
Using MAC Address to Uniquely Identify Computers

An anonymous reader writes "One of Australia's gaming networks, GamesArena has recently imposed a third party program required to access their gaming servers. One of its features is that it records your NIC's MAC address to identify your computer, and subsequently in future, ban you if you cheat/break the rules etc. The response from players is mixed. It is not open source software, nor is it optional to install. "Install it or find another server to play on". Question remains, is it going too far?" Definitely not- unfortunately it won't work since MACs are changeable.

  • by Brian Boitano ( 514508 ) on Tuesday October 22, 2002 @08:24AM (#4503132) Journal
    not banned anymore :D
  • Shh... (Score:1, Insightful)

    by terradyn ( 242947 ) on Tuesday October 22, 2002 @08:26AM (#4503139)
    Don't go telling the general public MAC addresses are changeable. If someone creates a program to easily do the change, we could have some major routing issues should people choose the same MAC addresses.
  • by shird ( 566377 ) on Tuesday October 22, 2002 @08:26AM (#4503142) Homepage Journal
    Why bother? The MAC address is usually stored in flash EPROM. Besides, what's to stop you from writing your own rogue '3rd party' program which is reverse engineered from the original, only reports a random MAC address.

    Implementing security/restrictions client side doesn't work. Period.
  • by MagicFab ( 7234 ) on Tuesday October 22, 2002 @08:29AM (#4503162) Homepage
    ...until the MAC address generators have gone through all the "MAC-space" of possible addresses...

    Wireless APs like Linksys' already come with a web admin that lets you specify *any* MAC address, apparently to please some cable/adsl providers that measure traffic/authenticate (partly) based on this.

    Why not provide a public key server and ask people to submit their public OpenPGP key, signed by P. Zimmermann himself? Get your identity trusted by Z. or go play somewhere else... After all, this seems to imply they want "real" players!
  • Open source (Score:3, Insightful)

    by tsa ( 15680 ) on Tuesday October 22, 2002 @08:30AM (#4503178) Homepage
    Of course it's not open source; the last thing they want is users making changes to this program. Then it would be of no use to them.
  • by isa-kuruption ( 317695 ) <kuruption@NoSPam.kuruption.net> on Tuesday October 22, 2002 @08:31AM (#4503188) Homepage
    "Install it or find another server to play on". Question remains, is it going too far?"

    No, it's not going too far. The game server admins can run the server however they choose fit. If you don't like the rules, don't use the server!

    Definitely not- unfortunately it won't work since MACs are changeable.

    However, the majority of people don't know how to reset their MAC addresses. Also, as I believe to be true, some broadband providers specifically use MAC addresses to verify access. For instance, my Comcast cable modem does everything by MAC, so if I change my NIC in my machine, I need to power off/on the cable modem in order to get back through to the Internet. Although this is sort of a minor issue, some other ISPs may be more strict about MAC changes.

    Overall, the admins figure they will cut out 99% of the hacking attempts as people would just go elsewhere, or once they did cheat, just wouldn't know how to change their MAC.

  • by Bookwyrm ( 3535 ) on Tuesday October 22, 2002 @08:34AM (#4503206)
    Does not the current IPv6 address allocation standard specify using your MAC address as the suffix portion of the IPv6 address? This is merely a taste of things to come if/when IPv6 becomes widely deployed, when your very IPv6 address can uniquely identify the hardware you are on (unless you use IPv6 NAT, of course.)

    And yes, presently, you can probably change the MAC address of your system. However, once software vendors and DRM technologies and other things start locking themselves to your computer hardware, I suspect changing the MAC address would cause problems. The only thing this game company has to do when the game is installed is to lock the licence to the present MAC address so it will not run with a changed IP address without a new licence.
  • by quigonn ( 80360 ) on Tuesday October 22, 2002 @08:35AM (#4503214) Homepage
    And usually, the network card's MAC address is stored in RAM, to make it easily accessible by the different drivers that need it (e.g. Ethernet). This makes it changeable with e.g. Linux's ifconfig:

    ifconfig eth0 down
    ifconfig eth0 hw ether DE:AD:BE:EF:BA:BE
    ifconfig eth0 up
  • by KeithH ( 15061 ) on Tuesday October 22, 2002 @08:36AM (#4503226)
    When I was involved with the initial deployment of DSL service in Canada, our customer ran into an interesting problem: many of the low-cost NICs that they shipped with the DSL modem had the same MAC.

    Under most circumstances, this is seldom an issue since the NICs aren't likely to be deployed on the same network segment. However, when the MAC is used for other tracking services (in this case, a layer-2 NAT), you have a problem.

    And of course, as others have said, most NICs permit the factory MAC to be overridden.
  • by SkankhodBeeblebrox ( 581971 ) on Tuesday October 22, 2002 @08:36AM (#4503228)
    Who the heck is going to buy a used network card?? You can pick up a realtek 8139x based card for $10 CDN retail, and probably for close to the price of a pack of gum online ;)
  • by kris ( 824 ) <kris-slashdot@koehntopp.de> on Tuesday October 22, 2002 @08:41AM (#4503257) Homepage
    However, the majority of people don't know how to reset their MAC addresses.

    Welcome to the digital age, where knowledge can be crystallized into programs, and where the majority of people will soon be able to reenable their access to the gaming server by running some magic program without ever knowing what a MAC address is.

    Kristian
  • by shird ( 566377 ) on Tuesday October 22, 2002 @08:41AM (#4503258) Homepage Journal
    Actually, now that I think about it more -- These cable companies (Telstra, Optus) force you to use their cable modems, which they have tight control over. If everyone using these servers is using it through these modems, which have their own MAC, they could ban based on this MAC address because it would be sent to them directly via ethernet. - this wouldn't require a client side program however, so probably isn't what they're doing.
  • Re:Ban the IP. (Score:3, Insightful)

    by micromoog ( 206608 ) on Tuesday October 22, 2002 @08:41AM (#4503261)
    And ban the ~252 other potential hosts on that network?
  • by 1nhuman ( 597328 ) on Tuesday October 22, 2002 @08:43AM (#4503274)
    I think PKI would be ideal for this purpose. MAC addresses obviously not. Maybe adding PKI code to games would even encourage people to buy a personal certificate. I never had a good reason to buy one but a cheater free CS-server is certainly worth it. They could even bundle games with Verisign certificate vouchers or something. If some people are worried about their privacy you could just create games certificates. Of course people should keep their private keys private.
  • Nothing new (Score:4, Insightful)

    by quantax ( 12175 ) on Tuesday October 22, 2002 @08:47AM (#4503299) Homepage
    This has been going on for a while, though without MAC addresses, a much simpler system. Most multiplayer games these days come with a CD-Key that's authenticated by a central server whenever you play a game. The CDkey usually has a unique ID strapped to it that is publicly accessible by admins or players. You ban the ID, they cannot connect to the game without changing their CDkey (which means either buying a new copy or finding another cdkey that works online, neither are 'easy'). If MAC addresses can be changed, then as soon as a couple of like-minded gamers find out about that, you can count on there being a guide on how to do it for gamers eventually. The best way to handle this is on both a MAC, and CDkey-ID level. Ban their MAC, and ban their ID, that will stop all but the most determined/knowledgeable.
  • Re:Ban the IP. (Score:2, Insightful)

    by lennywood1 ( 571226 ) on Tuesday October 22, 2002 @08:49AM (#4503318) Homepage
    After a certain number of violations, sure. Look at anti-spam organizations that do the same thing on a much larger scale like SPEWS. They blacklist larger blocks than /24. Now this isn't on the same legality level as spam, but it sure is just as annoying.
  • by mrwiggly ( 34597 ) on Tuesday October 22, 2002 @08:50AM (#4503321)
    Call me crazy, but how, exactly, does one's MAC address end up being sent over anything but your local ethernet network?

    Once that packet hits your internet gateway, the ethernet header containing your MAC is stripped, and an HDLC or FR packet is constructed from the ethernet payload and sent out over the WAN link.

    Are they really embedding MAC addresses into the payload? This will only work if you actually have an ethernet card in your computer. So only those lucky enough to have broadband will be affected?
  • Re:Nothing new (Score:3, Insightful)

    by quantax ( 12175 ) on Tuesday October 22, 2002 @08:53AM (#4503342) Homepage
    Oh yea, I should mention that if you are going to ban a player, whether by IP, CDkey-ID, or MAC address, you are banning them. A ban is a ban; if your goal is to keep that player off the server, how is that 'going too far'? One does not 'kinda' ban someone, you either do or don't bother at all. It's the same concept as an IRC channel: there are multiple ways to ban someone, using different nick/user/host options. Each of these has different properties, but in the end they are all doing the same thing, which is stopping the banned person(s) from joining the channel. If you are going to do something, you might as well do it to completion.
  • Details (Score:3, Insightful)

    by A nonymous Coward ( 7548 ) on Tuesday October 22, 2002 @08:55AM (#4503353)
    The MAC is 48 bits, split in two, don't remember how many bits each part. One part is the manufacturer id, the other is the specific card, such as a sequential serial number. MACs are assigned when built, non-changeable, a truly unique card id.

    However, you can tell the OS to report a different MAC. That's what "changing your MAC" means, it doesn't actually change the MAC on the card, but it changes what the OS reports.

    This is also a good example of why Palladium and trusted computing can't have just any old OS running on a computer. DRM requires complete control, not just a little bit of special software.
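Added example, not part of the thread and not GamesArena's code: a Python sketch of the 48-bit layout discussed in the comment above (a 24-bit manufacturer OUI followed by 24 bits assigned by the manufacturer, with the universal/local and group bits in the first octet), and of the modified EUI-64 derivation that the earlier IPv6 comment refers to, which places the MAC in the lower 64 bits of an autoconfigured address. The `2001:db8:1:2::/64` prefix and the `00:16:3e:12:34:56` address are constructed sample values; all function names are hypothetical.

```python
import ipaddress


def parse_mac(text):
    """Return the 6 raw bytes of a MAC written as aa:bb:cc:dd:ee:ff (or with dashes)."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def describe(mac):
    """Split a MAC into its two 24-bit halves and decode the two flag bits."""
    raw = parse_mac(mac)
    return {
        "oui": format_mac(raw[:3]),   # first 24 bits: assigned to the manufacturer
        "nic": format_mac(raw[3:]),   # last 24 bits: assigned by the manufacturer
        # U/L bit set means "locally administered", i.e. not a factory-assigned value
        "locally_administered": bool(raw[0] & 0x02),
        # I/G bit set means a group (multicast) address, never a valid station address
        "multicast": bool(raw[0] & 0x01),
    }


def eui64_interface_id(mac):
    """Modified EUI-64: flip the U/L bit and insert ff:fe between the two halves."""
    raw = parse_mac(mac)
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Recover the MAC from an address whose interface ID has the EUI-64 shape.

    Returns None when the ff:fe marker is absent, for example for manually
    assigned or randomised interface identifiers.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return format_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    # The address used in the ifconfig comment earlier in the thread
    print(describe("DE:AD:BE:EF:BA:BE"))
    # Constructed sample MAC and documentation prefix
    addr = slaac_address("2001:db8:1:2::/64", "00:16:3e:12:34:56")
    print(addr, "->", mac_from_address(addr))
```

The U/L bit is only a hint: an overridden address can carry any value, including one copied from another vendor's range, so a server cannot use it to tell a factory MAC from a chosen one.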
  • Re:Hurrumph (Score:3, Insightful)

    by shird ( 566377 ) on Tuesday October 22, 2002 @09:01AM (#4503405) Homepage Journal
    Your average person who cares that it's recorded can change it easily, and your average 12 year old cheating 5||21p7 |1DD13 probably won't even know why he got banned...

    Except the reason people get banned is for using cheats etc, which are distributed in the same way as information on how to change your MAC.

    The first thing someone will do when they are banned is do a search on google for "telstra banned game unban" or something, and get hundreds of hits on how to get around it.
  • by Xentax ( 201517 ) on Tuesday October 22, 2002 @09:02AM (#4503410)
    Given the description, it will send the one of the PC running this 3rd party program -- which means the PC you're playing/working from.

    Basically, they know how easy it is to change or mask IP addresses, and how (particularly for dialup users), banning an IP can punish a lot more people than just the original offender.

    So, in the mind of some idiot who failed his CSC networking class before he went to business school, he figured "Hey, MAC addresses are unique! Let's grab that, and ban based on that!"

    Just like back then, he didn't do his homework. As others have pointed out:
    1) These days, altering your MAC address at run-time is easy, either on your machine or at a router (which is a common component of broadband connections these days)
    2) Hackers will have little trouble cracking this "closed source" program, so they can make it emit any or a random MAC address, rather than the machine's actual MAC address. This will not affect connectivity, since its use in this context has nothing to do with the actual connection to the server.
    3) If all else fails, network cards are dirt cheap; cheaters/griefers that can't manage #1 or #2 will just buy another network card.

    Basically, this "solution" will only keep out the stupidest and poorest grief players. Smart cheaters won't be affected; smart NON-cheaters will probably hack the thing just to show them what a bad idea it was.

    I've yet to see an access control system that can't be broken or circumvented; this one doesn't even come close.

    Xentax
  • by goldspider ( 445116 ) on Tuesday October 22, 2002 @09:05AM (#4503429) Homepage
    This is a VERY interesting question, as it has implications well beyond gaming, and I think the answers will expose an interesting hypocrisy.

    Now we all know that cheating in online games is for the most part a Bad Thing (tm). We all remember the original Quake bots (my personal favorite was the StoogeBot) that required a certain measure of circumventing of built-in precautions. Generally when people were caught, they heard about it. Flames, kicks, bans, you name it.

    Now we have issues of people using similar circumventions to get around copy protection instead of anti-cheating measures. I realize that this isn't exactly the same thing, but the two scenarios have a common theme: people using third-party software to use a product in a manner in which it was never intended.

    What I find amusing is that generally (at least on Slashdot) the circumvention of copy protection is usually regarded as a Good Thing (tm), but becomes less desirable when it comes to games.

    Could it be that third-party circumvention is a good thing as long as it doesn't negatively affect you?

  • by LordKaT ( 619540 ) on Tuesday October 22, 2002 @09:09AM (#4503463) Homepage Journal
    The whole point of not making it open source is so your average script kiddie can't easily screw around with the system they have in place.

    But the whole argument for this particular program to be open source is really pointless because they've chosen to break the #1 rule of multiplayer programming: Never trust the client. So it really does not matter if it's open source or closed source; the protection will be broken very easily, either by a script kiddie with a very basic understanding of a MAC address, or by someone who can reverse-engineer the data sent between the client and server.

    --LordKaT
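Added example, not part of the thread and not GamesArena's code: a server-side sketch in Python of the "never trust the client" point, contrasting a ban list keyed on a value the client reports with one keyed on an identifier the server issued and can verify. The key, account names and function names are hypothetical, and the MAC is a constructed sample value.

```python
import hashlib
import hmac

# Hypothetical demo key; a real server would use a random secret kept off the client.
SERVER_KEY = b"constructed-demo-key"

banned_macs = {"00:16:3e:12:34:56"}   # ban list keyed on what the client reports
banned_accounts = {"acct-1001"}       # ban list keyed on what the server issued


def admit_by_reported_mac(reported_mac):
    """Weak check: the server has no way to confirm the reported value."""
    return reported_mac.lower() not in banned_macs


def _tag(account_id):
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_token(account_id):
    """Issued by the server, e.g. after it has validated a purchase or CD key."""
    return f"{account_id}.{_tag(account_id)}"


def verify_token(token):
    """Return the account id if the tag was produced with SERVER_KEY, else None."""
    account_id, sep, tag = token.rpartition(".")
    if not sep or not account_id:
        return None
    # Constant-time comparison on bytes, so odd client input cannot raise
    if hmac.compare_digest(tag.encode(), _tag(account_id).encode()):
        return account_id
    return None


def admit_by_token(token):
    """Admit only verifiable identities that are not on the ban list."""
    account_id = verify_token(token)
    return account_id is not None and account_id not in banned_accounts


if __name__ == "__main__":
    # Same banned machine, two different self-reported values
    print(admit_by_reported_mac("00:16:3E:12:34:56"))   # on the ban list
    print(admit_by_reported_mac("02:00:00:00:00:01"))   # any other value passes
    # Server-issued identity: a made-up tag does not verify
    print(admit_by_token(issue_token("acct-1001")))     # banned account
    print(admit_by_token("acct-2002." + "0" * 64))      # forged tag
    print(admit_by_token(issue_token("acct-2002")))     # valid, not banned
```

The token only stops fabricated identities; how hard it is to come back after a ban depends on what the server ties issuance to, such as the per-copy CD key described in the "Nothing new" comment.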

  • Why MAC? (Score:3, Insightful)

    by mnordstr ( 472213 ) on Tuesday October 22, 2002 @09:10AM (#4503476) Journal
    If they want something static, why go with MAC? They could just make an MD5 of some system specific info. That can't be easily tampered with. I'm not suggesting this, just making a statement :-)
  • by Dr. Spork ( 142693 ) on Tuesday October 22, 2002 @09:11AM (#4503487)
    I hope you're catching on to the dialectic here: this move will fail miserably, because NIC addresses are trivially easy to spoof. The next dialectical step: "We need some sort of unspoofable hardware key--maybe processor-based DRM." People will buy it if you can't play games without it. The end result will be a computer that protects you from yourself.

    Whether it's in the name of catching cheaters or catching terrorists, our freedom and autonomy are about to evaporate.

  • Perhaps this third party software can read the permanent MAC address on a number of different types of nics -- there really aren't *that* many different chipsets out there so it wouldn't be unthinkable that this would be part of their implementation. The point is, you can change the MAC address but the original permanent HWaddr remains encoded on the nic. And if you did change your MAC address the software might detect the change and disable your access to the site.

    That's what I would do if I were writing the software. Bwa ha ha ha, etc.

  • Re:Shh... (Score:2, Insightful)

    by phil reed ( 626 ) on Tuesday October 22, 2002 @09:40AM (#4503694) Homepage
    Well, then I pity your ISP for having to add to their workload by updating the DHCP table whenever a customer gets a new or changed Ethernet card. That's essentially the same workload as manually handing out static IP addresses, so DHCP really hasn't saved your ISP much.

    Also note: DHCP is still usually a local segment function. Yes, I know that there are modifications to various protocols to allow DHCP to function across routers, but that's the router temporarily providing IP service for a local node that hasn't picked up an IP address yet. The actual MAC address is still only used for communications on the local segment.

    Further, anybody who's smart enough to figure out how to change MAC addresses can also figure out that they can assign their own static IP address from the DHCP pool and the DHCP server will often allocate around it.
  • by Unkle ( 586324 ) on Tuesday October 22, 2002 @09:57AM (#4503819)
    Why bother? The MAC address is usually stored in flash EPROM. Besides, what's to stop you from writing your own rogue '3rd party' program which is reverse engineered from the original, only reports a random MAC address. Implementing security/restrictions client side doesn't work. Period.

    Not everybody knows how/has the ability to change the MAC address of their NIC. Also, three things stop people from writing that rogue program-Time, Skill (in both programming and reverse engineering), and Desire. Not being a huge online gamer I cannot say with 100% confidence, but I doubt that the majority of gamers using this system want to cheat.

    As for the statement that client side security doesn't work, well that isn't completely true. No, this system is not foolproof as I understand it, but that does not mean that there is absolutely no way this could work 90% of the time, which for a gaming network is not that bad. Sure, for the slashdot crowd, this might be easy to crack, but joe-average on the street probably doesn't have a clue what a MAC address is (or they think they don't have one because they use Windows).

  • Simple solution (Score:3, Insightful)

    by Lord Bitman ( 95493 ) on Tuesday October 22, 2002 @10:11AM (#4503918)
    Set up a few computers with bots hacked onto them and have the clients send out increments of MAC addresses, until all of them have been marked as cheaters.
    Once nobody can connect they won't be able to use the system anymore. Shouldn't take too long if a few people here help out.
  • by reallocate ( 142797 ) on Tuesday October 22, 2002 @10:22AM (#4504013)
    What's the big deal? If a private network doesn't want to let you in, why should they? A unique MAC address is just another way of establishing who you are.
  • by Znork ( 31774 ) on Tuesday October 22, 2002 @10:29AM (#4504091)
    Sure it will work 90% of the time. For the 90% that don't cheat, that is.

    The average Cheater Joe off the street will definitely know exactly how to change it. Which makes the whole exercise pointless.

    Heck, client side security with no passwords and disks shared to the world works great 90% of the time. Unfortunately it isn't the 90% that is the problem. It's the rest. And for the rest, repeat after me, client-side security will never ever ever work. If you don't have physical control over a computer you cannot trust anything it tells you.
  • by Tomster ( 5075 ) on Tuesday October 22, 2002 @10:43AM (#4504212) Homepage Journal
    It seems people tend to confuse privacy with anonymity. Privacy means preventing others from getting information about you -- whether it's what kind of toothpaste you use or your SSN. Anonymity means preventing others from finding out who you are. The two are related, in that in practice they often go hand-in-hand. But they are distinct.

    -Thomas
  • by Tomster ( 5075 ) on Tuesday October 22, 2002 @10:47AM (#4504238) Homepage Journal
    For many people, being anonymous online means "I can do whatever I want" because there are no significant consequences for their misbehavior. To these people, I say: life is much nicer when you are nice to other people. Try it, you might be surprised.

    -Thomas
  • by Anonymous Custard ( 587661 ) on Tuesday October 22, 2002 @10:53AM (#4504273) Homepage Journal
    You have to weigh the damage that a cheater is causing against the damage that loss of about two legitimate players on the same /24 would cause. If a fellow is making a big enough fool of himself, and the service isn't yet popular enough that a ban might cause a financially significant number of cancellations of service, a "Too many cheaters from your ISP" message may be warranted.

    No, friggin', way. I will NOT be held accountable for what other users, whom I have absolutely zero control over, do while online. To group me with them just because we pay the same provider for service (and in some areas there may be only one available provider), is discrimination. It's ridiculously thin guilt by association.
  • ifconfig man pages (Score:5, Insightful)

    by bobKali ( 240342 ) on Tuesday October 22, 2002 @11:17AM (#4504506) Homepage
    Since the ifconfig man pages contain instructions on how to change MAC addresses and
    Since changing the MAC address would allow a cheater to circumvent access controls
    Then are the ifconfig man pages now illegal in the US under the DMCA?
  • by Anonymous Coward on Tuesday October 22, 2002 @02:28PM (#4506042)
    Call me dumb, but it seems to me people are overlooking the fact that this is a client software download and install. Perhaps the client software somehow records your MAC address at the time, and that is what is sent to their servers for authentication ever after. Perhaps they are aware of how easy it is to spoof a MAC address? So they could be generating an ID from the installation and initial connection to their servers, then stored on your machine inside their client. Change the MAC address any way you want (new nic, change direct, whatever), and they still know it's coming from you.

    I'm not saying this is what they did, just wondering why everyone is so quick to assume they are smarter than the guys who designed this. Are you trusting their FAQ to give you COMPLETE details on how they are authenticating? Like a virus, once you let them install a game client, you are no longer in control. Still beatable, but the hassle of getting rid of the client completely (they could be writing files ANYWHERE once you let them install), combined with the fact that even if you succeed, you will have wiped out your client (and presumably therefore lose access to any history or scores on the servers), means this could be more effective than people are giving it credit for.

    Spoofing MAC's is easy. I just wouldn't be so arrogantly sure that they've overlooked how simple it is to change a MAC address.
  • Re:I disagree (Score:3, Insightful)

    by susano_otter ( 123650 ) on Tuesday October 22, 2002 @02:46PM (#4506235) Homepage
    Ah, but the average cheater does know how to change the MAC address: visit their favorite warez/cheats site, download the application or instructions for changing the address, and change the address.

    The smart cheater who writes the utility is central to the argument after all, since historically the smart cheaters have published tools for the ignorant ones not "eventually" but almost immediately. The smart cheaters have already published a workaround, and the rest of them already know where to find it.
  • by OttoM ( 467655 ) on Tuesday October 22, 2002 @02:55PM (#4506358)
    When I started using NAT rather than a computer directly interfaced to an ADSL modem, the number of attacks dropped from about a dozen a day to one or two a month

    You are using NAT for outgoing connections. If you do not specify redirect rules for incoming connections, you effectively have very strict firewall rules for incoming traffic.

    My IPv6 traffic is filtered by my OpenBSD machine, which also does the IPv6 in IPv4 tunneling to my provider xs4all.nl.

  • by Anonymous Coward on Tuesday October 22, 2002 @03:00PM (#4506416)
    Congratulations, you just violated the DMCA.

    While I have no deep love for the anticircumvention portion of the DMCA, this is incorrect.

    DMCA applies if you circumvent or make a program or service for circumventing a "technical protection measure that protects a copyrighted work".

    As far as I can see, this security measure does not protect a copyrighted work. Sorry, no Sklyarov for you.
  • by Anonymous Coward on Tuesday October 22, 2002 @03:00PM (#4506418)
    ifconfig eth0 hw ether DE:AD:B:AD:F:ED
  • by B747SP ( 179471 ) <slashdot@selfabusedelephant.com> on Tuesday October 22, 2002 @06:51PM (#4508484)
    I think you guys are missing the point. The MAC addresses aren't being used as MAC addresses. They're being used as ID Numbers. This dodgy little bit of software grabs the number, and uses it, out of context, as a component of the authentication process. This isn't a network issue, it's an authentication issue.

    So long as you don't change things that break your local segment (ie: duplicate MACs), then you're fine - go for your life.
