15 votes

Georgia sixth-grade student challenges school suspension over "Zoom bombing" allegations

8 comments

  1. [7]
    spit-evil-olive-tips

    tl;dr - some people "Zoom bombed" an online class. School asked Zoom for the IP addresses of everyone involved. This kid shared an IP address with the trolls, so the school suspended him for three months (effectively an expulsion for the rest of the school year)

    The school district retrieved from Zoom a list of the names and IP addresses in each waiting room, Malachi’s legal team said. The Zoom bombers’ public IP addresses matched Malachi’s — but four other students who did not appear to be Zoom bombers were also listed as having Malachi’s public IP address, an impossibility since they were not in the same house, said Scott Moulton, a Woodstock-based forensics expert hired by the attorney working on Malachi’s case.

    A discussion thread on HN suggested what seems to me to be a likely explanation - this kid, as well as the actual trolls, may have been behind carrier-grade NAT, which would have made their IP addresses all appear to be the same from Zoom's perspective.

    Chris Gilliard, a fellow with the Technology and Social Change Project of the Harvard Kennedy School Shorenstein Center on Media, Politics and Public Policy, had not heard of a situation similar to Malachi’s but said “it’s hugely unlikely that this is the first time” a student had been disciplined based on questionable data from Zoom.

    11 votes
    1. [5]
      kfwyre

      The Zoom bombers’ public IP addresses matched Malachi’s — but four other students who did not appear to be Zoom bombers were also listed as having Malachi’s public IP address

      So, I don't have a thorough understanding of the nature of IP addresses, but in an instance where there is a collision, how can it be determined that it's "his" IP address rather than "an" IP address that points equally to multiple people? If that's the smoking gun here, then it seems like there should be other students suspended as well.

      the school suspended him for three months (effectively an expulsion for the rest of the school year)

      Yup. This is flagrantly, egregiously punitive. It's also likely to come back and bite the district in the ass. Denying a student their right to an education in the US, especially for such a long time, is a BIG deal.

      11 votes
      1. [3]
        spit-evil-olive-tips
        • Exemplary

        I don't have a thorough understanding of the nature of IP addresses

        For background:

        The original idea, way back in the ~1970s, was that every device on the internet has a unique IP address. There were 4 billion possible IP addresses, which at the time was obviously going to be enough for every internet device to have one...

        And of course that didn't work, so NAT was born. Your internet router at home uses NAT, as does mine, as does virtually everyone else's. It's an essential part of how the modern internet works.

        The idea with NAT is that your upstream ISP only has to give you one IP address, regardless of how many devices you have at home. Your router uses that IP address. Then, for each device on your home network, your router gives it a private IP address, which is only valid on your own home network. There are addresses set aside for this purpose that are required to never be used on the "public" internet, only the private side of your home network. This means they can be re-used - for example, your laptop in your house and my laptop at my house might both have a private IP of 192.168.1.100. That address reuse is fine, because both addresses are only valid within our respective home networks, and there's no collision. If I brought my laptop over to your house, your router would assign it a different IP address, in order to prevent the two private IPs from colliding.

        Then, your router keeps track of which device on its private network is talking to which addresses on the public internet. When you open google.com in your browser, your router forwards that request on to Google's servers, and also remembers that it was your device that made the request. Then, Google's response comes back, and it's simply addressed to the public IP your router has. Your router remembers that it was your laptop that made that request, so it knows to forward the response to your laptop, rather than some other device on your home network. This is the "translation" in Network Address Translation.

        The upshot of all this is that if you're Zoom, or Google, or Netflix, or any other company running internet services, you tend to see one IP address per household rather than one IP address per device in that household.

        (this is all describing IPv4, the current version in use across the majority of the internet, and the vast majority of home internet routers. IPv6 solves this problem by using 128-bit addresses instead of 32-bit ones, which makes them effectively unlimited and allows for "each device gets a unique public address" again. But IPv6 adoption has been glacially slow)

        So that's "normal" NAT. It kicked the can of "too few IPv4 addresses" down the road by moving from "one public IP address per device" to "one public IP address per household".

        But naturally, "one IP address per household" didn't really solve the problem of running out of 4 billion IP addresses. So they came up with carrier-grade NAT. That adds a second layer of NAT, one step upstream at the ISP level.

        With CGNAT, an ISP assigns a single public IP address to a large group of subscribers. They might do this at the neighborhood level, for example. That means each home network router still does its own NAT, but not with a full public IP address as before. Now it's a special private CGNAT address, and the CGNAT hardware run by the ISP does a 2nd level of NAT translation before it hits the public internet.

        With CGNAT in play, internet services like Zoom no longer see one IP per household, they see one IP address per neighborhood (or whatever other grouping the ISP decides to use). This breaks all sorts of assumptions, like "you can get a troll's IP address, and ban them based on that IP". With NAT alone, you're also banning everyone else in that household, which is a reasonable amount of collateral damage, because you don't want the troll to be able to just switch to a different device on their home network.

        When CGNAT is in play, the collateral damage of banning a single troll's IP address (or turning it over to law enforcement, as happened here) implicates an unknown number of other customers of that ISP.

        12 votes
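The two layers of translation described in the comment above, as an added runnable model (example code, not from the thread or from any ISP or Zoom). Every address, household and device in it is a constructed sample value: three homes that each reuse 192.168.1.0/24 behind their own router, an ISP that puts all of them behind a single public IP using RFC 6598 shared space (100.64.0.0/10) for the middle layer, and a "server" that only ever sees the outside of the second NAT. The point it makes is the one the comment makes: from the public IP alone, the best a service can do is name the whole group of households, and only the NAT boxes' own translation tables (with the port number) can walk a flow back to one device.

```python
"""NAT and carrier-grade NAT (CGNAT) address sharing, as a runnable model.

Added example; all addresses, households and devices are constructed.
"""
import ipaddress
from itertools import count

# Blocks that never route on the public internet (assumed facts: RFC 1918
# private space plus RFC 6598 shared space, which is reserved for CGNAT).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_private(addr):
    """True if addr is only meaningful inside a private or CGNAT network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Nat:
    """Port-overloading NAT: many inside (ip, port) pairs share one outside IP."""

    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self.out_table = {}   # (inside_ip, inside_port) -> outside_port
        self.in_table = {}    # outside_port -> (inside_ip, inside_port)
        self._ports = count(first_port)

    def outbound(self, inside_ip, inside_port):
        """Translate a packet leaving the network; create a mapping on first use."""
        key = (inside_ip, inside_port)
        if key not in self.out_table:
            port = next(self._ports)
            self.out_table[key] = port
            self.in_table[port] = key
        return self.outside_ip, self.out_table[key]

    def inbound(self, outside_port):
        """Translate a reply; a KeyError means no mapping exists and it is dropped."""
        return self.in_table[outside_port]


class Household:
    """A home LAN behind its own router NAT; .1 is the router, devices follow."""

    def __init__(self, name, lan, router_outside_ip):
        self.name = name
        hosts = ipaddress.ip_network(lan).hosts()
        self.router_ip = str(next(hosts))
        self._free = hosts
        self.router = Nat(router_outside_ip)
        self.devices = {}                          # label -> private IP

    def add_device(self, label):
        self.devices[label] = str(next(self._free))
        return self.devices[label]


class Isp:
    """An ISP doing CGNAT: one public IP shared by every household it connects."""

    def __init__(self, public_ip):
        self.cgnat = Nat(public_ip, first_port=10000)
        self.households = {}                       # CGNAT-side IP -> Household
        self._pool = ipaddress.ip_network("100.64.0.0/24").hosts()

    def connect(self, name, lan):
        hh = Household(name, lan, str(next(self._pool)))
        self.households[hh.router.outside_ip] = hh
        return hh

    def send(self, household, device, src_port=50000):
        """Trace one outbound flow through both NAT layers; return what the server sees."""
        mid_ip, mid_port = household.router.outbound(household.devices[device], src_port)
        return self.cgnat.outbound(mid_ip, mid_port)

    def trace_reply(self, public_port):
        """What the server cannot do alone: walk both tables back to one device."""
        mid_ip, mid_port = self.cgnat.inbound(public_port)
        hh = self.households[mid_ip]
        dev_ip, _ = hh.router.inbound(mid_port)
        label = next(k for k, v in hh.devices.items() if v == dev_ip)
        return hh.name, label, dev_ip

    def households_behind(self, public_ip):
        """Everything a service can infer from the public IP alone."""
        if public_ip != self.cgnat.outside_ip:
            return set()
        return {hh.name for hh in self.households.values()}


def demo():
    """Three households, five devices, one public IP; returns (isp, server's view)."""
    isp = Isp("203.0.113.7")                        # constructed public IP
    seen = {}
    for name, devs in (("house_A", ("laptop", "phone")),
                       ("house_B", ("laptop",)),
                       ("house_C", ("desktop", "tablet"))):
        hh = isp.connect(name, "192.168.1.0/24")   # every home may reuse the same LAN
        for d in devs:
            hh.add_device(d)
            seen[(name, d)] = isp.send(hh, d)      # same source port on every device
    return isp, seen


if __name__ == "__main__":
    isp, seen = demo()
    for (house, dev), (ip, port) in seen.items():
        print(f"{house}/{dev:8} -> server sees {ip}:{port}")
    print("behind", isp.cgnat.outside_ip, "=", isp.households_behind(isp.cgnat.outside_ip))
```

Run it and every device prints the same public IP with only the port differing; `households_behind` returns all three homes for that IP, while `trace_reply` needs both NAT tables (the ISP's and the household router's) to get back to one device. That is also why a request to an ISP for "who had this IP" is only answerable when it carries the source port and timestamp as well, and only while the mapping was still logged.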
        1. [2]
          kfwyre

          This is so wonderfully informative and well-explained. Thank you for taking the time to type it out! You have a gift for being able to communicate technical information in accessible ways.

          Based on what you’re saying (and please correct me if I’m wrong in this), it sounds like when NAT has multiple users/devices sharing an IP address, the address doesn’t “belong” to one of those specifically but identifies each of them equally? Or, in a real world situation: if a friend comes over and hops on my wireless network, our external IP addresses would be identical and would not be able to be used to identify me as the “primary” user on that address?

          3 votes
          1. spit-evil-olive-tips
            • Exemplary

            it sounds like when NAT has multiple users/devices sharing an IP address, the address doesn’t “belong” to one of those specifically but identifies each of them equally?

            In the strictest technical sense, it doesn't belong to either one - it belongs to the router, and only the router. Your laptop and your friend's laptop both get different private IPs, and they don't actually know what their publicly visible IP address is.

            For example, here's what the desktop I'm typing this on knows about its internet connection:

            $ ip addr show enp4s0
            2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
                link/ether 04:d4:c4:48:50:02 brd ff:ff:ff:ff:ff:ff
                inet 192.168.40.100/24 brd 192.168.40.255 scope global dynamic noprefixroute enp4s0
                   valid_lft 2485sec preferred_lft 2035sec
                inet6 fe80::bb4f:f160:40ad:918/64 scope link 
                   valid_lft forever preferred_lft forever
            $ ip route show
            default via 192.168.40.1 dev enp4s0 proto dhcp src 192.168.40.100 metric 202 
            192.168.40.0/24 dev enp4s0 proto dhcp scope link src 192.168.40.100 metric 202

            I have a private IP address of 192.168.40.100, and DHCP (the protocol my router runs that automatically assigned me that address) also told me to send all my internet traffic through 192.168.40.1, which is the IP address of my router on my private home network.

            My desktop doesn't know or care what its upstream internet connection is. It just sends data on to my router, which is smart enough to send it upstream, and make sure the results come back to my desktop.

            Meanwhile, since my router is a cute little Linux box, I can log in to it and look at the exact same info (this has large chunks removed, both because I have advanced network configuration that's not relevant here, and to redact my public IP as a security precaution):

            $ ip addr show
            ...
            4: switch0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
                link/ether 04:18:d6:c3:b5:24 brd ff:ff:ff:ff:ff:ff
                inet 192.168.40.1/24 brd 192.168.40.255 scope global switch0
                   valid_lft forever preferred_lft forever
            ...
            17: pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 100
                link/ppp 
                inet <REDACTED1> peer <REDACTED2>/32 scope global pppoe0
                   valid_lft forever preferred_lft forever
            $ ip route show
            default dev pppoe0 scope link 
            <REDACTED2> dev pppoe0 proto kernel scope link src <REDACTED1>
            <REDACTED1> dev pppoe0 proto kernel scope link 
            192.168.40.0/24 dev switch0 proto kernel scope link src 192.168.40.1 

            Notice I have no concern, security or privacy-wise, about disclosing the private IPs of my desktop or my router. There's nothing a malicious party can do with that information, because those addresses are only meaningful if you're already connected to my home network. Trying to connect to them over the internet would be like trying to mail a letter simply addressed to "apartment 203". The post office will return that to sender or discard it, because it's not a deliverable address.

            (disclosing my public-facing IP would almost certainly be safe - by the nature of the internet, every website or service you use knows your IP otherwise they couldn't send you back the webpages or whatever else you asked for, so it's very-nearly-public information. I just excised it here out of a general caution)

            Or, in a real world situation: if a friend comes over and hops on my wireless network, our external IP addresses would be identical and would not be able to be used to identify me as the “primary” user on that address?

            ...but in this broader sense of what you're asking, correct. If you load Tildes on your laptop, logged in to your account, and your friend does the same with their laptop & account, the server-side logs available to Deimos would list the exact same source IP. They might differ in other ways, for example the User Agents might be different if you and your friend were running different browsers or operating systems. But that's part of HTTP, which is a higher-level protocol that runs on top of IP.

            6 votes
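The server-side view described just above (same source IP in the logs, differing User-Agent headers), as an added example that is not part of the thread and not Tildes' own code. The log lines are constructed in Combined Log Format with an authenticated-user field; the accounts, addresses and browsers are invented. It groups requests by source IP and flags any address behind which more than one account or browser was active, which is the check an operator can run before treating an IP as if it named one person.

```python
"""Reading access logs for a shared source IP.

Added example with constructed log lines; not real Tildes or Zoom data.
"""
import re
from collections import defaultdict

# Two accounts on two browsers from 203.0.113.7 (a NAT'd household), one
# account from 198.51.100.23. Both are documentation-range addresses.
SAMPLE_LOG = """\
203.0.113.7 - alice [12/Jun/2020:14:02:11 +0000] "GET /~tech HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/77.0"
203.0.113.7 - bob [12/Jun/2020:14:02:19 +0000] "GET /~tech HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15"
203.0.113.7 - alice [12/Jun/2020:14:03:40 +0000] "POST /comment HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/77.0"
198.51.100.23 - carol [12/Jun/2020:14:04:02 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/83.0"
"""

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def profile_by_ip(records):
    """Collect, per source IP, the distinct accounts and user agents and a hit count."""
    prof = defaultdict(lambda: {"users": set(), "agents": set(), "hits": 0})
    for r in records:
        p = prof[r["ip"]]
        p["users"].add(r["user"])
        p["agents"].add(r["ua"])
        p["hits"] += 1
    return dict(prof)


def shared_addresses(profile):
    """IPs behind which more than one account or more than one browser was active."""
    return {ip: p for ip, p in profile.items()
            if len(p["users"]) > 1 or len(p["agents"]) > 1}


def single_identity_seen(profile, ip):
    """True only when exactly one account and one user agent were seen from ip.

    Even then the IP may be shared (NAT hides idle devices); False means it
    demonstrably is, so the IP alone cannot be pinned on one person.
    """
    p = profile.get(ip)
    return p is not None and len(p["users"]) == 1 and len(p["agents"]) == 1


if __name__ == "__main__":
    prof = profile_by_ip(parse(SAMPLE_LOG))
    for ip, p in shared_addresses(prof).items():
        print(f"{ip}: {len(p['users'])} accounts, {len(p['agents'])} user agents, "
              f"{p['hits']} hits -> shared address, not an identifier")
```

In the sample, 203.0.113.7 carries two accounts and two user agents, so it is reported as shared; the Zoom waiting-room list in the article, with five students on one public IP, would have tripped the same check.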
      2. Octofox

        how can it be determined that it's "his" IP address rather than "an" IP address that points equally to multiple people?

        The whole thing is pretty dubious. From the article:

        but four other students who did not appear to be Zoom bombers were also listed as having Malachi’s public IP address, an impossibility since they were not in the same house

        That should have been the end of it. There is more than enough doubt in the system that it shouldn't be trusted but schools aren't exactly known for their bulletproof decision making processes.

        10 votes
    2. JXM

      “it’s hugely unlikely that this is the first time” a student had been disciplined based on questionable data from Zoom.

      That seems like a mischaracterization. It takes the blame off of the school and places it on Zoom. The data that Zoom gave to the school was accurate. The school just didn't bother to do the work to find out that an IP address is not a reliable way to uniquely identify someone.

      5 votes
  2. JXM

    Given the facts in this article, it is pretty clear that this kid did nothing wrong and that the school district just flat out misunderstands how technology works. They reacted rashly without figuring out the whole story and Malachi was thrown under the bus.

    At this point, they should just own up to the mistake, offer the kid an apology, and let him come back to school.

    And that's not even getting into the fact that a three-month suspension is absolutely ridiculous for this.

    10 votes