FBI & DEA Warn That IPv6 May Be Too Damn Anonymous

from the they-just-woke-up? dept

IPv6 has been around for quite some time at this point, but as we get closer and closer to moving the internet over to the system, it appears that American and Canadian law enforcement has just noticed that it’s not as easy to identify and track users, and they’re frantically raising concerns.

FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes. The FBI has even suggested that a new law may be necessary if the private sector doesn’t do enough voluntarily.

The issue has more to do with record-keeping than technology. As Declan McCullagh explains at the link above:

ARIN and the other regional registries maintain public Whois databases for IP addresses, meaning that if you type in 64.30.224.118, you can see that it’s registered to CNET’s publisher. ARIN tries to ensure that Internet providers keep their segments of the Whois database updated, and because it’s been handing out IPv4 address blocks every few months, it currently enjoys enough leverage to insist on it.

But for IPv6, ARIN will be handing out much larger Internet address blocks only every 10 to 15 years, meaning it loses much of its ability to convince Internet providers to keep their Whois entries up-to-date. That means it may take law enforcement agencies — presumably armed with court orders — longer to trace an IPv6 address such as 2001:4860:4860::8888 back to an Internet service provider’s customer.

Of course, some might see that as a feature, not a bug. Either way, I would imagine that most service providers will bend over backwards to make sure that law enforcement can, in fact, track people down if necessary. Too many service providers fold when the feds come knocking seeking information on people already. As long as this is presented as a way to protect children or stop terrorists or whatever the favorite of the day is, it seems likely that ISPs will get things in order themselves.



Comments on “FBI & DEA Warn That IPv6 May Be Too Damn Anonymous”

90 Comments
anonymous blob says:

I think the FBI and DEA need to stay the feck off the internet. If someone really wanted to hack and do harm they can go to a public library, use their PC under a phony name and do as they please... I don’t blame hackers for hacking the FBI’s page, they seem to be getting a little noisy… FBI, aka federally being ignorant, needs to grow up and leave things and people alone. If they have a hard time catching criminals then they shouldn’t have started it; hint: they are criminals.

Robert A. Rosenberg (profile) says:

Re: Re: Anonymous Library Usage

“If someone really wanted to hack and do harm they can go to a public library, use their PC under a phony name and do as they please”

Not in my Library System. To log onto their public computers, I need to supply my Library Card Number and I am then granted 120 minutes (or until 15 minutes until closing – whichever is less) of access. Since I have to prove my identity to get the card I am not anonymous (unless I supply someone else’s number which might qualify as a phony name).

Brad C (profile) says:

Every service provider is going to know where the IP address exists and who is using it or they won’t be able to run their business very well. The traceability already exists and works very well, they are just not going to be making that information public, or making it available to law enforcement without proper warrants. A lot of them are already in this situation now, meaning IPv6 will change nothing. The only problem here is that law enforcement seems to think that getting warrants is not worth their time.

Gwiz (profile) says:

“Of course, some might see that as a feature, not a bug.”

I certainly see it as a feature.

For the last year or so one (or more) of the AC’s around here has been saying that IPv6 will spell the end to anonymity on the internet*. I’m guessing that this story might be a wee bit of rain on his parade.

* Not that I ever was really worried about it – if I really want to be anonymous on the internet I can always spoof my hardware MAC address on the WiFi at my local Burger King or public library anyways.

Anonymous Coward says:

Re: The Problem is Figuring Out Which ISP

I can understand that new IP addresses might be hard to track, but you can use a simple “tracert” command and look at the last few nodes before the end point. Chances are these will be the main routers of the ISP, which are likely using an IP range that was assigned to their network. I’m sure that the IP blocks for the ISP backbone are recorded in a global database and rarely change.

But yes, I guess having someone magically tell me the answer without me needing to understand the system or even do a tiny bit of work would be nice.

Josh in CharlotteNC (profile) says:

Re: The Problem is Figuring Out Which ISP

“the issue is ISP anonymity.”

That makes no sense at all.

If an ISP wants its traffic to be routable, it can’t be anonymous. IPv6 isn’t going to change anything in this respect. ISPs still need to buy bandwidth from larger ISPs, all the way up to the Tier 1 providers.

ARIN hands out address blocks to ISPs under IPv4. They’ll do the same under IPv6. That ISP is then responsible for keeping records of what addresses they give to their customers – exactly the same as now. I don’t see how IPv6 changes anything in regard to finding out what ISP is responsible for what IP address.

Anonymous Coward says:

Re: Re: The Problem is Figuring Out Which ISP

As it stands now many ARIN, RIPENIC, etc. whois records are out of date. Some people in my office still get calls about address blocks related to a company that went under and no longer controls those address blocks, but those blocks *are* in use by other companies, are world routable, and are not on the bogon lists.

Josh in CharlotteNC (profile) says:

Re: Re: Re: The Problem is Figuring Out Which ISP

Excerpt from chapter 2:
“The hard part comes when you have to find some legitimate or at least semi-legitimate company that has it’s own properly-registered Autonomous System Number (ASN) and who is willing and able to announce routes to your shiny new IP address block.”

That is exactly what I’m saying. An IP address does you no good at all unless someone will route to it – and thus cannot be completely anonymous.

Yes, tracking spam and malware through shell companies, uncooperative ISPs, and fraudulent and out-of-date entries in lookups is a serious pain in the ass. But all that traffic has to pass between networks that have agreements with each other to do exactly that.

Also, that page needs some kind of overview or introduction – it just kinda feels like a random grouping of unrelated facts/events. Give me a plot, man!

Rekrul says:

Re: Re: The Problem is Figuring Out Which ISP

“If an ISP wants its traffic to be routable, it can’t be anonymous. IPv6 isn’t going to change anything in this respect. ISPs still need to buy bandwidth from larger ISPs, all the way up to the Tier 1 providers.”

Let’s say that someone from 235.54.98.125 is trying to hack your system. How do you find out who they are? You ask the ISP that issued that IP address, right? And how do you figure out what ISP issued that address? You use WhoIs to look up what company owns that IP address.

What the article is saying is that when thousands of IPv6 addresses are handed out, the records may not be properly updated. So they might know that someone from 6543:4539:7654::8634 is doing something illegal, but how do you ask the ISP for the name of the person paying for that account, if you can’t figure out which ISP that address is assigned to?

Anonymous Coward says:

Pardon me, but one feature of IPv6 is, no more daily interruption/disconnect, one IP address (almost) forever, or am I wrong?

And that will make it much easier to track a single user, or at least the IP of her/his router. The IP will be as unique as the phone number.

Please correct me, if I’m wrong.

Robert A. Rosenberg (profile) says:

Re: IPv6 Address Ownership

With IPv6 you own an IPv6 /64 network. The low 64 bits identify the device and can be changed on a connection-by-connection basis (although the default is the MAC address of the device’s interface). Thus all you can track is the network, not the user (i.e., it is like trying to identify a user who is on a NAT-protected LAN – all you see is the WAN-facing address, not the LAN address).

New Mexico Mark says:

Re: Re:

Scale is a critical factor when it comes to learning IPv6. I know just enough to be dangerous, and I still can’t get my head around it.

IPv4 has about 2^32 or four billion addresses, significantly less than the current world population. IPv6 has about 340 undecillion addresses, or enough for every atom in the universe to be assigned its own address. With IPv6, a /48 is generally assigned by an ISP and you add 16 bits to identify subnets in your network. That means your home could have 65,535 subnets with 2^64 addresses each, or 65,535 * 4 billion IPv4 Internets, if you will.

On the upside, IPv6 has more organization features than IPv4, making those 340 trillion trillion trillion addresses easier to manage than it might seem at first.

Whew!

AndyD273 (profile) says:

It's a trick?

They are trying to get people to switch to IPv6, and not getting much cooperation…
“All of the sudden” law enforcement says that they can’t track IPv6 addresses? Pull the other one.
It’s just a ploy to try to get better IPv6 adoption.

And on a side note, I read that IPv6 has enough range to give every star in the universe an address, even if there were several billion times more stars in the universe. Why not just give every single network-capable device its own burned-in IPv6 address that can’t be changed no matter what? Then, all of a sudden, an IP address is a person, or at least a specific machine owned by a person.

Anonymous Coward says:

Re: It's a trick?

– It’s enough addresses for many trillions of addresses to be assigned to every human being on the planet.

– The earth is about 4.5 billion years old. If we had been assigning IPv6 addresses at a rate of 1 billion per second since the earth was formed, we would have by now used up less than one trillionth of the address space.

– The earth’s surface area is about 510 trillion square meters. If a typical computer has a footprint of about a tenth of a square meter, we would have to stack computers 10 billion high blanketing the entire surface of the earth to use up that same trillionth of the address space.

Rich Kulawiec says:

It's often instructive in such cases...

…to read what the people who actually run networks have to say about such things. So let me point you to the current discussion thread on NANOG concerning this issue.

I’d also like to point out that WHOIS data has never been of sufficient accuracy as to facilitate law enforcement activity, not without multiple independent corroborating sources of information. That’s not a knock on ARIN: while I often disagree with their policies, I have to admit that they do a pretty good job under difficult circumstances. It’s just a recognition that the incidence rate of fraud and network hijacking is significant and likely to continue increasing.

Arthur Moore (profile) says:

How IPv6 works

IPv6 normally does things differently than IPv4. With IPv4 the service provider uses something called DHCP to give your router an address. Your router then gives every PC in your house its own address, and uses NAT to talk to the outside world. This is one of the major reasons that IP addresses don’t even correspond to individual computers.

With IPv6, the ISP says we are network 2001:…./48 and your computer uses that to create a globally unique IP address. Your computer also uses that information to create a random IP address that is used for all outgoing communications.

It’s sort of like having a permanent mailing address, but the post office lets you use another PO box for free. Oh, and you can change which PO box you’re using at any time.

An ISP can trace those addresses back to your cable modem or DSL box, but they would need one entry per computer in that house or business. However, those random addresses normally change at least once a day. So that’s one entry per computer per day.

If they’re doing their jobs properly and giving the house a whole /64 then you’re back to the way things are today. They know that every address that starts with those 64 bits comes from your house, but that’s all they know.

This whole complaint is about record keeping. Under the old system an ISP would have the DHCP server send the information about each address to the whois database. Under the new system, they have to have their routers doing essentially the same thing.

The problem with that is that it’s expensive to set all of this up, and after ARIN gave them the initial /48 or whatever they don’t have a stick to beat the ISP with.

Incidentally, without proper whois records geolocation doesn’t work properly.

Will (user link) says:

Re: How IPv6 works

This is actually just plain wrong.

There are three ways to do IPv6 addressing.

1. DHCPv6 & DHCPv6-PD
2. SLAAC (stateless address auto configuration)
3. Static.

What you’re talking about is SLAAC. ISPs do not use SLAAC to deploy for two reasons. The first is it’s hard to do accounting with their IPAM. Secondly, you need to provide the customer with a routed prefix for their network. So they use DHCPv6-PD.

Where SLAAC is used is in the home, to distribute that routed prefix around the LAN. A machine will see the advertised prefix and encode itself an address using its MAC. However, privacy extensions are used on most modern operating systems so it will hash a new address for sourcing.

The only time I’ve ever seen SLAAC used on an ISP network is for modem management interfaces. Since the ISP knows the MAC of the modem and the prefix being advertised, it can trivially calculate the address. In this case the provider has obviously disabled PE on the modem’s management interface.
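The calculation described in the comment above (advertised prefix plus MAC gives the SLAAC address), together with its reverse, as an added example that is not part of the original comments: it builds the modified EUI-64 address and then checks whether an observed address embeds a MAC or carries an opaque interface identifier. The prefix, MAC and addresses are constructed sample values (2001:db8::/32 is the documentation range) and the function names are illustrative.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def classify(addr: str) -> dict:
    """Split an address into its /64 and report a MAC if the low 64 bits look like EUI-64.

    The ff:fe test is a heuristic: a random interface identifier matches it by
    chance about once in 65,536 addresses.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = (int(ip) & (2**64 - 1)).to_bytes(8, "big")
    result = {
        "prefix64": str(ipaddress.IPv6Network(f"{ip}/64", strict=False)),
        "mac": None,
    }
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        result["mac"] = ":".join(f"{b:02x}" for b in mac)
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    prefix = "2001:db8:1234:5678::/64"
    mac = "00:1a:2b:3c:4d:5e"
    stable = slaac_address(prefix, mac)
    print("EUI-64 address:", stable)
    print(classify(str(stable)))
    # Constructed address with a random-looking interface identifier,
    # as a host using privacy extensions would source traffic from.
    print(classify("2001:db8:1234:5678:9c4f:1e02:77ab:3d10"))
```

Both sample addresses resolve to the same /64, which is the part tied to the subscriber line; only the EUI-64 form also identifies the interface hardware.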

Miso Susanowa says:

stupid?

Why do people think that someone clever enough to be in Congress & weasel their way through lobbyists and bribery money while playing footsie with the spooks is “stupid” or “thick” or “just doesn’t get it”?

That’s still thinking along the lines that these are rational guys who don’t have their own reasons for being opaque? People smart enough to hide their own money, play the tax system & the investment system aren’t stupid.

I imagine they know quite enough about the internet, IPv6 and all the rest to make the policy that they want.

Bah. says:

Re: stupid?

The policy they (as in the congresspeople with a reasonable understanding of networking and IP addressing) want will be clobbered to death by Lobbyists and politicians wielding the “Think of the childreeeeeen!” tree-sized club, and there won’t be any use to the resulting bill.

Remove the money and politics from the equation and we’ll have a proper law, keep both and the bills in favor of the wealthy will continue to strangle all others to death.

Digitari says:

Re:

Sorry, did I miss the law that says it “has” to be easy…

I always thought it was a Job, or a vocation. When did law enforcement become “push button” easy?

Did I miss a day or something?

Criminal: my job is to break the law..

Law Enforcement person: My job is to catch the person breaking the law

Why “should” it be made easy? If it becomes “easy” then what’s the point of having the “job”????

When did WORK become easy?? And why is my Job hard work??

I call “Radishes” on this mindset…

If the work you have chosen is too difficult, maybe you should find ANOTHER Job…….(and quit whining about it)

the future sucks says:

If anything IPv6 will destroy all anonymity. Most devices will retain their IPv6 address statically. Web applications/sites will start using addresses as unique identifiers, or locking account access to a particular IP. Inevitably users will be tracked everywhere and have no choice in the matter because you can’t hide your IP. This will happen in spite of the bad practice of doing so because of inertia, the easiest, laziest outcome possible ALWAYS wins.

Anonymous Coward says:

Now What?

“FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes.”

DEA agent #1: “We caught this guy with a pound of cocaine in his hands.”

DEA agent #2: “Did we get his IPv6 address?”

DEA agent #1: “No.”

DEA agent #2: “Damn it, we can’t identify him without it. Let him go.”

trollificus (profile) says:

Re: Re:

Man, I always get a little spooked when government agencies send out spokesbots with a message like “Black is white, until the legislation deeming it so is repealed or revised. We will not be responding to questions at this time.”.

They always do it with a straight face.

ref: Harry Reid justifying public employee payoffs via unneeded postal service offices because “Old people need junk mail to feel connected to society.”

or:
“We need to be able to determine citizens’ location, 24/7, or we will be unable to protect them from crime.” ~DEA, FBI, etc.

or (as noted above):

“It would be a violation of citizens’ privacy for us to tell them if we were spying on them. We will not be responding to questions at this time.” ~NSA

Totally straight-faced. Totally creepy.

Freddy says:

Why not give me my own

Since there are so many IPv6 addresses, let’s kill 2 birds with one stone and issue one to me on a permanent basis. That way law enforcement can identify my totally encrypted web services that can more competently rely on my own address. There is no need to lease them out anymore. How would you feel if your mail address changed every 3 days?

Anonymous Coward says:

Good grief.

Imagine if these noofuses had been around when telephone tech was evolving in the US. Private start-up companies would never have been able to afford to service these kinds of demands while trying to spread a revolutionary new technology. The Constitution is supposed to protect citizens against this kind of snooping. That is why law enforcement are supposed to get a warrant to wire-tap or to access telephone records.

The internet is not alien. It’s just another evolution in communication technology. The content is novel but the fact of an emergent communication technology is older than speech itself (languages are probably our most significant communication technology to ever evolve). There is no rational justification for any communication technology to be “snoop ready” for so called law enforcement.

Just as the telephone system would have been hugely hampered and civil rights significantly degraded in the US if this kind of snooping had been accepted as reasonable and necessary when telephone communication technology was evolving into the modern land-line telephone system, so too is there a cost to imposing this snooping on new forms of communications. That cost is immeasurable but no less real.

If the US telephone could not have evolved at the speed and complexity as it did, might the Cold War have been lost? We’ll never know.

If we consider the basic premise that is necessary to all this “panic” over evolving communication technology, we are looking at an assumption that private law-abiding citizens do not have a default right to communicate without being snooped and spied on. That’s just wrong and it goes to show how much civil society has devolved and degraded in the US.

Karl (profile) says:

Re: Lowery is a liar

Oh, for fuck’s sake. This reply is to the wrong article. I have no idea why it was posted here – I hadn’t even viewed this article.

Is something going on with the Techdirt database?

Anyway, this was supposed to go here:
http://www.techdirt.com/articles/20120619/11493419390/david-lowery-wants-pony.shtm

trollificus (profile) says:

Re:

Oh dear, another one that didn’t get the memo? You didn’t see it? It was, like, a piece of paper, with a bold header!

What did it say? Ummm…”getting an education and then taking a job you’re overqualified for”. I think that was it. Part of it, yeah. And you won’t get ‘rich’ but the work will be easy and you’ll still have a lifestyle that kings from 200 years ago would kill for. “Lowered expectations…” Yeah.

Something along those lines anyway.
