Using MAC Address to Uniquely Identify Computers
An anonymous reader writes "One of Australia's gaming networks, GamesArena, has recently imposed a third party program required to access their gaming servers. One of its features is that it records your NIC's MAC address to identify your computer, and subsequently in future, ban you if you cheat/break the rules etc. The response from players is mixed. It is not open source software, nor is it optional to install. "Install it or find another server to play on". Question remains, is it going too far?"
Definitely not - unfortunately it won't work since MACs are changeable.
buy a new network card (Score:5, Insightful)
Shh... (Score:1, Insightful)
Re:buy a new network card (Score:5, Insightful)
Implementing security/restrictions client side doesn't work. Period.
This will work for a while... (Score:4, Insightful)
Wireless APs like Linksys' already come with a web admin that lets you specify *any* MAC address, apparently to please some cable/adsl providers that measure traffic/authenticate (partly) based on this.
Why not provide a public key server and ask people to submit their public OpenPGP key, signed by P. Zimmermann himself? Get your identity trusted by Z. or go play somewhere else... After all, this seems to imply they want "real" players!
Open source (Score:3, Insightful)
Maybe not such a bad thing.... (Score:5, Insightful)
No, it's not going too far. The game server admins can run the server however they see fit. If you don't like the rules, don't use the server!
However, the majority of people don't know how to reset their MAC addresses. Also, as I believe to be true, some broadband providers specifically use MAC addresses to verify access. For instance, my Comcast cable modem does everything by MAC, so if I change my NIC in my machine, I need to power off/on the cable modem in order to get back through to the Internet. Although this is sort of a minor issue, some other ISPs may be more strict about MAC changes.
Overall, the admins figure they will cut out 99% of the hacking attempts as people would just go elsewhere, or once they did cheat, just wouldn't know how to change their MAC.
IPv6 == MAC address (Score:5, Insightful)
And yes, presently, you can probably change the MAC address of your system. However, once software vendors and DRM technologies and other things start locking themselves to your computer hardware, I suspect changing the MAC address would cause problems. The only thing this game company has to do when the game is installed is to lock the licence to the present MAC address so it will not run with a changed IP address without a new licence.
Re:buy a new network card (Score:5, Insightful)
ifconfig eth0 down
ifconfig eth0 hw ether DE:AD:BE:EF:BA:BE
ifconfig eth0 up
NICs are sometimes shipped with duplicate MACs (Score:5, Insightful)
Under most circumstances, this is seldom an issue since the NICs aren't likely to be deployed on the same network segment. However, when the MAC is used for other tracking services (in this case, a layer-2 NAT), you have a problem.
And of course, as others have said, most NICs permit the factory MAC to be overridden.
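The two posts above (overriding the MAC with ifconfig, and NICs shipped with duplicate MACs) point at the same weakness from both sides. The following is an added example, not part of the thread and not GamesArena's code: a server-side audit of client-reported MACs that flags addresses with the IEEE 802 "locally administered" bit set and MACs claimed by more than one account. The account names and the sample reports are constructed; a set bit is only a hint, and a clear bit proves nothing, because the value is supplied by the client.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

def parse_mac(text):
    """Return the six octets of a colon- or dash-separated MAC, or None."""
    if not MAC_RE.match(text):
        return None
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))

def mac_flags(text):
    """Classify a client-reported MAC using the two flag bits of octet 0."""
    octets = parse_mac(text)
    if octets is None:
        return {"malformed"}
    flags = set()
    if octets[0] & 0x01:
        flags.add("multicast")             # I/G bit: not a station address
    if octets[0] & 0x02:
        flags.add("locally_administered")  # U/L bit: not a vendor-assigned address
    return flags

def audit(reports):
    """reports: iterable of (account, reported_mac) pairs.
    Returns (flags per account, MACs claimed by more than one account)."""
    per_account, owners = {}, defaultdict(set)
    for account, mac in reports:
        per_account[account] = mac_flags(mac)
        octets = parse_mac(mac)
        if octets is not None:
            owners[octets.hex(":")].add(account)  # normalised lower-case form
    shared = {m: sorted(a) for m, a in owners.items() if len(a) > 1}
    return per_account, shared

# Constructed sample reports (hypothetical accounts). bob's value is the
# address used in the ifconfig post above.
SAMPLE = [
    ("alice", "00:11:22:33:44:55"),
    ("bob", "DE:AD:BE:EF:BA:BE"),
    ("carol", "00-11-22-33-44-55"),
    ("dave", "not-a-mac"),
]

if __name__ == "__main__":
    flags, shared = audit(SAMPLE)
    for account, f in flags.items():
        print(account, sorted(f) or "no flags")
    print("shared MACs:", shared)
```

A ban keyed on the shared address here would hit both alice and carol, which is the collision problem the duplicate-MAC post describes.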
Re:Oh this will be pissing people off (Score:3, Insightful)
Re:Maybe not such a bad thing.... (Score:5, Insightful)
Welcome to the digital age, where knowledge can be crystallized into programs, and where the majority of people will soon be able to reenable their access to the gaming server by running some magic program without ever knowing what a MAC address is.
Kristian
Re:buy a new network card (Score:4, Insightful)
Re:Ban the IP. (Score:3, Insightful)
Why not use internet Public Key Infrastructures? (Score:2, Insightful)
Nothing new (Score:4, Insightful)
Re:Ban the IP. (Score:2, Insightful)
MAC addresses over an IP network? (Score:2, Insightful)
Once that packet hits your internet gateway, the ethernet header containing your MAC is stripped, and an HDLC or FR packet is constructed from the ethernet payload and sent out over the WAN link.
Are they really embedding MAC addresses into the payload? This will only work if you actually have an ethernet card in your computer. So only those lucky enough to have broadband will be affected?
Re:Nothing new (Score:3, Insightful)
Details (Score:3, Insightful)
However, you can tell the OS to report a different MAC. That's what "changing your MAC" means, it doesn't actually change the MAC on the card, but it changes what the OS reports.
This is also a good example of why Palladium and trusted computing can't have just any old OS running on a computer. DRM requires complete control, not just a little bit of special software.
Re:Hurrumph (Score:3, Insightful)
Except the reason people get banned is for using cheats etc, which are distributed in the same way as information on how to change your MAC.
The first thing someone will do when they are banned is do a search on Google for "telstra banned game unban" or something, and get hundreds of hits on how to get around it.
Re:And after a firewall ? (Score:3, Insightful)
Basically, they know how easy it is to change or mask IP addresses, and how (particularly for dialup users), banning an IP can punish a lot more people than just the original offender.
So, in the mind of some idiot who failed his CSC networking class before he went to business school, he figured "Hey, MAC addresses are unique! Let's grab that, and ban based on that!"
Just like back then, he didn't do his homework. As others have pointed out:
1) These days, altering your MAC address at run-time is easy, either on your machine or at a router (which is a common component of broadband connections these days)
2) Hackers will have little trouble cracking this "closed source" program, so they can make it emit any or a random MAC address, rather than the machine's actual MAC address. This will not affect connectivity, since its use in this context has nothing to do with the actual connection to the server.
3) If all else fails, network cards are dirt cheap; cheaters/griefers that can't manage #1 or #2 will just buy another network card.
Basically, this "solution" will only keep out the stupidest and poorest grief players. Smart cheaters won't be affected; smart NON-cheaters will probably hack the thing just to show them what a bad idea it was.
I've yet to see an access control system that can't be broken or circumvented; this one doesn't even come close.
Xentax
An interesting question... (Score:3, Insightful)
Now we all know that cheating in online games is for the most part a Bad Thing (tm). We all remember the original Quake bots (my personal favorite was the StoogeBot) that required a certain measure of circumventing of built-in precautions. Generally when people were caught, they heard about it. Flames, kicks, bans, you name it.
Now we have issues of people using similar circumventions to get around copy protection instead of anti-cheating measures. I realize that this isn't exactly the same thing, but the two scenarios have a common theme: people using third-party software to use a product in a manner in which it was never intended.
What I find amusing is that generally (at least on Slashdot) the circumvention of copy protection is usually regarded as a Good Thing (tm), but becomes less desirable when it comes to games.
Could it be that third-party circumvention is a good thing as long as it doesn't negatively affect you?
Re:Close Source is not secure (Score:3, Insightful)
But the whole argument for this particular program to be open source is really pointless because they've chosen to break the #1 rule of multiplayer programming: Never trust the client. So it really does not matter if it's open source or closed source; the protection will be broken very easily, either by a script kiddie with a very basic understanding of a MAC address, or by someone who can reverse-engineer the data sent between the client and server.
--LordKaT
Why MAC? (Score:3, Insightful)
High road to the Locked Down Computer(tm) (Score:5, Insightful)
Whether it's in the name of catching cheaters or catching terrorists, our freedom and autonomy are about to evaporate.
Perhaps it reads the permanent MAC address? (Score:2, Insightful)
That's what I would do if I were writing the software. Bwa ha ha ha, etc.
Re:Shh... (Score:2, Insightful)
Also note: DHCP is still usually a local segment function. Yes, I know that there are modifications to various protocols to allow DHCP to function across routers, but that's the router temporarily providing IP service for a local node that hasn't picked up an IP address yet. The actual MAC address is still only used for communications on the local segment.
Further, anybody who's smart enough to figure out how to change MAC addresses can also figure out that they can assign their own static IP address from the DHCP pool and the DHCP server will often allocate around it.
Re:buy a new network card (Score:4, Insightful)
Not everybody knows how/has the ability to change the MAC address of their NIC. Also, three things stop people from writing that rogue program: Time, Skill (in both programming and reverse engineering), and Desire. Not being a huge online gamer I cannot say with 100% confidence, but I doubt that the majority of gamers using this system want to cheat.
As for the statement that client side security doesn't work, well that isn't completely true. No, this system is not foolproof as I understand it, but that does not mean that there is absolutely no way this could work 90% of the time, which for a gaming network is not that bad. Sure, for the Slashdot crowd, this might be easy to crack, but joe-average on the street probably doesn't have a clue what a MAC address is (or they think they don't have one because they use Windows).
Simple solution (Score:3, Insightful)
Once nobody can connect they won't be able to use the system anymore. Shouldn't take too long if a few people here help out.
What's the Big Deal? (Score:3, Insightful)
Re:buy a new network card (Score:5, Insightful)
The average Cheater Joe off the street will definitely know exactly how to change it. Which makes the whole exercise pointless.
Heck, client side security with no passwords and disks shared to the world works great 90% of the time. Unfortunately it isn't the 90% that is the problem. It's the rest. And for the rest, repeat after me, client-side security will never ever ever work. If you don't have physical control over a computer you cannot trust anything it tells you.
Anonymity and privacy (Score:4, Insightful)
-Thomas
Anonymity and responsibility (Score:3, Insightful)
-Thomas
Re:Banning the /24 may be justified (Score:2, Insightful)
No, friggin', way. I will NOT be held accountable for what other users, whom I have absolutely zero control over, do while online. To group me with them just because we pay the same provider for service (and in some areas there may be only one available provider), is discrimination. It's ridiculously thin guilt by association.
ifconfig man pages (Score:5, Insightful)
Since changing the MAC address would allow a cheater to circumvent access controls
Then are the ifconfig man pages now illegal in the US under the DMCA?
Re:It's even simpler..Is it? (Score:1, Insightful)
I'm not saying this is what they did, just wondering why everyone is so quick to assume they are smarter than the guys who designed this. Are you trusting their FAQ to give you COMPLETE details on how they are authenticating? Like a virus, once you let them install a game client, you are no longer in control. Still beatable, but the hassle of getting rid of the client completely (they could be writing files ANYWHERE once you let them install), combined with the fact that even if you succeed, you will have wiped out your client (and presumably therefore lose access to any history or scores on the servers), means this could be more effective than people are giving it credit for.
Spoofing MACs is easy. I just wouldn't be so arrogantly sure that they've overlooked how simple it is to change a MAC address.
Re:I disagree (Score:3, Insightful)
The smart cheater who writes the utility is central to the argument after all, since historically the smart cheaters have published tools for the ignorant ones not "eventually" but almost immediately. The smart cheaters have already published a workaround, and the rest of them already know where to find it.
Re:IPv6 == MAC address (Score:2, Insightful)
You are using NAT for outgoing connections. If you do not specify redirect rules for incoming connections, you effectively have very strict firewall rules for incoming traffic.
My IPv6 traffic is filtered by my OpenBSD machine, which also does the IPv6 in IPv4 tunneling to my provider xs4all.nl.
Re:buy a new network card (Score:1, Insightful)
While I have no deep love for the anticircumvention portion of the DMCA, this is incorrect.
DMCA applies if you circumvent or make a program or service for circumventing a "technical protection measure that protects a copyrighted work".
As far as I can see, this security measure does not protect a copyrighted work. Sorry, no Sklyarov for you.
Re:buy a new network card (Score:1, Insightful)
You miss the point - it's not a MAC... (Score:3, Insightful)
So long as you don't change things that break your local segment (ie: duplicate MACs), then you're fine - go for your life.