From: "Rodney W. Grimes" <rgrimes@freebsd.org>
Subject: Re: Same host or different? How can you tell "over the wire"?
To: "Ronald F. Guilmette"
CC: FreeBSD Net <freebsd-net@freebsd.org>
Date: Thu, 22 Mar 2018 11:56:27 -0700 (PDT)
Message-Id: <201803221856.w2MIuRjH027692@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <9754.1521739967@segfault.tristatelogic.com>
List-Id: Networking and TCP/IP with FreeBSD

> > In message <201803220250.w2M2owMf024292@pdx.rh.CN85.dnsmgr.net>,
> "Rodney W. Grimes" wrote:
>
> >You are not going to prove the "control of the exact same Bad Actor"
> >without a warrant to search and seize.
>
> Well, as someone else noted, if two IP addresses yield the exact same
> SSH key, that is fairly definitive.

Wrong; as someone else pointed out, that is simply a matter of copying
the /etc/ssh/*host* key files over to the other host. This also happens
when people clone machines, so it is actually more common than one might
think. You can be pretty sure they are different machines, but you cannot
ascertain that they are the same machine with this information. You can
assert nothing about control with this information. You can be pretty
sure they are under the same control, but it is not provable. Anyone with
elevated privilege access to A can copy the /etc/ssh/* files to A'.

> If I planned to be going into a court of law, then yes, a warrant
> would be both appropriate and required. But going into court is
> not among my goals.
>
> >> >What you ask I believe could be done, but it is non-trivial and
> >> >would require a very good understanding of both forensics
> >> >and the differing ways that TCP/IP is implemented.
> >>
> >> I like to think that I am a quick learner. Please proceed with the
> >> lesson.
> >
> >The rates for lessons in Forensics start at reasonable enough
> >amounts; you can contact me off list if you wish to pursue that.
>
> Thanks for your support. As I am doing what I am doing on a volunteer
> (unpaid) basis, I'm afraid that I will not be able to take you up on
> your generous offer.

-- 
Rod Grimes                                                 rgrimes@freebsd.org
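The point Rod makes above, that two addresses presenting the same SSH host key tells you the key material was copied (cloned VMs, copied /etc/ssh files) and not that they are one machine, is the basis of a routine fleet check. The following is an added example, not code from the thread: it groups ssh-keyscan(1)-style lines by OpenSSH SHA256 fingerprint so an operator can spot hosts sharing a key; the sample lines and the 192.0.2.x addresses are constructed here, and the key bodies are synthetic bytes in SSH wire format rather than real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def make_keyscan_line(host: str, seed: int) -> str:
    """Construct an ssh-keyscan(1)-style line for a hypothetical host.
    Hosts built from the same seed carry byte-identical keys, as clones do."""
    body = hashlib.sha256(b"constructed-host-key-%d" % seed).digest()
    # SSH wire format: uint32 length-prefixed key type, then the key body.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + body
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def group_hosts_by_key(lines):
    """Map (keytype, fingerprint) to the hosts that presented that key.
    Input lines follow ssh-keyscan output: '<host> <keytype> <base64 blob>';
    comment and malformed lines are skipped."""
    groups = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, blob = parts[:3]
        groups[(keytype, fingerprint(blob))].append(host)
    return dict(groups)

def shared_keys(lines):
    """Only the keys presented by more than one host: candidates for clones
    or copied /etc/ssh host key files, not proof of a single machine."""
    return {k: h for k, h in group_hosts_by_key(lines).items() if len(h) > 1}

# Constructed inventory (RFC 5737 documentation addresses): .10 and .11
# share key material as a cloned machine would; .12 has its own key.
SAMPLE = [
    "# ssh-keyscan output, constructed for this example",
    make_keyscan_line("192.0.2.10", 1),
    make_keyscan_line("192.0.2.11", 1),
    make_keyscan_line("192.0.2.12", 2),
]

if __name__ == "__main__":
    for (keytype, fp), hosts in shared_keys(SAMPLE).items():
        print(f"{fp} ({keytype}) presented by {', '.join(hosts)}")
```

A shared fingerprint flags hosts to investigate for cloning or copied key files; as the message says, it says nothing by itself about who controls them.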