From owner-freebsd-net@freebsd.org  Thu Mar 22 17:32:48 2018
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DAF27F59CD2
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Thu, 22 Mar 2018 17:32:48 +0000 (UTC)
 (envelope-from rfg@tristatelogic.com)
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com
 [69.62.255.118])
 by mx1.freebsd.org (Postfix) with ESMTP id 7577D8104F
 for <freebsd-net@freebsd.org>; Thu, 22 Mar 2018 17:32:48 +0000 (UTC)
 (envelope-from rfg@tristatelogic.com)
Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1])
 by segfault.tristatelogic.com (Postfix) with ESMTP id 95B993AE87
 for <freebsd-net@freebsd.org>; Thu, 22 Mar 2018 10:32:47 -0700 (PDT)
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: Same host or different? How can you tell "over the wire"?
In-Reply-To: <201803220250.w2M2owMf024292@pdx.rh.CN85.dnsmgr.net>
Date: Thu, 22 Mar 2018 10:32:47 -0700
Message-ID: <9754.1521739967@segfault.tristatelogic.com>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 17:32:49 -0000


In message <201803220250.w2M2owMf024292@pdx.rh.CN85.dnsmgr.net>, 
"Rodney W. Grimes" <freebsd-rwg@pdx.rh.CN85.dnsmgr.net> wrote:

>You are not going to prove the "control of the exact same Bad Actor"
>without a warrant to search and seize.

Well, as someone else noted, if two IP addresses yield the exact same
SSH key, that is fairly definitive.

If I planned to be going into a court of law, then yes, a warrant
would be both appropriate and required.  But going into court is
not among my goals.

>> >What you ask I believe could be done, but it non trivial and
>> >would require a very good understanding of both forensics
>> >and the differing ways that TCP/IP is implemented.
>> 
>> I like to think that I am a quick learner.  Please proceed with the
>> lesson.
>
>The rates for lessons in Forensics start at reasonable enough
>amounts, you can contact me off list if you wish to persue that.

Thanks for your support.  As i am doing what I am doing on a volunteer
(unpaid) basis, I'm afraid that I will not be able to take you up on
your generous offer.