Wednesday, March 30, 2011

Just how much should one be unsettled by all this unsettling stuff?

Sitting here as I type this, I can't see you reading it.  With a couple of exceptions, I have little idea who you might be, and you may well know me only through my profile and posts here.  In the absence of face-to-face interaction, it's easy to think oneself anonymous.  For all you know, I could be a dog.

It's easy to think oneself anonymous on the web, but there are significant ways in which this just isn't so. As I've mentioned in a few recent posts, for example, a web server can find out if you're logged in to various sites, your browser quite likely has a unique fingerprint, and the location of your WiFi router is probably in several databases which can be used to locate people who aren't even connected to it (on a recent road trip, I helped install a brand-new WiFi router, and did a double-take when Apple's location service knew where I was -- because of the half-dozen other WiFi routers in range).

Which brings us to the question: To what extent are these just somewhat unsettling facts of web.life and to what extent are they cause for real concern?  And of course, the answer is "it depends".

Fine.  What kinds of things does it depend on?

For such things to be more than theoretical concerns, someone has to do something harmful with the information that they wouldn't have been able to do anyway, or at least, the likelihood of someone doing harm has to increase (or if you really want to be technical, the expected harm has to outweigh any expected benefits, using "expected" in the probability sense).  The downside will depend on what kinds of bad things can happen, which depends on the particular unsettling fact, and how likely they are to happen, which can depend on all sorts of things.

For example, there's probably not a lot of harm in most cases if a server can tell that you're logged into FaceSpace, but if your employer has a strict policy against that and someone decides to install a FaceSpace login detector in your company's internal homepage, the consequences could be serious.  It's up to you to weigh how likely that is and how much you need the job (and how important it really is to browse FaceSpace at work).

If you live under a regime that bans unauthorized WiFi routers, the odds of something bad happening if you put one up anyway are pretty high.  It's almost certainly not worth it.  In most places, however, it shouldn't pose a problem.  If your security is set up properly, most likely all that someone can determine is that there's a WiFi device with some particular SSID near some particular location.  Given that it's easy to determine that there is, say, a house with a mailbox and electricity at a given location, that doesn't seem so dangerous, once you get past the creep-out factor of someone being able to detect something inside your home that they can't see.

To a large extent then, such things are just a part of conducting business on the web.  There's nothing wrong with being concerned about privacy, or taking reasonable steps to try to protect one's privacy, but it's a mistake to expect one's online life to be perfectly private.

But the same can be said of one's offline life.  Ultimately, issues of privacy are not technical, but social and legal.  Expectations of privacy have always been around.  So have breaches of those expectations, and so have various ways of trying to cope with such breaches.  Which is worse: having your Awful Secret shouted in the town square of your medieval village, or to the whole tribal group around the prehistoric campfire, or having it posted to millions of people on the modern web?  I don't see much difference.  All three cases are serious.  What matters isn't how many people find out, but how many people that you care about find out.  I'm not convinced that technology changes that picture much.

Tuesday, March 8, 2011

Wardriving Spartacus

[For those joining recently, "Spartacus" here is a byword for anonymity issues.  See this post, or the anonymity label for more background.]


I was going to respond directly to a comment on the previous post, but thought I'd do a proper post since it ties in to one of the main themes here.

An anonymous comment (of course) signed "Anli" says:
I like the "Use your router's "MAC cloning" feature". Wouldn't it be nice to have the database of MAC addresses per location? [This would be analogous to a reverse phone directory.  Databases of location per address are widely available.  Inverting one is left as an exercise. -- D.H.]

Oh, well random 48 bits are fine... 
It should be less than 48 if you want to narrow it to a suitable manufacturer...
I started to reply:
Random bits will be fine until the next time the car comes by.  The system will then say, "hmm, don't know this one, let's add it at this location."
All this on a per-database basis.  Skyhook might add you at a different time from Apple, etc.  So yeah, what you want is a database of ...
And then I realized what you really want is a MAC address that's known to be associated with a lot of locations, all over the world, because this is a basic anonymity problem, though with a twist.  It's a basic anonymity problem because the more different locations are associated with your MAC address, that is, the more places you could be, that is, the larger your anonymity set, the less you can be pinned down.

The twist here is that it's very easy to tell if a router at some particular location has the particular MAC address.  By contrast, in the similar-but-different scenario of using an anonymizer and trying to hide what IP address you're connecting from, we can assume that The Man can tell who's connecting to nodes that are also providing anonymity, but that takes a bit of work -- packet sniffing, etc., and then all they have is a circumstantial case, though perhaps a fairly strong one, that you're participating in or using an anonymizer.

In the case of a wireless router, anyone with $100 worth of parts -- probably quite a bit less, I haven't looked lately -- can tell for sure that there is a router with a given MAC address at a given location.  If The Man in your part of the world has made it a crime to spoof someone's MAC address, then you can probably expect a knock on the door.

But then, in such a case you probably don't have location services enabled anyway, so why would you be spoofing someone's MAC address?  Likewise, your MAC is unlikely to be in, say, Apple's database, though it will most assuredly be in The Man's.

It's also worth noting that a laptop or phone that's trying to establish its location doesn't need to actually connect to a given wireless router.  It just has to detect packets from it, that is, be within range.  As mentioned previously, the MAC address has to be in the clear for the protocols to work [meaning that you can use WiFi routers to establish your own location without announcing that you're doing it --D.H. Sep 2015].

Summary: If you own a wireless router, expect its location to be known and widely available.  That's not theory.  People do it.

How much of a concern is this, really?  Next post ...

Thursday, March 3, 2011

Now I remember why I don't pay much attention to this kind of stuff

Recently I enabled location services on my MacBook.  That couldn't do too much, right?  The MacBook doesn't have a GPS attached.  A quick check from whatsmyip (go there, then do the "IP Address Lookup") gave a location several miles from my actual one.  Clearly that's as close as it can get.

Well, actually, it was accurate to within a hundred yards or so.

After double-checking that I really, really didn't have a GPS, I dug up what was really happening:   Like many of us, I'm connected to the internet through a wireless router.  That router has a unique MAC address by default.  The MacBook's networking layer knows this (otherwise it can't function), so when I'm on my home network, I'm associated with a particular MAC address.

Several parties, including Apple, keep a database of locations of wireless routers.  They get these locations by "wardriving" -- driving along looking for WiFi signals and using old-school radio techniques to pinpoint roughly where the signal is coming from.  Location services simply contacts the mothership with the MAC address of the router to get the physical location out of the database.  This has all been around a while.  I'm just slow on the uptake.

Assuming everything's working as intended, this doesn't mean that any random person on the internet can find out your location.  You decide whether to share that information, just like you decide whether to share a particular file (caveat: I'm not sure how secure a MacBook's default settings are).  Still, it's another for the growing list of unsettling privacy issues (maybe I'll create a new tag).

As I understand it, there's not a whole lot you can do about this form of information gathering, though I didn't delve deep enough into the IEEE standards docs to be sure I had a definitive answer.  From what I can make out, though, the source and destination MAC addresses have to be on every packet, unencrypted.  Otherwise your router would have to try to decode every encrypted packet it received against the session keys for every active connection in order to see if it was the intended recipient.

Given that, turning off broadcasting of your SSID, using WPA2, whitelisting MAC addresses and so forth is not going to make a difference.  The wardriver just has to sniff for packets and note the MAC addresses.  That's not to say you shouldn't use WPA2 -- you absolutely should, as it provides decent protection against eavesdropping and unauthorized connections -- just that it won't prevent someone from knowing that a router with a given MAC address is in a given location.
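
To make the point above concrete, here is an added example (not code from the original post) that parses the header of a constructed 802.11 data frame: the Protected flag is set, yet the receiver and transmitter MAC addresses sit at fixed offsets as plain bytes.  The sample frame, its addresses and the function names are assumptions made for the illustration.

```python
import struct

# Constructed sample, not a real capture: a 24-byte 802.11 data-frame
# header followed by opaque bytes standing in for the encrypted body.
# Addresses use the RFC 7042 documentation range plus one random-style MAC.
SAMPLE_FRAME = bytes.fromhex(
    "0842"          # frame control: data frame, From-DS and Protected set
    "2c00"          # duration
    "00005e005301"  # address 1: receiver (a laptop)
    "00005e005310"  # address 2: transmitter (the router's BSSID)
    "020000000001"  # address 3: original source
    "1000"          # sequence control
) + bytes.fromhex("9f3c01a7e4d25b886610")  # placeholder ciphertext


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac):
    """True if the locally-administered bit is set (typical of randomized MACs)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_header(frame):
    """Read the cleartext fields of an 802.11 data frame."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 data-frame header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:
        raise ValueError("only data frames are handled here")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    # Address 4 appears only when both DS bits are set; QoS subtypes add 2 bytes.
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)
    if len(frame) < hdr_len:
        raise ValueError("truncated header")
    return {
        "protected": bool(fc & 0x4000),  # body is encrypted (e.g. WPA2)
        "receiver": fmt_mac(frame[4:10]),
        "transmitter": fmt_mac(frame[10:16]),
        "address3": fmt_mac(frame[16:22]),
        "body_len": len(frame) - hdr_len,
    }


if __name__ == "__main__":
    for field, value in parse_header(SAMPLE_FRAME).items():
        print(f"{field}: {value}")
```
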

There are some countermeasures you can take:
  • Use your router's "MAC cloning" feature to set its MAC to something already in the database (if you choose a MAC not in the database, it will get added with your location next time the car comes by).  Your friends and foes will then think you're in sunny Tahiti or wherever.
  • Don't use WiFi
    • String a bunch of Cat 5 cable and give up the convenience of wirelessness
    • Use a smart phone as a tether -- this has its own set of privacy issues, but I'm not familiar with them and ignorance is bliss [I doubt this helps that much.  A tethering phone looks like any other WiFi router to a wardriver, including having a MAC address.  If you only use the tethering in one place, say your home, there's no real difference from using any other WiFi router.  If you move around, there will be a record that your MAC address was seen at several places, which is probably not what you want --D.H. Sep 2015].
  • Disable location services.  The world will know that there's a wireless router at a given location, but won't be able to associate it with you or your computer (or at least, not quite as easily)
  • Build a suitable Faraday cage around your network.
  • Don't worry, be happy.
Please understand I'm not recommending any of these, except possibly the last.