Slashdot Mirror
Londoners Tracked By Advertising Firm's Trash Cans
schwit1 asks "How can I automatically have my wi-fi turn off when I leave the house unless I specifically turn it back on?" and provides this excerpt from Wired to illustrate why that would be useful: "Hundreds of thousands of pedestrians walking past 12 locations unknowingly had the unique MAC address of their smartphones recorded by Renew London. Data including the "movement, type, direction, and speed of unique devices" was recorded from smartphones that had their Wi-Fi on. First reported by Quartz, the data gathering appears to be a Minority Report-esque proof-of-concept project, demonstrating the possibility for targeted personal advertising. 'It provides an unparalleled insight into the past behavior of unique devices — entry/exit points, dwell times, places of work, places of interest, and affinity to other devices — and should provide a compelling reach data base for predictive analytics (likely places to eat, drink, personal habits etc.),' reads a blog post on the company's site. In tests running between 21-24 May and 2-9 June, over 4 million events were captured, with over 530,000 unique devices captured. Further testing is taking place at sites including Liverpool Street Station." (The name sounds a bit like a government project, but Renew London is actually an advertising / marketing firm.)
The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.
There needs to be an update to iOS and Android that gives users the option to disable this feature (I can't remember the official name). Users should understand that it will take longer to find access points, but in exchange, they get vastly increased privacy.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
Former is free and can do what you need, latter costs a few bucks but is apparently far more versatile.
This is for Android, of course.
If you're carrying a cell phone around, you might as well surrender any idea that your movements are not being tracked by 3rd parties without your knowledge or consent. Retailers like Target are installing ANPR systems in surveillance cameras, their wifi routers are already watching for probe attempts from cell phones as a way of monitoring where you are in the store (how long did you spend in the women's section? Where on the floor did you stop to look at advertising?) and modules are also installed to track cell phone transmissions and ESNs to uniquely identify customers at checkout (you use a credit card, and now your ESN is linked to your name)...
Trash cans are watching you. Buses are equipped with similar sensors. If you are carrying a cell phone, someone, somewhere, knows exactly where you are and is going to sell this information. You are not carrying a cell phone these days: You're carrying a tracking beacon with two-way communication capability.
#fuckbeta #iamslashdot #dicemustdie
What's the difference? Can you opt out of any of it? Not having a cell phone or Facebook is grounds for suspicion..
“He’s not deformed, he’s just drunk!”
Standard configuration is for access points to broadcast beacons 10 times per second. I doubt that sending probe requests would make detection any faster. The real reason why probe requests are sent is that idiots turn off SSID broadcasting, and that leaves the phone no choice: Either send probe requests all the time or don't find the home network when you're in range.
Isnt there something like aircracks airbase that could be run nearby that would make this data useless? Something that just spits out mac addresses at random for the system to pickup?
> "How can I automatically have my wi-fi turn off when I leave the house unless I specifically turn it back on?"
At first I couldn't think of a solution. It's really a matter of remembering to do it yourself. ...and then I remembered, cells with wifi also have gps... Why couldn't there be an app that will only turn on wifi when gps coordinates closely match a list? Possible GUI -- bring up app, touch "allow wifi from here". Coordinates are memorized, and wifi is turned on only X number of feet from that location. (Also "disallow wifi from here", "edit list" and "delete all entries" would be good features. Oooh, also add "test wifi" with "remember this location?")
"I'd buy that for a dollar".
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.
Except, of course, that it does. In order to associate to an access point, you have to send your MAC address. It's sortof how packet-switched networks operate: It needs a source and destination. What you're talking about is a Probe request, a special type of packet when a station needs to obtain information from another station. This other station is typically an AP, but not necessarily.
Any connection made over wifi needs to broadcast a probe frame, and these are by definition unencrypted. Any station on the same channel can see them. Thus the only way to prevent broadcasting your MAC address is to disable wifi entirely. It is in no way "optional" for connecting to another wifi network, and many cell phone users want this functionality because auto-connecting to unsecured wifi allows for data transmission without incurring fees from their provider. The iPhone, for example, can receive OTA updates via open wifi, as can Android.
They aren't doing it solely to "discover nearby networks faster"; It actually saves the user money.
#fuckbeta #iamslashdot #dicemustdie
How ARE those Dockers working out for you?
Understanding the scope of the problem is the first step on the path to true panic.
Never heard of dumpsters doing it though.
Haha....Living in the can so long I guess he needed a new hobby. :)
If you have Android, Tasker works great for this sort of thing. Simply set it up to trigger a profile based on your GPS location.
This was going to be used as proximity detection for a new line of laughing toasters.
Renew London is actually an advertising / marketing firm
...sponsored via a joint NSA+GCHQ project.
What he meant was "The 802.11 protocol does not require cell phones to broadcast their MAC addresses when disconnected from an AP" Sure you need to send the MAC address to connect - he knows that. You don't need to send anything if you don't want to connect. It's not hard to write an app that turns off wifi outside of particular physical area. That addresses the concern they're talking about. They don't care about background data usage on the phone when they're not using it.
doesnt everything in the us track everything?
How about we just fry the damn things with an electro magnet? "what, destruction of private property? i was simply disposing of my magnet! besides, said private property was abandoned in a public place!"
Saying people want to auto-connect to unsecured wifi networks is like saying people want to be able to drive at 150 mph. Yeah everyone would like to do it, but they realize it's such a stupid thing to do that almost nobody willingly does so. A random unsecured wifi net in a public area is the perfect setup for a man-in-the-middle attack to harvest your email and bank login and passwords. At a minimum, automatically connecting to them should be disabled by default on all devices, and preferably there should be no way to enable such a "feature".
If you want to connect to an unsecured wifi network, you should have to make a conscious decision and take a deliberate action to do it. Auto-connecting to them is colossally stupid. So there is no need for your phone to be automatically scanning wifi nets in a manner which exposes its MAC address. If you find yourself in a random location and would like to manually connect to an open wifi net which you feel you can trust, then the phone should give up its MAC address.
If a probe request to identify nearby wifi nets requires a MAC address, that's a deficiency in the wifi handshaking standard IMHO. The phone should generate a random one just for that probe request to bypass that deficiency.
How about an app that changes the MAC to something new and random every time the interface has been disconnected longer than three minutes?
one in wallet / car to turn wifi off
one by front door / hall table to wifi on
Is excellent for scripting actions (although you need to root really).
e.g. in this case you could define geographic areas (your home, your office etc) where WiFi is turned on, and get it to turn off in all other areas.
The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.
Except, of course, that it does. In order to associate to an access point, you have to send your MAC address. [...]
To discover a nearby access point 802.11 only requires that you listen for the broadcast.
To connect to it, yes, you need to exchange MAC addresses - but this is only required if you actually want to connect to the AP.
The GP is correct, actively throwing your MAC address around to networks you have no desire to connect to is not required by the protocol and should be disabled by default.
Now, if your phone wants to go whoring around with every open AP just to save on wireless data transfer, that's a different problem...
Probably also something that should be disabled by default.
Several airports in Europe are using the same non-associating probe technique to figure out if enough security lines are open. By knowing the time from pre to post security location of a MAC address, they can tell how well traffic is flowing. Since people beyond security, on average, spend several Euros per minute, it is better for the airport to minimize the security delay. Good for passengers too.
.
Marketeers like Acxiom and SurveySampling are probably lusting after the ability to link a MAC address to a social media account, or a person's demographics.
Saying people want to auto-connect to unsecured wifi networks is like saying people want to be able to drive at 150 mph. Yeah everyone would like to do it, but they realize it's such a stupid thing to do that almost nobody willingly does so.
Driving at 150 MPH is legal in many areas. The Autobahn, Montana during the day... And it's not stupid. As well, they're going considerably faster than 150 MPH with their phones; They're going at 670,616,629 mph.
A random unsecured wifi net in a public area is the perfect setup for a man-in-the-middle attack to harvest your email and bank login and passwords.
Find me a bank or online retailer that allows financial accounting data to be submitted over insecure connections instead of SSL. I can wait.
Auto-connecting to them is colossally stupid.
So is carrying a cell phone in public, according to some. People don't have to use military-grade encryption to browse wikipedia; There's plenty of things that open wifi is good for, even if it can be monitored. And if you're that worried about it, download Tor for Android (Orbit) or the iPhone and proxy everything through that.
Plenty of people want to make internet available to the general public for free; You know, that whole "Share and share alike" thing that we learned as kindergarners and then promptly forgot as adults as we all adopted the "what's mine is mine and what's yours is negotiable" stance.
If a probe request to identify nearby wifi nets requires a MAC address, that's a deficiency in the wifi handshaking
standard IMHO.
I think I'll stick with what the IEEE working group came up with, which included Cisco Systems, Microsoft, Hewlett Packard, and dozens of independent network engineers over your "humble opinion", thanks. But if you can figure out a way to transfer data over a packet-based network without a source and destination in the header, I am quite certain the IEEE would give you a free membership and plane rides and hotel rooms for all their meetings to explain your new protocol.
#fuckbeta #iamslashdot #dicemustdie
Given the Orwellian irony that London is the city with the most CCTV surveillance, I'm surprised that smartphone tracking is even an issue.
"I bless every day that I continue to live, for every day is pure profit."
I'm not sure the parent understands 802.11. The parent contains numerous glaring technical errors, half-truths and inaccuracies, but I admit the use of jargon does make it *sound* impressive.
A WIFI client technically only needs to passively listen for beacon frames, usually emitted with a 100ms interval (save for collisions, which might delay a beacon frame a bit), to find access points. It doesn't have to send probe requests to know if the default network (or any other network) is within range.
So yes, probing is most definitely used to "discover nearby networks faster", about an average of 100ms faster.
http://www.wi-fiplanet.com/tutorials/print.php/1492071
The Globally-Unique MAC addresses seem to be a pretty blatant security and tracking problem. I've been increasingly wondering why we don't simply start randomizing the MAC address every time the device is turned on, or perhaps even randomizing it for each new connection.
Yes, in principle this could result in a random address collision between two devices. However MACs are 48 bits... this means you'd need to have over 16 million devices simultaneously connected to the same access point before there's a substantial chance of two of them randomly colliding. I'd call that a rather pretty negligible trade off to obtain some privacy and security. And if one device does detect a MAC collision it could simply re-randomize.
As for additional "security risks" of randomizing MAC addresses, not really. It's already trivially easy for someone to deliberately fake your MAC address on their own device. So no new threat there. If anything, I think randomizing (and regularly re-randomizing) the MAC address would be a security benefit. If someone does deliberately fake your MAC address, the target lock is neutralized when your device re-randomizes.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
There needs to be an update to iOS and Android that gives users the option to disable this feature
You must be joking, Android 4.3 update already disables "disable wifi" button = you CANT disable wifi
Who logs in to gdm? Not I, said the duck.
Most people "need" less access to the internet and start paying attention to reality.
The mind conceives, the body achieves, the spirit manifests.
Montana now has a day time speed limit (and has since 1999):
http://en.wikipedia.org/wiki/Speed_limits_in_the_United_States#No_speed_limit
Thank you for understand exactly what I was trying to say. However, it's not necessary to disable wifi completely. Instead, the phone should just not send any probe requests, and it should not automatically connect to an insecure network that it has never seen before.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.
Except, of course, that it does. In order to associate to an access point, you have to send your MAC address. It's sort of how packet-switched networks operate: It needs a source and destination. What you're talking about is a Probe request, a special type of packet when a station needs to obtain information from another station. This other station is typically an AP, but not necessarily
Discover != Associate.
Your cell phone (or any WiFi client) can listen for and enumerate available networks. The MAC address does not need to be sent until a connection is to be made. If your phone is set to automatically connect to any passing network, that's an entirely different can of worms. And smart trash cans are the least of your worries.
Have gnu, will travel.
No it doesn't, I have 4.3 on both my phone and tablet. I am still able to disable wifi on both devices.
True dat! A "listen only" mode would be great.
Germany here. You have to be stupid to drive 250 km/h on a public road. Take your toys to a racetrack, not the autobahn. Sorry for your small penis.
It doesn't even have to go that far if you don't want. Just passively listen for known APs and only connect to those. Then add something friendly like a "look for WiFi" button to send out a probe when the user actively wants to connect to something and no known APs are broadcasting beacons.
Data including the "movement, type, direction, and speed of unique devices" was recorded from smartphones that had their Wi-Fi on.
All of that was recorded from the phone? Or was it actually only the MAC which was recorded at multiple points and times, which allows the rest to be inferred?
systemd is Roko's Basilisk.
I love how ignorant slashmods keep marking this as 'troll' while others who actually understand networking keep marking it informative. Sadly, the technical proficiency of people on this site continues to track lower month over month since the Dice takeover.
Now people who suggest that the people who designed the internet might have known what they are doing are moderated down while the paranoid tin foil hat crowd gets modded up for suggesting that changing the protocol is a simple handwave and people with decades of experience in this sort of thing are incompetent...
#fuckbeta #iamslashdot #dicemustdie
No protocols have to be changed, and none of your posts are informative (at least not on this article). It's so simple and obvious that you don't have to broadcast to listen.
No protocols have to be changed, and none of your posts are informative (at least not on this article). It's so simple and obvious that you don't have to broadcast to listen.
Amazingly though, in order to find out if the network can actually route to the internet, which is what the station is trying to find out... you have to associate to the AP. As well, many people disable SSID broadcasting, necessitating probes to determine if that network is actually present.
It's so simple and obvious!
#fuckbeta #iamslashdot #dicemustdie
If you have an iPhone, you can prevent these "rogue" Wi-Fi points from sniffing you by changing a simple setting.
Look in "Settings/Wi-Fi/Ask to Join Networks" and just switch it on. Done.
Androids and others probably have something similar.
"You have to associate to the AP" - maybe you do. Nobody else here wants to.
4.3 added an option to scan for wifi networks when wifi is off to use for location (it uses less power than GPS). You can enable/disable this behaviour in the advanced wifi options, and I just checked my Nexus 7 running 4.3 and this option hadn't been automatically enabled with the update.
Drains the battery anyways. Turn it on when I want and need it, turn it off again when I'm done.
really fucks up the syntax and readability of your sentences.
Discover != Associate.
So how does your phone 'discover' your (or any other that you connect to) network if you aren't broadcasting your SSID?
I often hate reading your posts because you have a very obnoxious manner of expressing yourself, but at least you know what you're talking about often enough. I have to agree with you about the quality of the posts, though. They've always been going downhill, but I've just attributed that to a "get off my lawn" effect where young'uns are pontificating about stuff that's new to them but already understood by everyone else.
But the rate of decrease in quality has really increased lately. Also, the posts that are modded up are increasingly factually incorrect or incredibly naive. Something weird is definitely going on here. Frankly, I'm on the verge of bailing entirely. The average post here now shows about the same intelligence and informed worldview as the average YouTube comment.
-- A low UID user away from their computer at the moment.
Obviously risk increases with speed but this can and is mitigated by preparations like other travellers expecting it and the driver, the car and road being fit for purpose.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Yeah but you won't do any of that, spreading a little dissent just makes you feel as though you are less the subservient slave than you actually are. When you have a mental capacity as low as yours such tricks work very well.
So what is this referring to then? "Background Wi-Fi location still runs even when Wi-Fi is turned off" From here: https://en.wikipedia.org/wiki/Jelly_Bean_(operating_system)#Android_4.3_Jelly_Bean_.28API_level_18.29
You're both right, a little at least. It's perfectly safe to connect to whatever random wifi you run across and use it in the sense it's intended, in the case that you are absolutely certain anything important is actually being encrypted at the application layer where it should be.
For most people, in the real world, they have no idea. Application programmers seem to do a really lousy job of it (as in usually dont even try) so it's certainly not safe to assume. Probably smarter in many cases simply to set your phone to only connect to networks you program it specifically to connect to. And encrypt them, so they cannot be trivially spoofed.
IF they are actually broadcasting their MAC when NOT attempting to connect to a network, that would be a bug to stomp. But I am pretty sure that part was just GPs ignorance.
And, btw, you SHOULD use encryption to browse wikipedia. You should, in fact, use HTTPS Everywhere and attempt to encrypt every single piece of data that is sent out, redundantly. This is because if you only encrypt things that you are worried about being seen, the encryption is suspicious in and of itself, and anyone investigating you for any reason (even just 'because your traffic passed our sniffer') is going to at least see exactly the data they are looking for, they will see the endpoints even if they cannot break the encryption. That 'meta data' may be more valuable than the encrypted message itself.
So if you want digital privacy, dont just encrypt important documents. Encrypt every single thing you can, and encourage others to do the same. An internet where only super-sekrit documents are sent encrypted is a fertile environment for snoops. One where the amount of traffic that is encrypted at the application level already nears 100% may be the only way to regain the privacy that we have lost in the digital era - and it certainly cannot hurt.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
1. Make OSS for this purpose
2. Release into wild
3. ???
4. No advertising profit
A clever person could even put it into some free apps....
It's an option, it allows using wifi for location when you otherwise don't want to use wifi. You don't have to have it on an you can toggle it in the advanced options. When I upgraded to 4.3 it was not truned on by default.
Just use Llama if you have an Android phone:
Llama - Location Profiles
It's totally amazing. I use it to turn off WiFi when I leave the house and turn it back on when arrive at work.
"Auto Wifi Turn Off" by shinji. only 41k. turns wifi off a set amount of minutes after losing connection (leaving home). Turns wifi on when you plug in a charger. doesn't need unnecessary permissions.
It listens for the network SSID. Silently, in some cases.
Have gnu, will travel.
Locale can do exactly this. (Android app)
What you do is download locale and then a specific locale plugin that controls what you want it to do.
example: locale + turn on/off wifi. Locale will then trigger the event (turning off wifi) when a condition is met, which can include location.
He thought the idea that he debuted at BlackHat was somehow new or revolutionary. I think the only thing he may have done differently than this advertising agency is to have each node connect to the other nodes using Tor.
Find me a bank or online retailer that allows financial accounting data to be submitted over insecure connections instead of SSL. I can wait.
It doesn't matter what the bank or retailer gets the data over, it matters what your phone sends it over. All too often people start browsing from an insecure entry point and only later move to a secure part of a site. This allows the MITM to change links or redirects in the insecure part and hence get the user to either enter their authentication details unencrypted or get them to enter them encrypted but to a domain the attacker controls (and therefore has a "legitimate" certificate for).
Plus ssl isn't as secure as people might like to think, for example apparently there were CAs out there who would still sign certs using md5 after md5 collision attacks became feasible allowing attackers to get themselves a cert with CA powers that was trusted by browsers*. There have also been recent attacks on SSL itself, and attacks on the way browsers combine compression with ssl.
* http://www.win.tue.nl/hashclash/rogue-ca/
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Serious question: how would the phone differentiate from the "dlink" AP at the owner's regular coffee shop and the eavesdropping "dlink" AP? I know the coffee shop owner should pick a more unique AP name and the phone owner shouldn't connect to a generically named insecure AP, but reality is different.
2) Discard device in trash can.
3) Profit?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I'd love to see activists "recycle' some iron oxide and aluminum powder in these fuckers.
I'm about ready for some real action in response to the marketing-scum and paranoid guberments sweeping away our right to privacy *frowns*
It gripped her hand gently. 'Regret is for humans,' it said.
All you need is an encrypted VPN tunnel, and an unsecured WiFi access point should be safe (aside from the issues in this article, in that they can track your MAC address connecting... but what if you generate random mac addresses per connection attempt?)
The central MAC authority is supposed to be spreading them around so they do not collide.
If its not associated with an access point, the wifi chip gets switched off. You have to turn it on to associate and it stays on until you go out of range, and then it flicks off again. I dont want it on unless I ask. And I dont want to have to remember to turn it off. So when it loses its AP, it goes down.
The 802.11 protocol does not require cell phones to broadcast their MAC addresses. Phones do it so that they can discover nearby networks faster, but it is completely optional.
There needs to be an update to iOS and Android that gives users the option to disable this feature (I can't remember the official name). Users should understand that it will take longer to find access points, but in exchange, they get vastly increased privacy.
Android already has this option.
In Android 4.x (4.3 here) go to Settings and slide the WiFi setting to "Off".
Calling someone a "hater" only means you can not rationally rebut their argument.
Just use a N900. It won't unnecessarily broadcast its MAC address.
Of course, then you have to deal with it being so slow and swapping all the time, and the interface that's clunkier than a museum jalopy. As I like to say, the N900 is a piece of crap. But it's the best piece of crap in the world!
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
No protocols have to be changed, and none of your posts are informative (at least not on this article). It's so simple and obvious that you don't have to broadcast to listen.
I think you are talking at cross purposes. You are asking for a protocol which allows you to connect automatically to open wifi and stay anonymous. As you say, that's impossible with a fixed MAC address. The posters you are discussing with wants to have their phones connect automatically to chosen WiFi access points without giving away the MAC address but to otherwise require manual intervention. What they ask for is possible simply through listening, though only as long as you never connect to a hidden access point.
Amazingly though, in order to find out if the network can actually route to the internet, which is what the station is trying to find out... you have to associate to the AP. As well, many people disable SSID broadcasting, necessitating probes to determine if that network is actually present.
It's so simple and obvious!
The interesting thing here is that cellphone networks have a bunch of interesting work done on the privacy here. They use random temporary identities and tunnelling of data back to the home network which should allow hiding of your identity from local passive attackers. The implementations are not perfect (an active attacker can use flaws in the GSM protocol for man in the middle attacks ; the crypto is/was a bit poor ; 3G phones are subject to fall back attacks etc.) but someone who is just listening to a GSM/3GPP phone should not see enough information to do tracking and someone who forces out enough information to do tracking should be clearly breaking the law (both computer hacking and radio frequency laws).
If the MAC address was a large random number which changed regularly and the standard was to start a VPN tunnel (back to the TOR network?) then untrackable connectivity would be possible. Of course it's not an accident that this is not the way things work.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
how would the phone differentiate from the "dlink" AP at the owner's regular coffee shop and the eavesdropping "dlink" AP?
The AP broadcasts its MAC as the BSSID. You could ask before signalling to an AP which has an unknown BSSID. Also, since the phones know where they are, you could ask whenever you see the same name in a different location.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
You can go further and (as some phones do) prompt the user with "wifi base stations available; do you want to try to connect" when you see unknown APs. This can still be implemented without sending out any signal.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
They may get "vastly increased privacy" in return for their phone not working optimally and increased mobile bills because they still get charged for the amount of traffic they use. The cell phone provider tracks them just the same and those records are kept for a long time so the government can get them if they wish so. Yes, some "free market" party getting similar data on you and selling it to anyone interested is going to have a much bigger impact on the life of the people that "have nothing to hide", but over 80% will value the functioning of the WiFi on their phone over that.
I'm fairly certain you can set location based profiles on at least modern Android, where you can use aGPS to switch on WiFi, blutooth and such. You can set the "automatically look for wireless networks" feature manually too. What you are suggesting is already implemented. The fact that almost nobody knows this and nobody I know uses it to increase their privacy, even the security professionals, shows how much people care about this. They want their FaceBook status updates and WhatsApp and whatnot and that is way more important than their privacy. By the way, does the FaceBook mobile app log your location to the mothership? I'd be surprised if it didn't to be honest....
I was promised a flying car. Where is my flying car?
You really did not start your post well. An argument of "but driving that fast is legal in some areas" is ... not very relevant. And I honestly did not get your point that your smartphone has a different mph rating. Most people probably stopped reading by then.
As the other AC says, you came off as obnoxious.
MAC addresses aren't unique.
The first 3 bytes identify the manufacturer, the last three identify the device, that's 16.7 million devices per manufacturer if perfectly distributed. But they often aren't. Back in 1996 we had several instances of Apple computers with the same MAC, because they didn't use the full 24bit address space.
Another solution is changing MAC address every day. I think a one line cron job would do it on GNU/Linux. Unfortunately I have an Android/Linux/run/some/binaries/from/untrusted/places/to/gain/root toy, instead.
Besides, those who really can track you have the IMEI.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
That these speeds are an everyday event doesn't mean the people doing 250km/h on public roads aren't idiots. The Autobahn is designed for 130km/h and even a tiny bump can send you flying off if you drive 250km/h. There's no warning and no way to see a bump like that in time. So yes, obviously the risk increases, and that means you should take your toys to the racetrack, which is a road "fit for purpose" and, more importantly, not full of people who are endangered by your reckless behavior. Personally I think that someone who believes that 250km/h is acceptable on a public road lacks the necessary judgment and is unfit to drive at any speed.
You Sire, are math-challeged:
2^48 = 281.474.976.710.656
The solution would be for the phone to periodically generate a random MAC for the purposes of scanning hotspots. If a user explicitly chooses to connect to a wifi hotspot the genuine MAC is presented and the connection proceeds with that. The behaviour could be turned on by default without affecting the user experience in any way. The random MAC could change every hour or so making the information transient and relatively useless to anybody who is snooping on it.
Some phones send broadcast probe requests with it's mac address, this will make the accesspoint send a probe reply with it's name and bssid etc. The access point also periodically transmits this information, so it is perfectly possible to use wifi without broadcasting the client mac if it does not want to connect. The big advantage of probing over beaconing is that the phone instantly knows which accesspoint can hear it (often the base station transmitter is better, so the phone hears the ap, but not the other way around). In roaming scenarios this can help. Still, when connecting it will do a probe to verify this.
There actually have been talks about using a random address for initial broadcast probing, as this gives the same advantages, without the privacy risk. Of course, to actually connect the phone will give out its mac address, but that is obvious.
This article actually starts as a question, but there are only a few posts addressing practical ways to deal with it. I for one use Smart Wifi Toggler on Android. It decides when to switch on Wifi based on cell tower locations. I use it mainly because it saves some battery.
Avantslash: low-bandwidth mobile slashdot.
Driving at 150 MPH is legal in many areas. The Autobahn, Montana during the day... And it's not stupid.
Sorry, unless you are a professional racing driver with lightning reactions, driving at 150MPH is always stupid. And even if you are a racing driver, on public roads you can never anticipate what unexpected thing the driver next to you may do. At 150 MPH your safe margin of error is zero. Happy to put your life in their hands? Happy to risk the life of everyone about you?
But back on topic; the idea of not automatically connecting to every network available is sound. Even if you aren't logging into your bank website. For reasons that TFA suggests; it helps stop random companies you have no dealings with slurping up information about you, your movements and your behaviour. You may think what you browse on Wikipedia doesn't require security, but would you think the same if you discovered some company you've never even heard of has a complete record of your interests, and is selling it to others?
The distinction between secure and unsecure logins to websites is also lost on most people. They think it all the same. So a man-in-the-middle attack on an unsecure login can open the door to who-knows-what information.
Those with no problem connecting to any open connection they find should ask themselves this; if you were offered open wifi access, but specifically told that this access will be intercepted, probed and exploited in every way possible by persons unknown, would you still connect to it, placing all your trust in SSL and your own device's security? Or would you think; why take the risk? So why treat any other random open wifi differently?
And lastly; if your device is in the habit of connecting to whatever wifi it comes across, unless you are equally in the habit of always checking which connection you have active, you will sooner or later accidentally perform on the open wifi some operation you'd normally reserve for a secured connection. Guaranteed.
Wi-Fi is so widely available these days that this would be a redundant, or even annoying feature. Very often you can catch unsecured Wi-Fi from shops, restaurants, libraries, buses, trains and people's homes. I think a "Search for Wi-Fi connections" button would be more than sufficient.
There are a bunch of ways of working around and/or breaking SSL. Please read up on ssl stripping and the recent series BEAST/CRIME and BREACH. The former will terminate an ssl connection early, rewriting all links and references from http to https. The latter will place an agent script in any http pages requested and use cross-domain requests to disclose secure information.
Parent posts' only requirement was to enable network discovery without clients broadcasting probe requests. As long as no hiden SSIDs are involved, this functionality is widely available. Windows (XP and up, as far as I'm aware) will only send probe requests if it is configured to connect to a network with a hidden SSID. iOS is severely broken, Android (again, as far as I'm aware) a bit less so.
Long story short: You don't need to send out your MAC address to discover broadcasting networks. You need it to join them, which is an entirely different matter.
Great advice, and not only for the reason you stated. Several recent attacks (BEAST, CRIME, BREACH) will use unencrypted connections originating from your browser to discover information transmitted in its encrypted connections.
The speed limit in neighbouring countries is usually around 120kph. Taking that as an average for traffic on German roads someone doing 250kph would be passing them by at 130kph. The vast disparity in speed alone is dangerous.
Human beings find it really hard to react that fast. That's why even in Formula 1 they keep making changes to limit the top speed to around 300kph (on a specialized racing track). On an ordinary road it's dumb.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
....which can do this sort of thing based on times, locations and so forth.
"Now people who suggest that the people who designed the internet might have known what they are doing are moderated down while the paranoid tin foil hat crowd gets modded up for suggesting that changing the protocol is a simple handwave and people with decades of experience in this sort of thing are incompetent..."
These were the same people that widely deployed the flawed WEP before finally getting WPA2 correct (we hope) over a period of years of compatibility and security problems. Oh, and then there's WPS. Brilliant work, there.
The reality is, getting this stuff right is hard even for the competent. You're right that the uninformed don't help the discussion, but a little less hubris would be appreciated.
that and use encryption to send loads of usless data too. if people are that dedicated to spying on you, they deserve as much data as can be produced. it'll help them get the most accurate picture possible
You can use llama and tasker.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Just to nitpick, according to Wikipedia the design speed of the flat portions of the Autobahn was 160km/h. Certainly when I drove on it the slower traffic was generally doing 130 while the other lanes got progressively faster.
Rubbish, although those speeds are, even in Germany, not common they are an everyday event.
Obviously risk increases with speed but this can and is mitigated by preparations like other travellers expecting it and the driver, the car and road being fit for purpose.
Yet Germany has a higher accident (and fatality) rate on motorways than comparable countries (France, UK).
Banking information might be less a problem as at least if somebody is actively using the device he/she can see it's connected to wifi.
However, if you're auto-connecting to various open wifi networks, then data may jump between the cellular network and random snoopy wifi AP's. Any apps that leak or have vulnerabilities are going to be a real concern in this case.
[...]it should not automatically connect to an insecure network that it has never seen before.
Well, if that's what you meant, then you're in luck. As you originally wrote, "There needs to be an update to iOS and Android that gives users the option to disable this feature." That's not necessary, because there are (and have always been) a grand total of two toggles in the Wi-Fi settings on iOS: "On/Off" and " Ask to Join Networks ."
looks like officials have been called in.
http://www.theregister.co.uk/2013/08/12/spy_bins_scrapped_from_london_streets/
Tasker for android. I have mine set to turn off wifi when I leave my house(based off of gps) and then switch it back on again once I get to work.
Is there any particular reason that MAC addresses need to be (typically) hard-coded to the device? I know it's occasionally handy on physical networks for addressing specific devices for admin reasons, but on portable, wireless connections, seems like more trouble than it's worth.
Why not just have an option to let the device randomly roll a new MAC each time it connects? If it's already in use (highly unlikely), just roll a new one.
(note: I know you can authorize access to specific MAC addresses through many routers/switches/base stations, but it's flimsy security at best as many adapters can have their MACs changed through software).
"Nothing strengthens authority so much as silence." - Charles de Gaulle
Not sure what os you're interested in doing this on, but llama for Android can do exactly this (and a lot more). And it's free.
Is to start spitting out masses of random MACS and overload their database.
(Don't go using harvested MACs, that's naughty.)
I'd buy an app which did that, simply to spite those wankers and put QRcodes on the bins to encourage others to do the same.. Only caveat is that it has to give the genuine MAC when associating with a wanted SSID.
The past 20-odd years I've always had cars able to exceed the 250 limit most cars are governed at and on rare occasions I actually drove at those speeds.
I never felt it to be particularly dangerous but of course I observed the road much further ahead then when going at regular speeds, this means the road and traffic needs to be perfectly visible for the distance needed to adjust my speed.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
I think you are talking at cross purposes. You are asking for a protocol which allows you to connect automatically to open wifi and stay anonymous. As you say, that's impossible with a fixed MAC address. The posters you are discussing with wants to have their phones connect automatically to chosen WiFi access points without giving away the MAC address but to otherwise require manual intervention. What they ask for is possible simply through listening, though only as long as you never connect to a hidden access point.
To be completely fair, the idea that a bunch of academics and scientists had any idea what sort of commercial systems would be built on their proposals decades later is very humorous. The MAC address itself was conceived in a time when nobody was worried about being tracked, because there WERE no mobile MAC addresses.
Such a system could probably be replaced today with some sort of public key exchange on link negotiation with randomly generated identifiers and/or strong identifying cryptography, but it will never get implemented at the layer it should be, so forget about it.
Then again, my last phone bill told me that I'd used about 20MB of my monthly 20GB of inclusive traffic, which suggests to me that I'm not as heavy a user as they thought I would be.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
I suggest londoners complain to ICO.
Form is here
http://www.ico.org.uk/complaints/handling/complain
I have never complained to ICO before about anything, but I am going to now - this tracking really is distasteful.
It listens for the network SSID. Silently, in some cases.
Try reading:
So how does your phone 'discover' your (or any other that you connect to) network if you aren't broadcasting your SSID?
How do you listen for something that is not being broadcast?
No you should access wikipedia with encryption because if you're using an unsecured wi-fi network of unknown providence, they could be doing a man in the middle thing to exploit bugs in your phone browser to pwn it. Or in other words, it's never perfectly safe to use random wi-fi networks, as long as browsers have bugs in them, which up until this point in time at least, has always been true. If it weren't true, there wouldn't be any jailbroken iphones.
I don't get it. In the world of mobile where battery durability is everything, why the hell is the wifi chip powered and running if you are not specifically attempting to gain a wifi connection, sounds like a crock of shit marketing scam, set up by the manufacturers to exploit their customers. There should be no hardware or service running on mobile phones that the customer is not specifically attempting to use. Off should be off, for the phone as a whole as well as for any hardware or service on that phone eg not using blue tooth blue tooth should be off. Faster boot, quicker operation of what you are actually using and extended battery life. With capitalist life endless array of privacy invasive marketing douches not able to leak away your battery life.
Chaos - everything, everywhere, everywhen
Uum, how fuckin' retarded are you that you can't imagine that in a modern car one can handle 250 km/h on a *fuckin* empty or nearly empty street? Or blind maybe?
Sorry, it's just you.
And using personal attacks about penises and stereotypic thought-terminating clichees only goes supports that hypothesis about you being retarded. Have you got nothing else, but that? There's not even anything to refute in there in the first place, dammit!
And honestly, I highly doubt you're even German. Because you're the first German to say such a thing. If you had been on an Autobahn even once, you'd see that clearly proven by the amount of people driving at those speeds.
Of course that resonates well with the Americans here, who themselves never actually learned to drive, and are scared shitless to drive fuckin' 130 km/h! (Go search YouTube for such videos.) Nobody here knows the fuck what they are talking about.