Slashdot Mirror


Tracking Protection In Wi-Fi Networks Coming Soon To Linux

prisoninmate writes: Fedora contributor and NetworkManager developer Lubomir Rintel explains how your devices are being identified on a network by a unique number that most of us know by the name of MAC address. Same goes for mobile networking, as your laptop's or mobile phone's MAC address is, in most cases, broadcast everywhere you go before you even attempt a connection to a wireless network. And that's a problem for your privacy. The solution? Randomization of the MAC address while scanning for Wi-Fi networks. Apple is already using this method on iOS 8 and later mobile operating systems, and so is Microsoft in Windows 10, so Linux users will ["likely"] get it in the upcoming NetworkManager 1.2 release.


  1. Turn it off. by marnues · · Score: 4, Funny

    Please don't. My company is building tools that help businesses understand their customers through WiFi. We're having to waste a lot of time building heuristics that determine whose MAC switched when they blip off and a new one randomly appears. We're barely off the ground with this stuff, now we're probably going to have to build new heuristics for Android devices.

    I will say that the good part of this is the product managers now understand we can't track real people, which was never our intent, but was possible given the long-lived nature of MACs. I just wish they'd randomize in the middle of the night when charging.

    1. Re:Turn it off. by Anonymous Coward · · Score: 2, Funny

      Hi, I am actually the CEO of the OP's company, let me clarify.

      The difference between a CUSTOMER (which we track) and PEOPLE (which we do not), is that the latter has legal and human rights and is worthy of respect.

      But the former is just a big ole walkin' talkin' sack with a dollar sign painted on it!

      Well I don't know about you, but I'm not interested in tracking a bunch of "people" with rights and dignity! That's boring!

      I'm after that big old fat sack of loot with a dollar sign painted on it!

    2. Re:Turn it off. by cfalcon · · Score: 2, Interesting

      Don't listen to marnues, above.

      > My company is building tools that help businesses understand their customers through WiFi.

      No, your company is building a tracker program by trying to make use of an oversight in the spec. In fact, shit like that is why this needs to happen, and why the lifespan of announced MACs needs to be short enough to render any information you may gather useless.

      Did you pay for all those phones that the businesses' customers are using? Like, do you own them? Or do they belong to people who don't know you and barely know the businesses you serve, and wouldn't help you if given the chance, just as you would not help them? They aren't YOUR customers, after all. They are cattle and you are getting pissed that you won't be able to herd them as easily.

      This is a good thing, and I'm sad it has taken this long. Hope this gets pushed up to Android fast enough so your company can instead do something besides trying to track people who don't owe you shit and who you don't help in any way.

    3. Re:Turn it off. by cfalcon · · Score: 2

      > > their customers don't want to be fucking tracked?
      > Except, that's not really true is it?

      Apparently it is, because you posted AC, presumably because you don't want to be tracked.

      And yes it is true, and no, the odds that anyone wants to be tracked by accidentally persistent MAC address are slim to none. Just because you put up 20 wifis and try to track me doesn't help me in any way. I'm not a user, I'm walking through an area without telling my phone to not use wifi. This is basic security.

      And again, just like you don't want to be tracked, nobody does.

  2. whats? by dansgovindo · · Score: 2

    What happened here?

  3. Re:This will mess with DHCP reservation by Anonymous Coward · · Score: 5, Informative

    This is automatically done when scanning for WiFi access points, which your phone or laptop or whatever is probably doing constantly. When you connect you use whatever MAC rules you normally have.

    This is about not advertising your real MAC address to APs you have no intention of connecting to, so third parties (NSA and friends) can't scatter a bunch of APs around town to track your movements.

  4. Re:Can't lock down with random MAC addresses by amorsen · · Score: 2

    That is not how random MAC scanning works. The scanning is done with a random MAC, but actual traffic uses the real hardware MAC. Your MAC address based authentication is unaffected.

    Real random MAC on public networks has not been implemented by any OS yet, AFAIK.

    --
    Finally! A year of moderation! Ready for 2019?

  5. Re:Can't lock down with random MAC addresses by DarkOx · · Score: 2

    Damn slashdot and its lack of edit, that should be DHCP

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

  6. Re:Can't lock down with random MAC addresses by cfalcon · · Score: 2

    No, it's not at all useless. It may not be exactly as useful as YOU want, but it's absolutely useful.

    Pretend your MAC address is some number, that I'll call Larry. Without this, just walking through an area can result in your machine saying "Larry here, what networks are around?" With this, every time he asks, he'll say "$RANDOM_NAME here, what networks are around?" This is good design, because you shouldn't have to leak information like a MAC just to see what's going on.

    Now pretend you want to connect, and you connect as Larry. That's fine for most people, but you want more- you want your address to connect differently each time. This is much more niche, but you CAN do it- there are hardware MAC address changers, after all, and you could automate one in Linux. Not quite sure in Windows how to do it automatically, but I'm sure you could.

    I think your idea is good too, btw- but it's nowhere near as important as the one that gives your info away to networks you aren't even trying to connect to.

  7. Re:You can already change your MAC on linux by Anonymous Coward · · Score: 3, Informative

    The MAC randomization used here is only while scanning, not while connecting, in order to not break MAC whitelisting where it may be used.

    "What seems like a viable option is randomizing the MAC address while scanning, changing it every now and then, but still use the hard-wired MAC address for association and actual connectivity. Apple pioneered this approach with its mobile operating system, iOS version 8. Since the worst thing that can happen in an unlikely event of MAC address clash is that your AP list is incomplete for a while it seems like a fairly safe choice."
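
An added illustration of the scan-time randomization discussed in the comments above (not part of any comment, and not NetworkManager's code): generating a throwaway scan address and telling such addresses apart from vendor-assigned ones when auditing a MAC allowlist or DHCP reservations. It assumes the randomizing client marks the address as locally administered, which the thread does not state; all function names and sample addresses are constructed for this example.

```python
import secrets

LOCAL_BIT = 0x02      # first octet: locally administered, not vendor-assigned
MULTICAST_BIT = 0x01  # first octet: group address, never a station's own source


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-...' into 6 bytes; ValueError otherwise."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def random_scan_mac():
    """Fresh random unicast, locally administered address for one scan."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | LOCAL_BIT) & ~MULTICAST_BIT & 0xFF
    return format_mac(raw)


def classify(mac):
    """Return 'multicast', 'randomized-or-local' or 'vendor-assigned'."""
    first = parse_mac(mac)[0]
    if first & MULTICAST_BIT:
        return "multicast"
    return "randomized-or-local" if first & LOCAL_BIT else "vendor-assigned"


def split_observations(macs):
    """Group observed source addresses so an audit can set scan-only ones aside."""
    groups = {"vendor-assigned": [], "randomized-or-local": [], "multicast": []}
    for mac in macs:
        groups[classify(mac)].append(format_mac(parse_mac(mac)))
    return groups


# Constructed sample: source addresses as an AP might log them from probe requests.
OBSERVED = ["00:1A:2B:3C:4D:5E", "da:a1:19:00:00:01",
            "02-00-5e-10-00-01", "01:00:5e:00:00:fb"]

if __name__ == "__main__":
    print("scan with:", random_scan_mac())
    print(split_observations(OBSERVED))
```

The locally administered bit is also set by virtual machines and manually assigned addresses, so the middle category means "not a burned-in address", not proof of randomization.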

  8. Passive scanning by enriquevagu · · Score: 2

    If you want to keep your privacy, you'd better employ passive scanning. Avoids any MAC transmission at all and saves some power while disconnected.

    Link in Wi-fi.org

  9. Re:Unless you don't use NetworkManager by caseih · · Score: 2, Informative

    You are confused. I'm not sure why you were modded up here. NetworkManager is not part of systemd, and doesn't require systemd either. Your linux machines have been using it for years, several years longer than systemd has ever existed. Please get your facts straight before posting.

    Sounds like your knee jerked and you mistook NetworkManager for networkd, which is a part of systemd. But networkd is intended only to provide simple network functionality for containers like Docker or virtual machines. networkd is not required, and I've never ever used it on my boxes and I've run systemd for years. I don't even think I have it installed (yes systemd really is modular and you can remove parts of it).

    Possibly networkd could become a backend for NetworkManager, but so far I don't think that's the case. And NetworkManager seems to handle hotplugging of devices with ease (like Wifi dongles or ethernet dongles).

    NetworkManager is great for managing things like WiFi, VPNs, and multiple TCP/IP configurations. For example, I keep a special NetworkManager profile for connecting to my Ubiquiti Wifi devices for the first time. The profile uses a static IP address like 192.168.1.10. For my normal connections, DHCP is used. NetworkManager is very powerful, and there's a nice command-line utility to interface with it as well. It used to be quite embarrassing for many years on Linux that even something as simple as plugging in an ethernet wire would not automatically bring up the interface like Windows and Mac had done for years. NetworkManager was a welcome piece of the puzzle.