computer spotting or logging a conflict.

    Only since XP I believe does Windows use 'rarp' to spot if an IP conflict exists, but it has to be on and not sleeping to do this.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    Dorsanty wrote: »
    No, not until the lease is deleted or expires. But let's say his computer was in standby/suspend mode due to extended idle time. There's nothing to stop a second computer using the IP with zero communication with the DHCP server and without his computer spotting or logging a conflict.

    Only since XP I believe does Windows use 'rarp' to spot if an IP conflict exists, but it has to be on and not sleeping to do this.

    So the hacker is there in the same room or overlooking the OP so just before the OP uses his computer they stop file sharing and this is what's been going on for long enough for the RIAA to have taken an interest?


  • Registered Users, Registered Users 2 Posts: 535 ✭✭✭Dorsanty


    ttm wrote: »
    So the hacker is there in the same room or overlooking the OP so just before the OP uses his computer they stop file sharing and this is what's been going on for so long enough that the RIAA have noticed it?

    I was under the impression the OP has this computer but doesn't use it much, seems like a second computer in the same office and the OP has a different primary computer or just doesn't use this machine much in general. I may have got that wrong though.


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    ttm wrote: »
    So the DHCP server will give the same IP address to another computer with a different MAC address?

    No, it will most likely give the same one. The OS will only prompt that another computer is using the same IP address if it sees a device with a different MAC address sending packets with the same IP address.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    Dorsanty wrote: »
    I was under the impression the OP has this computer but doesn't use it much, seems like a second computer in the same office and the OP has a different primary computer. I may have got that wrong though.

    OK then, can we agree if there was someone spoofing the OP's MAC address then they'd have to be in the same office or at least close enough to notice when the OP was going to use his system to avoid any duplicate IP address messages?

    but discuss... is just as good ;)


  • Registered Users, Registered Users 2 Posts: 535 ✭✭✭Dorsanty


    ttm wrote: »
    OK then, can we agree if there was someone spoofing the OP's MAC address then they'd have to be in the same office or at least close enough to notice when the OP was going to use his system to avoid any duplicate IP address messages?

    but discuss... is just as good ;)

    Definitely. For the spoof to work you'd need good information on when the IP/MAC was available to be used or the user of the computer would notice network disruption and no doubt some nice windows notifications.

    So rather than speculate further I'll wait to see if 2scoops ever gets some evidence that the IP assigned to his computer via DHCP was actively running a bittorrent client while it held that lease.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    Dorsanty wrote: »
    Definitely. For the spoof to work you'd need good information on when the IP/MAC was available to be used or the user of the computer would notice network disruption and no doubt some nice windows notifications.

    So rather than speculate further I'll wait to see if 2scoops ever gets some evidence that the IP assigned to his computer via DHCP was actively running a bittorrent client while it held that lease.

    I'm really only trying to blow a hole in the whole idea of spoofing a MAC address. I know it's possible, but the last couple of people I've talked to who were going on about how easy it was couldn't explain to me how to do it and couldn't even name a well known app that could do it for them.

    It is possible but then the chances of having your MAC address spoofed and having an unused copy of BitTorrent on your laptop and being in the office at the specified time start to push the odds one way. The MAC address is unproved but the IT department would have known that the OP's PC had the software installed and would have known when his laptop logged on and off the domain. Just having the software installed is all management will think about. I rest my case; sort of ;)
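
Added example (not part of any post in this thread): the two posts above turn on whether the logs show that the accused laptop held the DHCP lease and was actually logged on at the reported time. The sketch below correlates the two; all addresses, hostnames, timestamps and record layouts are constructed for illustration.

```python
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data (assumed layouts, not from the thread).
LEASES = [  # (ip, mac, hostname sent by client, lease start, lease end)
    ("10.0.0.57", "00:11:22:33:44:55", "LAPTOP-A", ts("2009-09-21 08:55"), ts("2009-09-29 08:55")),
    ("10.0.0.58", "00:11:22:33:44:66", "DESKTOP-B", ts("2009-09-21 09:10"), ts("2009-09-29 09:10")),
]
SESSIONS = [  # (hostname, domain logon, domain logoff)
    ("LAPTOP-A", ts("2009-09-24 09:02"), ts("2009-09-24 17:31")),
    ("LAPTOP-A", ts("2009-09-25 09:05"), ts("2009-09-25 12:40")),
]

def lease_at(leases, ip, when):
    """Return the lease covering `when` for `ip` (end exclusive), or None."""
    for lease in leases:
        if lease[0] == ip and lease[3] <= when < lease[4]:
            return lease
    return None

def host_active(sessions, hostname, when):
    """True if the domain saw `hostname` logged on at `when`."""
    return any(h == hostname and on <= when <= off for h, on, off in sessions)

def assess(leases, sessions, ip, mac, when):
    """Classify how far the logs support 'this machine generated the traffic'."""
    lease = lease_at(leases, ip, when)
    if lease is None:
        return "no-lease: IP was not leased at that time"
    if lease[1].lower() != mac.lower():
        return "mismatch: IP was leased to a different MAC"
    if host_active(sessions, lease[2], when):
        return "consistent: lease holder was logged on"
    # A lease can stay valid while the machine sleeps or is off-site, so a
    # lease record alone does not place the machine on the network.
    return "inconclusive: lease held but host not logged on"
```

An "inconclusive" result is the case Dorsanty describes: the lease is still valid, but nothing in the domain logs shows the machine itself was active.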


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    ttm wrote: »
    I'm really only trying to blow a hole in the whole idea of spoofing a MAC address. I know it's possible, but the last couple of people I've talked to who were going on about how easy it was couldn't explain to me how to do it and couldn't even name a well known app that could do it for them.

    It is easy and you don't need a separate app. One line should do it:
    $ ifconfig wlan0 hw ether 01:23:45:67:89:01
    


  • Registered Users, Registered Users 2 Posts: 1,845 ✭✭✭2Scoops


    Still waiting on the logs...

    Couldn't a spoofer monitor the wireless network with NetStumbler or something similar, wait for a connected computer to disconnect and then go in with the same MAC address?


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    2Scoops wrote: »
    Still waiting on the logs...

    Couldn't a spoofer monitor the wireless network with NetStumbler or something similar, wait for a connected computer to disconnect and then go in with the same MAC address?

    Lots of things are possible, just as likely as you getting any logs.

    I just don't see that the MAC address spoofing is worth the effort; if it wasn't a Wireless connection it definitely wouldn't be.

    So just how many other people are in your office that connect Wirelessly?

