Tracking Protection In Wi-Fi Networks Coming Soon To Linux
prisoninmate writes: Fedora contributor and NetworkManager developer Lubomir Rintel explains how your devices are being identified on a network by a unique number that most of us know by the name of MAC address. Same goes for mobile networking, as your laptop's or mobile phone's MAC address is, in most cases, broadcast everywhere you go before you even attempt a connection to a wireless network. And that's a problem for your privacy. The solution? Randomization of the MAC address while scanning for Wi-Fi networks. Apple is already using this method on iOS 8 and later mobile operating systems, and so is Microsoft in Windows 10, so Linux users will ["likely"] get it in the upcoming NetworkManager 1.2 release.
Coming soon? Already there. (Score:1)
Turn it off. (Score:5, Funny)
I will say that the good part of this is the product managers now understand we can't track real people, which was never our intent, but was possible given the long-lived nature of MACs. I just wish they'd randomize in the middle of the night when charging.
Re:Turn it off. Why, what do we gain? (Score:1)
What do we gain, what makes it worth our while to let others track us?
Re: (Score:1)
As someone who has modeled pedestrian traffic, specifically for retail outlets - including stores. Well, you get things optimized and more easily found. Of course, you're routed through the store like cattle. Ever notice how almost everyone goes in the same direction and the people who don't go the "right" way get ugly looks. There's a reason for that but, alas, I'm too ill to explain it and, frankly, I don't like you that much.
Hmm... They said this Prednisone would make me grumpy. They're right. So, s
Re: (Score:2, Funny)
Hi, I am actually the CEO of the OP's company, let me clarify.
The difference between a CUSTOMER (which we track) and PEOPLE (which we do not), is that the latter has legal and human rights and is worthy of respect.
But the former is just a big ole walkin' talkin' sack with a dollar sign painted on it!
Well I don't know about you, but I'm not interested in tracking a bunch of "people" with rights and dignity! That's boring!
I'm after that big old fat sack of loot with a dollar sign painted on it!
Re: (Score:2)
The difference between a CUSTOMER (which we track) and PEOPLE (which we do not), is that the latter has legal and human rights and is worthy of respect.
Did you really just say that your customers have no legal and human rights and are not worthy of respect?
Ever read an EULA?
Re: (Score:1)
You're right out of your fucking mind. I was setting up tracking systems back when you were playing Nintendo - maybe PS. Probably not PS 2. You have enough unique identifiers to use those nifty cameras. It has about a 3% failure rate in 2008. I assume it has improved since I sold. Why do we track? Well, we want to put the best bargains in front of you. If enough people do not follow the "proper flow" then we redesign the layout.
Re: (Score:2)
Re: (Score:1)
Please don't. My company is building tools that help businesses understand their customers through WiFi. We're having to waste a lot of time building heuristics that determine whose MAC switched when they blip off and a new one randomly appears. We're barely off the ground with this stuff, now we're probably going to have to build new heuristics for Android devices.
How about if the businesses "understand" that their customers don't want to be fucking tracked?
Thank you.
Re: (Score:3)
> > their customers don't want to be fucking tracked?
> Except, that's not really true is it?
Apparently it is, because you posted AC, presumably because you don't want to be tracked.
And yes it is true, and no, the odds that anyone wants to be tracked by accidentally persistent MAC address are slim to none. Just because you put up 20 wifis and try to track me doesn't help me in any way. I'm not a user, I'm walking through an area without telling my phone to not use wifi. This is basic security.
And
Re: (Score:2)
I beg to differ. It would allow me to look at your posting history which would most likely tell me a lot about you.
Re: (Score:2)
> Nice bundling of independent unrelated items together to form what appears to be a cohesive argument.
My argument is as follows: You obviously understand the virtue of not being tracked, because you chose to post- TWICE- in a way to deny everyone your post history. This means that your argument is such swill that you don't even believe it for a fucking second, as evidenced by your OWN actions.
> Have you had a look at what google is tracking based on your location history on your Android device?
I ca
Re: (Score:2)
The default MAC is tied to the interface, but there's no reason it can't be changed in software...
Re: (Score:1)
Doesn't matter. If you don't defend yourself, you're barking up a tree without a paddle.
Re: (Score:3, Interesting)
Don't listen to murnues, above.
> My company is building tools that help businesses understand their customers through WiFi.
No, your company is building a tracker program by trying to make use of an oversight in the spec. In fact, shit like that is why this needs to happen, and why the lifespan of announced MACs needs to be short enough to render any information you may gather useless.
Did you pay for all those phones that the businesses customers are using? Like, do you own them? Or do they belong to p
Re: (Score:2)
It is your intent to track & analyse people.
Re: (Score:1)
Who gives a rat's ass about your company. Unless we own stock or getting kickbacks how is your problem any of our concern other than you are trying to profit by tracking us. GFY
Re: (Score:2)
Doesn't demand for this feature kind of tell you that customers don't want to be understood through tracking their mobile devices? What do they get out of allowing it to happen?
Have you considered sweetening the deal? Offer them a discount or cash in return for connecting to your wifi hotspot to download a coupon. Or just pivot and become a manufacturer of signs that say "we don't track you" and sell them to ethical businesses (admittedly a small market).
Re: (Score:2)
I think the assumption is that you can offer customers more useful discounts, but honestly I'd prefer the store be explicit and give me some way to provide direct feedback on the 'personalized' discounts. Things like "Oh, I loved seeing this pop up...except I couldn't wedge it into today's budget so it wasn't used" and "Why do you keep trying to sell me bacon did you not notice I only buy kosher/halal/veg* food?" would be useful feedback for the store, and short of somebody finding out what to browse while
Re: (Score:2)
While I have no sympathy for your plight, I have to admit genuine curiosity... what, exactly, did you expect as a reaction from Slashdot commenters to that request? " marnues says he needs this, so Linus, buddy, cancel that merge." ?
Re: (Score:2)
I think what you are trying to do is still do able. Just that the old game of getting identifiable information without giving anything is going away. And rightfully so, there have been too many businesses that have abused what is the equivalent of dumpster diving. Asking people not to shred their trash isn't going to go anywhere.
However, why not setup an intranet at each location. Provide people the ability to scan bar codes and get pricing information on the spot on their phone (Macys). Provide a layo
Go to war! (Score:2)
I don't like being tracked, so I randomize my MAC with Pry-Fi [google.com]. If you would be so kind to tell us who you work for, we can all enable the "Go to war!" mode to flood you with bogus MACs. Game?
whats? (Score:2)
Re: (Score:1)
Someone set up us the bomb.
Re:This will mess with DHCP reservation (Score:5, Informative)
This is automatically done when scanning for WiFi access points, which your phone or laptop or whatever is probably doing constantly. When you connect you use whatever MAC rules you normally have.
This is about not advertising your real MAC address to APs you have no intention of connecting to, so third parties (NSA and friends) can't scatter a bunch of APs around town to track your movements.
Re: (Score:1)
Re: (Score:1)
The solution? Randomization of the MAC address while scanning for Wi-Fi networks
Scanning only. It uses the real MAC address when connecting to a network.
Re: (Score:2)
Scanning only. It uses the real MAC address when connecting to a network.
No need for that on a public network, is there?
If this is a known network, connect using a 'real' MAC address. (Which doesn't need to be the hardware one, it just needs to be constant, so static IP assignment works). If this is an unknown network, just use a random MAC address - or else they'll track you.
When adding a network to your known list, it could give you the option to use the 'real' address, or continue to use a fake one.
IPv6 SLAAC without EUI-64 (Score:2)
The summary was maybe bit misleading
This is not actually about changing your MAC address, but using a different algorithm for IPv6 StateLess Address Auto Configuration than the EUI-64 method (which is "fe80::${MAC}").
This doesn't impact IPv4 DHCP or AP MAC address filters at all, and if your routers are configured to send the right router advertisements in response to IPv6 router solicitation, it will have no impact on DHCPv6.
Re: IPv6 SLAAC without EUI-64 (Score:2)
Sorry, eui-64 format for host identifier is roughly "${MAC:0:7}:ff:fe:${MAC:8:15}".
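A worked illustration of the two interface-identifier schemes the comments above contrast (EUI-64, which embeds the MAC in the address, versus RFC 7217 stable privacy identifiers, which do not), added here as an example; it is not code from NetworkManager or dhcpcd. The choice of HMAC-SHA256 as the RFC 7217 function F, the secret key, the interface name and the network identifier used below are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Added example, not NetworkManager/dhcpcd code.
# EUI-64 (RFC 4291 App. A): the 48-bit MAC is split in the middle, ff:fe is inserted,
# and the universal/local bit (0x02 of the first octet) is flipped. The MAC is
# therefore trivially recoverable from any SLAAC address built this way.
# RFC 7217: IID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key), so the
# address is stable per network but carries no hardware identifier and changes
# between networks.


def _mac_bytes(mac: str) -> bytes:
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return octets


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _prefix_bytes(prefix: str) -> bytes:
    # First 64 bits of the on-link prefix (e.g. "2001:db8::/64").
    return ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier derived from a MAC address."""
    m = _mac_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02  # flip the universal/local bit
    return bytes(iid)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 SLAAC address; None if it is not EUI-64 shaped.
    This is exactly what a tracker (or the EFF fingerprint demo) can do to you."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return fmt_mac(iid[:3] + iid[5:])


def rfc7217_interface_id(prefix: str, net_iface: str, network_id: str,
                         dad_counter: int, secret_key: bytes) -> bytes:
    """RFC 7217 section 5 stable-privacy IID. F is modelled as HMAC-SHA256 (an
    assumption; the RFC allows any suitable PRF) truncated to 64 bits."""
    msg = (_prefix_bytes(prefix) + net_iface.encode() + network_id.encode()
           + dad_counter.to_bytes(4, "big"))
    iid = hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]
    # RFC 7217 also requires skipping reserved IIDs (e.g. all zeros, the subnet
    # anycast range); a real implementation bumps dad_counter and retries.
    if iid == bytes(8):
        return rfc7217_interface_id(prefix, net_iface, network_id, dad_counter + 1, secret_key)
    return iid


def slaac_address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix and a 64-bit interface identifier into a full address."""
    return str(ipaddress.IPv6Address(_prefix_bytes(prefix) + iid))


if __name__ == "__main__":
    key = b"example-secret-key"  # assumption: a per-host secret generated once
    mac = "00:11:22:33:44:55"
    for pfx in ("2001:db8::/64", "2001:db8:1::/64"):
        print(pfx, "EUI-64:", slaac_address(pfx, eui64_interface_id(mac)),
              "-> leaks", mac_from_eui64_address(slaac_address(pfx, eui64_interface_id(mac))))
        print(pfx, "RFC7217:", slaac_address(pfx, rfc7217_interface_id(pfx, "wlan0", pfx, 0, key)))
```

Run it and compare the two EUI-64 lines: the host part is identical on both networks and decodes straight back to the MAC, while the RFC 7217 host part differs per prefix and reveals nothing about the hardware.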
Re: (Score:2)
dhcpcd (which also works on BSD) has had support for this (RFC7217) for almost a year now, but it's now news when NetworkManager (Linux only) gets it?
Re: (Score:2)
EDIT: over a year and a half .... can't read dates in my own source repo ...
Re: (Score:2)
dhcpcd (which also works on BSD) has had support for this (RFC7217) for almost a year now, but it's now news when NetworkManager (Linux only) gets it?
RFC7217 has been in NM for some time. The news regarding this is that it now is upstream default for IPv6 connections when using NM 1.2.
The other feature, that is the real news, is a kind of MAC randomization feature that uses the real HW MAC for connection, but "fake" MACs for scanning for APs. This is also default now.
NM can also randomize and spoof MACs like the decade-old GNU MAC Changer, but it isn't default since that may give problems with connecting to certain devices and services.
Re: (Score:2)
It doesn't, it relies on a 3rd party like wpa_supplicant or the kernel for that.
My initial reply to the parent was NOT about wlan discovery.
Re: (Score:3)
That is not how random MAC scanning works. The scanning is done with a random MAC, but actual traffic uses the real hardware MAC. Your MAC address based authentication is unaffected.
Real random MAC on public networks has not been implemented by any OS yet, AFAIK.
Re: (Score:3)
No, it's not at all useless. It may not be exactly as useful as YOU want, but it's absolutely useful.
Pretend your MAC address is some number, that I'll call Larry. Without this, just walking through an area can result in your machine saying "Larry here, what networks are around?" With this, every time he asks, he'll say "$RANDOM_NAME here, what networks are around?" This is good design, because you shouldn't have to leak information like a MAC just to see what's going on.
Now pretend you want to connect,
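The "Larry here, what networks are around?" exchange above is a probe request, and the heuristics the WiFi-analytics commenter earlier complained about having to build are heuristics over the source address of exactly these frames. The following is an added example (not code from NetworkManager, wpa_supplicant or any vendor) that builds and parses minimal 802.11 probe requests, checks whether a source address is a locally administered (i.e. software-assigned) one via bit 0x02 of the first octet, and shows what a MAC-based tracker counts with and without per-scan randomisation. The frames, SSIDs and MAC addresses are constructed for the example.

```python
import os
import struct
from collections import defaultdict
from typing import Dict, List, Optional

# Added example, not code from NetworkManager or wpa_supplicant.
# 802.11 management frame header (24 bytes, little-endian frame control):
#   frame control(2) duration(2) addr1/DA(6) addr2/SA(6) addr3/BSSID(6) seq(2)
# A probe request is type 0 (management), subtype 4, normally sent to the
# broadcast DA/BSSID with an SSID information element (ID 0) in the body.


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet is the IEEE 'locally administered' bit; a
    burned-in vendor MAC has it clear, a randomised one should set it."""
    return (int(mac.split(":")[0], 16) & 0x02) != 0


def random_scan_mac(raw: Optional[bytes] = None) -> str:
    """Generate a randomised scan MAC: set the locally administered bit and
    clear the multicast bit. `raw` lets callers supply the 6 random bytes."""
    b = bytearray(raw if raw is not None else os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return fmt_mac(b)


def build_probe_request(sa: str, ssid: str = "") -> bytes:
    """Constructed probe request from source `sa`; empty SSID = wildcard scan."""
    fc = (0 << 2) | (4 << 4)  # type 0 (management), subtype 4 (probe request)
    hdr = (struct.pack("<HH", fc, 0) + b"\xff" * 6
           + bytes.fromhex(sa.replace(":", "")) + b"\xff" * 6 + struct.pack("<H", 0))
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    return hdr + ssid_ie


def parse_80211_header(frame: bytes) -> dict:
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "da": fmt_mac(frame[4:10]),
        "sa": fmt_mac(frame[10:16]),
        "bssid": fmt_mac(frame[16:22]),
    }


def is_probe_request(h: dict) -> bool:
    return h["type"] == 0 and h["subtype"] == 4


def track(frames: List[bytes]) -> Dict[str, int]:
    """What a passive tracker sees: probe requests counted per source MAC.
    A stable MAC yields one long-lived identity; randomised MACs yield one
    throwaway identity per scan, which is the whole point of the feature."""
    seen: Dict[str, int] = defaultdict(int)
    for f in frames:
        h = parse_80211_header(f)
        if is_probe_request(h):
            seen[h["sa"]] += 1
    return dict(seen)


if __name__ == "__main__":
    hw_mac = "00:11:22:33:44:55"  # constructed vendor MAC ("Larry")
    fixed = [build_probe_request(hw_mac) for _ in range(5)]
    randomised = [build_probe_request(random_scan_mac()) for _ in range(5)]
    print("fixed MAC   :", track(fixed))
    print("random MACs :", track(randomised))
    for m in track(randomised):
        print(m, "locally administered:", is_locally_administered(m))
```

The locally-administered check is the cheap half of the tracker's problem: it tells an observer that an address is software-assigned, but not which device it belongs to, which is why the comments above insist the rotation interval be short.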
Re: (Score:2)
You can already do it on Linux
ifconfig wlan0 hw ether 00:11:22:33:44:55
Re: (Score:2)
Just Don't use de:ad:be:ef:00 because that's my random address.
Er wait...
Re: (Score:2)
I can't imagine it would be either. The consequence for DCHP on IPv4 would be not great to say the least.
I would see address pool exhaustion, the concept of reservations breaking entirely, any hardware-based option variability failing (i.e. sending the right PXE boot server for the device class), all becoming a total mess.
Re: (Score:3)
Damn slashdot and its lack of edit, that should be DHCP
Re: (Score:2)
Most of those problems would be non-issues on public Wifi, as long as the MAC address doesn't change more often than say once an hour.
If you are TFTP-booting on Starbucks Wifi you deserve what you get.
Re: (Score:2)
Yes, you can implement it yourself quite easily on Linux for a 90% solution. Once you want notifications to the DHCP client, periodic changes of MAC address, selection of which networks to keep the factory MAC address on, and so forth, it is not so simple.
Re: (Score:2)
my problem with this is
1 what happens when multiple orgs want to be LAST in the chain
2 an SSID only has 32 characters to begin with so if you need to use a few tags you end up with
mine_eatfresh_fred_optout_nomap as your ssid
Unless you don't use NetworkManager (Score:1)
Because systemd sucks.
Re: (Score:2)
both are poetteringware
Re: (Score:3, Informative)
You are confused. I'm not sure why you were modded up here. NetworkManager is not part of systemd, and doesn't require systemd either. Your linux machines have been using it for years, several years longer than systemd has ever existed. Please get your facts straight before posting.
Sounds like your knee jerked and you mistook NetworkManager for networkd, which is a part of systemd. But networkd is intended only to provide simple network functionality for containers like Docker or virtual machines. ne
You can already change your MAC on linux (Score:2)
Use ifconfig:
ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx
It's had this option for years. I presume it'll work for the wlan0 device though I've never tried it.
Re: (Score:3, Informative)
The MAC randomization used here is only while scanning, not while connecting, in order to not break MAC whitelisting where it may be used.
"What seems like a viable option is randomizing the MAC address while scanning, changing it every now and then, but still use the hard-wired MAC address for association and actual connectivity. Apple pioneered this approach with its mobile operating system, iOS version 8. Since the worst thing that can happen in an unlikely event of MAC address clash is that your AP list
Re: (Score:1)
Did everyone forget about fingerprinting? (Score:2)
Just won't work.
Mostly due to java creep in browsers - https://panopticlick.eff.org/ [eff.org]
If you want to get unwarranted attention - randomly flip your MACs - makes you look like a spook.
What we really need is a browser that looks very common via finger-print - the page is not shown - only an OCR document created from the page with links that have tracking information removed. Once the OCR doc is created the instance of the browser is removed.
I really miss web sites that don't use java..
Re: (Score:2)
This way every phone and laptop with Wifi enabled is an active radio beacon that permanently broadcasts a unique identifier. On many devices this is even the case when Wifi is turned off, but the service for Wifi assisted positioning is enabled. The craziest thing is that none of the active scanning is technically necessary, because the clients could just passively listen for the beacon frames that the access points broadcast (by default 10 times per second).
THIS. I wish I had mod points, because this deserves two. I'd love for more devices to do this passively. Be active when I hit the "Scan for Wifi Networks" button (maybe), but otherwise just listen to what's going on. For OSes that seem to think that not responding to an ICMP ping is a valuable end-user feature, you'd think more of them would offer this already.
Re: (Score:2)
Problem is, with mobile carriers abusing us on data limits, most people are thankful that their phones will find an open network and use it to update their Facebook feeds in the background. So it's not just about maintaining a list of AP's, but also checking if you have permission to get on them.
Please make this disableable (Score:2)
I support the idea, but please make it optional for those of us who have reasons not to want to do it. One example of why you might not want to do this: if you restrict MAC addresses on your home wifi, this will break it.
Passive scanning (Score:3)
If you want to keep your privacy, you'd better employ passive scanning. Avoids any MAC transmission at all and saves some power while disconnected.
Link in Wi-fi.org [wi-fi.org]
Re: (Score:2)
Smarter Wifi Manager for Android uses your location to keep the wifi turned off until you get to a place where you were previously connected to a known network. It saves a lot of battery power, and protects your privacy.
wpa_supplicant already does this (Score:1)
Screw NetworkManager, it's broken anyway and wpa_supplicant can already do everything one might want there:
Add 'mac_addr=1' and 'preassoc_mac_addr=1' to your /etc/wpa_supplicant.conf. Then your MAC-address will be randomized during the Scanning/Preassociation phase and afterwards.
For networks that need a static MAC address for filtering, add 'mac_addr=0' in the appropriate 'network' section. You also want to make sure you are using 'dhcpcd' instead of 'dhclient' (alias isc-dhcp-client). The latter can't dea
and dhcpcd already handles SLAAC randomisation (Score:1)
for over a year and a half now!
What is more, both products also work on BSDs with GTK+ and Qt front ends.
Who needs this NetworkManager anyway?