Tuesday, March 8, 2011

Wardriving Spartacus

[For those joining recently, "Spartacus" here is a byword for anonymity issues.  See this post, or the anonymity label for more background.]


I was going to respond directly to a comment on the previous post, but thought I'd do a proper post since it ties in to one of the main themes here.

An anonymous comment (of course) signed "Anli" says:
I like the "Use your router's "MAC cloning" feature". Wouldn't it be nice to have the database of MAC addresses per location? [This would be analogous to a reverse phone directory.  Databases of location per address are widely available.  Inverting one is left as an exercise. -- D.H.]

Oh, well random 48 bits are fine... 
It should be less than 48 if you want to narrow it to a suitable manufacturer...
I started to reply:
Random bits will be fine until the next time the car comes by.  The system will then say, "hmm, don't know this one, let's add it at this location."
All this on a per-database basis.  Skyhook might add you at a different time from Apple, etc.  So yeah, what you want is a database of ...
And then I realized what you really want is a MAC address that's known to be associated with a lot of locations, all over the world, because this is a basic anonymity problem, though with a twist.  It's a basic anonymity problem because the more different locations are associated with your MAC address, that is, the more places you could be, that is, the larger your anonymity set, the less you can be pinned down.

The twist here is that it's very easy to tell if a router at some particular location has the particular MAC address.  By contrast, in the similar-but-different scenario of using an anonymizer and trying to hide what IP address you're connecting from, we can assume that The Man can tell who's connecting to nodes that are also providing anonymity, but that takes a bit of work -- packet sniffing, etc., and then all they have is a circumstantial case, though perhaps a fairly strong one, that you're participating in or using an anonymizer.

In the case of a wireless router, anyone with $100 worth of parts -- probably quite a bit less, I haven't looked lately -- can tell for sure that there is a router with a given MAC address at a given location.  If The Man in your part of the world has made it a crime to spoof someone's MAC address, then you can probably expect a knock on the door.

But then, in such a case you probably don't have location services enabled anyway, so why would you be spoofing someone's MAC address?  Likewise, your MAC is unlikely to be in, say, Apple's database, though it will most assuredly be in The Man's.

It's also worth noting that a laptop or phone that's trying to establish its location doesn't need to actually connect to a given wireless router.  It just has to detect packets from it, that is, be within range.  As mentioned previously, the MAC address has to be in the clear for the protocols to work [meaning that you can use WiFi routers to establish your own location without announcing that you're doing it --D.H. Sep 2015].
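
The reasoning above (a random MAC is simply added at the next survey pass, a MAC seen in many places has a larger anonymity set, and a device can fix its position just by hearing routers) can be modelled in a few lines.  This is an added example, not code from the original post or from any location provider; the class and method names, the three-decimal location cells, the power weighting and all MAC addresses and coordinates are constructed assumptions.

```python
from collections import defaultdict

class BssidLocationDb:
    """Toy model of ONE provider's BSSID -> location table (hypothetical)."""

    def __init__(self):
        self.sightings = defaultdict(set)  # bssid -> {(lat, lon) cell, ...}

    def survey(self, bssid, lat, lon):
        # A survey pass hears a beacon; an unknown BSSID is simply added here.
        self.sightings[bssid.lower()].add((round(lat, 3), round(lon, 3)))

    def anonymity_set(self, bssid):
        # Distinct places this BSSID could be, as far as this database knows.
        return len(self.sightings.get(bssid.lower(), ()))

    def locate(self, heard):
        """Passive fix from {bssid: rssi_dbm}; no association with any router.

        Uses only BSSIDs pinned to exactly one place, weighted by linear power.
        """
        lat = lon = total = 0.0
        for bssid, rssi in heard.items():
            cells = self.sightings.get(bssid.lower(), ())
            if len(cells) != 1:
                continue  # unknown or ambiguous BSSID carries no information
            (clat, clon), = cells
            w = 10 ** (rssi / 10)
            lat, lon, total = lat + w * clat, lon + w * clon, total + w
        return (lat / total, lon / total) if total else None


def demo():
    db = BssidLocationDb()
    home, neighbour = "00:00:5E:00:53:01", "00:00:5E:00:53:02"  # constructed
    fresh, shared = "02:00:00:12:34:56", "00:00:5E:00:53:FF"    # constructed
    db.survey(home, 47.600, -122.330)
    db.survey(neighbour, 47.602, -122.330)
    before = db.anonymity_set(fresh)          # random MAC, not yet surveyed
    db.survey(fresh, 47.600, -122.330)        # "the next time the car comes by"
    after = db.anonymity_set(fresh)
    for lat, lon in [(47.600, -122.330), (51.507, -0.128), (35.681, 139.767)]:
        db.survey(shared, lat, lon)           # one MAC seen in three cities
    fix = db.locate({home: -60, neighbour: -60, shared: -40})
    return before, after, db.anonymity_set(shared), fix


if __name__ == "__main__":
    print(demo())
```

In this model the freshly randomized MAC is pinned to a single place after one survey pass, while the MAC seen in three cities is skipped by the lookup because it no longer identifies one location.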

Summary: If you own a wireless router, expect its location to be known and widely available.  That's not theory.  People do it.

How much of a concern is this, really?  Next post ...

2 comments:

earl said...

It wasn't really that long ago that we paid for everything with checks, and the vendor would want to see your driver's license, and he'd write the number on the check. So to save time and trouble, we would just have our driver's license number printed on our checks. In those days (and, no, it really wasn't that long ago) your driver's license number in many states was your social security number. So we went all over town passing out pieces of paper with our names, addresses, bank account numbers and social security numbers, often to people we'd never met, and we never thought a thing about it, and I have yet to hear of any catastrophe resulting from this practice.

Today we are told to guard our social security numbers and account numbers as though they were our first born.

What has changed is the ability of The Man, A Man, or J. Random High School Kid with too much time on his hands to sort through and make use of thumping great amounts of information. We were anonymous enough then because no one was bothering to look for us. Now we have to hide because looking for us is too easy.

David Hull said...

This is getting directly into what I wanted to address in the next post, but now I need to chew it over a bit more.