Is the IT Security Officer lying to me?
October 11, 2006 10:50 AM   Subscribe

Am I being lied to? I am receiving threatening/harassing emails from several yahoo accounts, but the person/people involved all have IP addresses that trace to a single university. The university has an IT Security Officer who tells me that he's done everything he could to track the IPs (they are all different but from the same institution) and he can't pin them to a single computer or person. I do not necessarily believe him. I have looked at other questions and answers, but would like to know what you think. I should mention that a login and password is used to access the network at this institution, even for the wireless network.
posted by anonymous to Computers & Internet (36 answers total)
 
he can't pin them to a single computer or person

Well, the student could be using computers in a computer lab to access the internet - different computers at different times and days.

Or it's possible that the computers have dynamic IPs. At my university, each student's personal computer had a static IP (registered), but the academic network computers had dynamic IPs.

In short, the IT is most likely not lying to you.
posted by muddgirl at 10:58 AM on October 11, 2006


Don't most lab computers require logging in these days? Those at my uni certainly do.
posted by fvw at 11:01 AM on October 11, 2006


It would be a strange university network administrator who wasn't able to tell you which IP was assigned to which username at which time. Well, strange or incompetent or lying. I know the tech guys here pride themselves on this sort of thing.

If he's unable to track the user associated with that IP, that means he would be able to trace the IP associated with postings to terrorist websites, or the IP associated with the download of child pornography, or the IP associated with hacking attempts.

You want to know what I think? Either he can do it and he can't be arsed, or he's incompetent.
posted by handee at 11:01 AM on October 11, 2006


He is mistaken, but perhaps not lying. Even in the case of dynamic IPs, there will be a log of the DHCP leases somewhere, and there are other ways of finding out who it is as well: it is very possible that someone under him knows exactly how to do this.
posted by brool at 11:05 AM on October 11, 2006


What the IT Security person is telling you is, "I'm not going to reveal the identity of any of my staff or students to you without a court order, because I'm generally protective of their privacy and you haven't presented any real evidence to me that they're doing anything wrong."

He's hoping you'll go away.

If the situation rises to the level of a criminal matter, you should contact the police. Alternately, you can file a lawsuit, and the court can compel the university to assist you.
posted by jellicle at 11:09 AM on October 11, 2006 [2 favorites]


or he's incompetent.

My limited experience points to this.

and he can't pin them to a single computer or person.

Could it be multiple people? (perhaps I'm being to literal).
posted by muddgirl at 11:12 AM on October 11, 2006


How does he know that you are on the level? If he does have this information, why should he give it to you without a subpoena? You have no legal right to the information you're requesting, and his institiution would be liable if they breached a privacy assurance they've made to their users.

Also, it's an increasing trend for institutions to keep only the absolute minimum amount of logs to avoid being in the situation of having data that could be subpoenaed. Speaking as an IT manager in a large institution with lots of public use, it's entirely likely that they do not have that information by design.

To look at it another way, it doesn't matter whether or not he's lying to you. You've gotten what you're going to get unless you lawyer up.
posted by ulotrichous at 11:16 AM on October 11, 2006


If the IPs come from public access workstations around the campus, there's not a thing he can do.

If the IPs come from anywhere else, a good network administrator would know how to track down the offending computer, and likely the username used to login to it.

He may be honest, he may be clueless, or he may be trying to brush away the whole issue. It's definitely hard to tell without more details.
posted by splice at 11:25 AM on October 11, 2006


If you are being threatened then report the threat to the policde department in the town where the university is located. They can convince the IT guy to cough up the name.
posted by caddis at 11:28 AM on October 11, 2006


They don't have to reveal anyone's name to shut the person down. If they can, they should let the asshole know (perhaps verbally, off the record) that he has been complained about and that he must cut the shit or be shut down. They could then stick to their story about being unable to trace the dickhead but ask you to let them know if it happens again.

Or, yeah, immediately call the cops if it feels like a real threat.
posted by pracowity at 11:34 AM on October 11, 2006


When I was in school the university policy was to not release any information without a court order. They decided to be as content-blind as they could and refused to examine traffic going to specific students or employees -- if they admit to policing any activity, they could be found liable for future activity.

It may be that he can technically pin them to a single username, but can not do it because of policy. File a police report if you feel threatened.
posted by mikeh at 11:35 AM on October 11, 2006


It's possible if the university is using NAT that the IP address is not traceable to a specific computer. What other posters have suggested, though, is more likely -- they want you to go away and/or there are policies that prevent them from disclosing the student's name.

You should file a police complaint, and let the police do the work.

I had a similar situation once, got some harassing emails/phone calls from a school in Denver. The school figured out rather quickly which students were responsible, but would not disclose that information due to policy -- however, they did agree to pass on a message from me to the parents involved that I would file a complaint with police and seek charges if I did not 1) stop receiving calls, and 2) receive an apology directly from the students within 24 hours. I got the apologies, dropped the matter, and haven't had a problem since.
posted by jzb at 11:46 AM on October 11, 2006


If the single IP traces back to the university's firewall then there isn't enough information to trace it back to a single user easily. I'd imagine that at a university there would be hundreds or thousands of people using yahoo. To actually trace the source they'd need to know specific time frames etc and check log files.
posted by substrate at 11:58 AM on October 11, 2006


What is the university? Maybe someone here has experience with the university that will help you find out if you're being lied to.
posted by jayder at 12:02 PM on October 11, 2006


Call the cops. That's what they're there for.
posted by bshort at 12:09 PM on October 11, 2006


Look at it it from the security officer's perspective:

Someone from outside his organization, who is neither a lawyer nor a police officer, is attempting to extract the name of one of his users based on some (allegedly) unprovoked harrassing emails. If that person goes on to do anything improper with that information, be it violence or just harrassment in return, he loses his job and could probably be sued personally on any number of grounds. Barring a court order, he'd have to be crazy to do this. Would you want -your- system administrator, or, say, community website moderator, handing out your real name to anyone who claims to have a greivance with you?

Even if he were inclined to help, there are many reasons that an IP address might not yield a name. The DHCP logs might not record enough data to identify one particular machine on the network. It may be a public lab computer that the last user forgot to log out of. It might be someone using a roommate's machine. I wouldn't bet my career, or five bucks, that I could pick the right user out of thousands given a very heterogeneous university computing environment. (You mention that login/pw is required to access the network - most likely this refers to accessing servers or intranet sites, not simply getting internet connectivity.)

If you really want to pursue this, contact the police.
posted by a young man in spats at 12:09 PM on October 11, 2006


handee writes "It would be a strange university network administrator who wasn't able to tell you which IP was assigned to which username at which time."

Not strange at all. Take our setup for an example: We don't log anything unless we are having a specific problem. Leases on public/ hostile vlans and lab vlans are for 2 hours. Staff vlan IPs lease for 3 days. Unless you contact us within the lease window we can't tell you who had the IP address.

handee writes "Either he can do it and he can't be arsed, or he's incompetent."

I think you have a false dilemma here. As I've said we don't log this information unless we're trouble shooting. Why would we? All logging does is create work setting up the logs, create FOIP issues from storing the logs, and create more work querying logs every time someone on the net gets offended. All at no gain for us.
posted by Mitheral at 12:20 PM on October 11, 2006


Mitheral - obviously works differently at your place. At the uni I work at, you cannot get lab access without a login. Same with wireless, and they need to know who's doing what.

Not sure about lease windows or storage times, though.
posted by handee at 12:41 PM on October 11, 2006


Reiterate what Jellicle said first. He ain't giving it up without some higher authority. Call the local cops in the Uniuversity's town. Call the Univ police. Make a big stink.
posted by JohnnyGunn at 12:56 PM on October 11, 2006


I should mention that a login and password is used to access the network at this institution, even for the wireless network.

This probably isn't true absolutely everywhere. For instance, at my undergrad school it was true everywhere except the library, and probably all sorts of small miscellaneous networks that weren't part of the centralized campus network. Also, it was possible to plug a laptop in at various places without a login. It is a rare campus that has a truly homogeneous completely centralized computer network with one login for everything you could do.

And also, the legal stuff too probably.
posted by advil at 1:07 PM on October 11, 2006


umm... call the police if you're scared, otherwise brush it off...

two options, pretty simple if you ask me
posted by hatsix at 4:46 PM on October 11, 2006


Foetry Guy,

I used to work at UNCW (not in the IT department). I don't know the security guy or anything about UNCW's security policies, but I can tell you it's possible to get a temporary guest login to the wireless network — not sure what information you've got to provide to get one, but I'd be really surprised if you needed, say, photo ID.
posted by IshmaelGraves at 5:25 PM on October 11, 2006


(I'm also fairly sure it's possible to plug a non-UNCW laptop into an ethernet connection and get a basic Net connection with no authentication — but I wouldn't swear to that.)
posted by IshmaelGraves at 5:29 PM on October 11, 2006


If I were you, I'd get a new email address. Then I'd head over to spamgourmet.com and generate a bunch of disposable addresses linked to my new address, for handing out to other people. As I handed them out, I'd register the people I handed them to as spamgourmet trusted senders. Bullshit harassment mailings would then have an implicit audit trail - I'd be able to find out which of my contacts had made my address available to the harasser - and would automatically get shut off after N mails.

If your harasser can't get at you via email, and isn't willing to risk more traceable methods of contact, problem solved.
posted by flabdablet at 6:15 PM on October 11, 2006


I'd say, from reading the two anonymous e-mails (admittedly cryptic), that your wife has been threatened. Whenever someone receives an anonymous e-mail warning of a "lynching," it's a threat. And then, the second e-mail, in which the person claims a kind of omniscient control over your (or your wife's) life, suggests that you are being observed without your knowledge, which, combined with the threat of the "lynching" e-mail, arguably takes this into the realm of at least threatened stalking (which, in its legal definition, usually requires some threat of violence, which is present here).

So, Zachery M, MSA, is an idiot, and he is failing you and the university by not acting on this. He is playing completely into the stalker's hand by saying, in effect, "no rules have been broken"; the stalker's cryptic phrasing, an obvious ploy to leave you unsettled, confused and vulnerable, has further succeeded in insulating the stalker from investigation.

Go to the police. And report Zachery M to the highest officials at your university, for his incompetence.
posted by jayder at 6:29 PM on October 11, 2006


Foetry Guy-

Now is the time to go to the police, like the man said. You should have done that straightaway, seeing all the details here. Why waste time tangling with some self-important IT department functionary if you believe there's a real threat to your or your wife's safety?

Don't bother following through with the other threats you made - proving a point not nearly as important as ensuring your safety. And, while I understand you're upset at the moment (I would be too), the tone of your message to the university administration makes you sound hysterical, and will probably just put them on the defensive. Hell, it's making -me- feel defensive.

Jayder-

I'll grant you that Security Officer M, MSA, is probably straight-up wrong in claiming that these emails didn't violate policy - any reasonable terms of service for network use will have clauses about harassing or threating behavior. He's probably just covering his ass now that Foetry Guy has threatened to go nuclear.

That said, it's not his responsibility or even his right to 'act on this'. He's not the police, and luckily he's not some sort of fucking internet vigilante. Even if he had it I'm sure he's not empowered to relay the name of the offending user to anyone -but- the police. Doing so would open him and the university up to lawsuits regarding violation of privacy, plus the consequences of whatever the submitter does with the information (slander? pre-emptive violence?)... Security Officer M would get himself shitcanned instantly, and rightly so.
posted by a young man in spats at 7:15 PM on October 11, 2006


There's more hurdles than you realize to this process.

1) Universities, especially large ones, are incredibly decentralized. Security and logging policies, as well as practices, vary wildly from school to school and from department to department. Even a top level networking guy may have very little control over what actually happens.

2) If these were public or staff machines that were compromised (very common, as universities are delicious, juicy targets to hackers), the magical username/login/ID wouldn't be on there. That computer can be just a waystation.

3) As previously mentioned, many institutions, particularly libraries, log as little as possible to avoid Patriot Act record grabs and Hollywood lawyers looking for downloads.

4) Logs are not kept forever and ever. I know a bunch of places that don't even log DHCP leases, much less hang onto them.

5) The administrator may suspect that you're trying to social engineer him for information you shouldn't have - after all, it's trivially easy for you to, say, want to find out who was on IRC from those IP addresses, then forge emails and "forward" them to him or her.

6) Plenty of places in a conglomerate network like a university using Network Address Translation to conserve IP addresses - that one IP you see might be a dozen or more machines.

7) A lot of labs have guest accounts.

These are just the immediate problems that come to mind. Might not be incompetent at all. They've got an entire class B subnet, from my immediate investigation. It's not like they've got five computers and one of them is the network logger.
posted by adipocere at 7:30 PM on October 11, 2006


young man in spats --

luckily he's not some sort of fucking internet vigilante

I'm not asking Zachery to be a vigilante, just to do his job and identify who sent the harassing e-mails.
posted by jayder at 7:33 PM on October 11, 2006


Were I Mr. M, I would not give you iota one of personal information. You are not entitled to it, even if an offense has been committed under the university's rules, merely by asking for it.

Were I a police officer and I thought that you were being threatened, and I was able to get information about this person, I would not provide it to you. I would conduct my own investigation. You might not learn the person's name from me until and unless he or she was charged.

Were I the chancellor of the university and a court ordered me to divulge information about a student or employee, I would ask my legal team to ensure that this information is held voir dire.

No matter what you do, I suspect that you will never learn the idenity of the person that may be harassing you.

And making threats to go to the media, as you have done, virtually guarantees that you will be stonewalled forever.

You need to rotate your contact info. Pick several e-mail addresses. Give those addresses to your contacts, but only give each person one contact. If you keep getting harassive e-mail, then you know that one of those people is the harasser. Then repeat the process. Eventually, you will narrow it down to the culprit.

Or you'll never hear from him or her again. Either result is a win.
posted by solid-one-love at 7:44 PM on October 11, 2006 [1 favorite]


solid-one-love --

Heck, why stop there --- why not hold the identity of the person "voir dire" (that's funny) until they are CONVICTED of a crime?
posted by jayder at 8:09 PM on October 11, 2006


Is it not voir dire? A hearing before a trial where the judge determines whether evidence is admissible? I don't know the legalese.

Anyway. Happens all the time that privileged info revealed to a court is not made available outside the court before a trial begins, including to one or more parties of the case. So, you may ask the cops to investigate. They may get a warrant to get the guy's name. The DA may take this to a judge for a hearing. You may not learn the name at any point, because the university may fight to keep that information privileged until a judge orders an actual trial.

You're being pretty combative. This will not serve you in getting help, here or legally. As I said, threatening the university with media attention virtually guarantees that you will be stonewalled at every turn.
posted by solid-one-love at 9:08 PM on October 11, 2006


Per wikipedia: "Voir dire (IPA /vwaɻ diɻ/) is a phrase in law which derives from Middle French; in modern English it is interpreted to mean "speak the truth" and generally refers to the process by which prospective jurors are questioned about their backgrounds and potential biases before being invited to sit on a jury."

Of course, once a charge is made, the name becomes public record.

As for being combative, are you referring to the OP, or to Jayder?

The OP hasn't posted since he outed himself. Perhaps his wasn't the best method of eliciting information, but he seems to have felt that his family was threatened and that he was getting the run around. Frustration makes people somewhat impatient.
posted by Meep! Eek! at 9:51 PM on October 11, 2006


Ah, I wasn't paying due attention to who was who. I thought jayder was the poster, from his comment of "I'm not asking Zachery to be a vigilante, just to do his job and identify who sent the harassing e-mails," because nobody except the poster is actually asking Zachery to do his job.

As per Wikipedia, "Voir dire may also be a special hearing where a judge decides whether evidence can be presented at trial. It is a trial within a trial, where the victim may be called to testify."

So we're both right.
posted by solid-one-love at 10:11 PM on October 11, 2006


I'd consider asking Matt or Jessamyn to edit the names out here - unless they're false, of course, but...
posted by handee at 12:57 AM on October 12, 2006


Mod note: a few comments removed and I edited out the names - please do not use AskMe to include names/phone numbers of people you are having a dispute with
posted by jessamyn (staff) at 5:43 AM on October 12, 2006


They may think you're overstating the situation, or that the threats aren't as specific as they actually are. When I first read your question, I thought you were getting spam-type emails, similar to "Is your refridgerator running??" prank phone calls. (ie. annoying, but ultimatly harmless) Clearly the excerpts you posted here are far worse. Your note to the school didn't really say anything about the content of the emails, but if they saw the threats of lynching & stalker-ish language, they may be more likely to act...especially since your wife is a former prof. If you told Zachary about the specifics of the emails and this was his response, I would be much more upset with his inaction.

On the other hand, they probably won't release the name of the person responsible to you without really good reason -- maybe something like what jzb worked out would go over better: they find the person responsible, and pass along a message to them or their parents. (I don't know how to link to comments yet...sorry. It's way up top though.) Many colleges prefer to handle things internally, releasing the least amount of info possible.

I would suggest writing a follow up email, with some excerpts of the threats. If they still say they can't/won't do anything, definately take it to the police. They may give your the run-around because this is internet-based, but it's still threatening & perhaps (IANAL) stalking, so it's in someone's jurisdiction. (obviously if any lawyers say providing them with excerpts of the emails is a bad idea, listen to them instead of me)
posted by good for you! at 6:15 AM on October 12, 2006


« Older roadtrip!   |   GameCube kids games? Newer »
This thread is closed to new comments.