>How do probes with random macs break it? If a known network it wants to connect to is present it can use its real address.
You can probe with a random mac all you like.
But you can't then connect with a random mac and expect the connectivity to work. Not when the mac is changing faster than the network attachment. If it isn't changing that fast (like in Apple's products) it can work, but it doesn't stop a broad class of tracking.
So yes, you can probe all day with a random mac. Just expect to have to reveal a session-consistent mac when you try to connect.
I asked a friend in the middle of this in 802 and he dumped a pile of documents on me. It was quite an entertaining read.
At PDX and other places a TSA guy gives you a little colored card with a number on it.
At the other end of the line a TSA guy takes it from you.
The time of the line is measured by the transit time of the card.
Is this more or less creepy?
MAC address randomization is currently being argued back and forth in IEEE 802.
It breaks many things. It might work randomizing between sessions on a simple LAN, but in the presence of the 802.1 network features (bridges, vlans, STP, provider bridges etc. etc.) it simply breaks.
It doesn't sit well with the various authentication schemes that mix the MAC address into the security header and key derivation.
It doesn't sit well with MAC based routing entities that are not on the local segment.
People with a deep knowledge of 802 protocols are looking at this and it isn't simple or easy.
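The key-derivation point above, as an added example that is not part of the original comments: the 802.11i pairwise key (PTK) is computed from both MAC addresses, so a station whose MAC changes after association derives a different key and its handshake MIC is rejected. The addresses, nonces, PMK and frame body are constructed values, and `handshake_mic_ok` is a hypothetical helper name.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"  # label used for the 802.11i PTK derivation

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """PTK for CCMP (48 bytes): KCK | KEK | TK. Both MAC addresses are inputs."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, LABEL, data, 48)

def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 MIC over an EAPOL-Key frame, keyed with the KCK."""
    kck = ptk[:16]
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def handshake_mic_ok(mac_station_uses: bytes, mac_ap_recorded: bytes) -> bool:
    """True if the AP accepts the station's MIC on handshake message 2."""
    sta_ptk = derive_ptk(PMK, AP_MAC, mac_station_uses, ANONCE, SNONCE)
    ap_ptk = derive_ptk(PMK, AP_MAC, mac_ap_recorded, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(sta_ptk, MSG2), eapol_mic(ap_ptk, MSG2))

# Constructed sample values (not captured from any real network).
PMK = hashlib.sha256(b"constructed PMK").digest()
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("0200000000aa")          # address used at association
STA_MAC_ROTATED = bytes.fromhex("0200000000bb")  # re-randomized mid-attachment
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = b"constructed EAPOL-Key message 2 body"

if __name__ == "__main__":
    print("stable MAC: ", handshake_mic_ok(STA_MAC, STA_MAC))
    print("rotated MAC:", handshake_mic_ok(STA_MAC_ROTATED, STA_MAC))
```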
..run a program that takes longer than a week to complete.
But when I do, I unplug the ethernet.
find a battery charging station on Mars.
A commercial litigator saying it's OK to sue. Whoodathunk?
I don't frequent those places, but if it is that loud, active cancelation audio headphones do not make good ear defenders.
> I have a feeling that Bose' CFO is not happy but not unhappy. It's business.
I have a feeling that setting the lawyers on an effective retail outlet for your goods is really bad for business.
If someone sued me, I'm certainly not going to do business with them in the future.
Can you tell us the brand/model of your better-than-active-noise-cancellation headphones?
He's deluding himself. What he's using is ear defenders.
Try this... Stick your finger in your ear. Create a good seal so outside sound is well blocked.
Do you hear nothing? No, you hear a background roar of muffly rumblings.
Or try putting ear plugs in and sit still. Do you hear less? Yes.
Now move your head. Say just slowly move it around. You hear a bunch of noise from the ear plug itself rubbing in your ear canal.
A sealed cavity around your ears traps in all the local noise. It's worse than nothing.
I call BS. The Sony's barely worked. I tried them back to back with the Bose.
Active noise cancellation is not about HiFi. It's about high background noise environments like on airplanes or in offices.
Try a set of Bose QC3s in a quiet environment, listening to music through a stereo of any quality will not be better than something with a large seal and a half decent speaker, but that's not the point. I doubt people could actually tell the difference in a quiet environment. If there's nothing to cancel, cancellation doesn't help. But in a high noise environment, the Bose are clearly better.
Bose noise cancelling headphones are not a scam. They were qualitatively far far better than anything else on the market when they came out and they still seem to be better today.
I'll be taking my rather ancient set of QC3s on the plane tomorrow.
Designing and building a 6 layer board, 3 iterations to get right, using your own time is 10-30 grand, depending on the components and manufacturer fees. Any board of takes 6 months. It just does. String together all the things to do for a manufacturable board and it takes 6 months.
Doing a one off, for your own amusement, or a PoC, I managed that in 2 very long days once.
>Language and labels change meaning
Yes, it seems like that interpretation requires that you interpret the word 'Gamer' to mean lowlife male basement dwellers who yell into microphones.
Being competent in English I interpret 'Gamer' in this context to mean 'People who play computer games'.
So I'm a gamer. I like a good FPS. I've had my arse whipped in Starcraft. I've shot lots of zombies and Nazis in Sniper Elite.*, I've been top of the pile on master mode on Rocksmith. But I'm also a crypto hardware engineer in my late 40s with grandchildren and no tendency to yell into microphones.
movies that I won't go to see.
I played with it for a while, was initially amused and then got bored.
But my 5 year old grandson loves it and keeps coming back. It's the game on which he finally cracked the WASD/Mouse thing, which is a pretty important life skill in my book.
> Who the fuck cares
I don't, but the authors of the offensive articles really screwed up.
They took a demographic they considered male, teenage basement dwellers and wrote a couple of astonishingly offensive articles, on a website aimed at that demographic. Then they found out that 'gamer' != that demographic. It cuts right across all levels of society and all genders. So they managed to write something offensive to everyone. When the story broke out of the bubble of that one website, sympathy for the authors was heavily muted by the fact that everyone who plays computer games, myself included, thinks they brought it upon themselves, because they can see plainly how offensive the articles were and how the articles are talking squarely about them, regardless of where they sit in society.
Not being the sort of person to take offense at random things on the internet, I really don't care, but it's still pretty obvious the authors screwed up and got a predictable response. Society has people who live on a broad distribution of extremism. If you uniformly offend people across the distribution, you're going to offend the sort of people who send death threats over the internet for fun.
>This is important news.
I'm not criticizing the reporting. I'm criticizing the FBI for putting out blatantly manipulative, fear mongering press releases.
> If China is stepping up its state sponsored spying and digital theft
They are. So is everyone else. That isn't new news.
>If you have no use for it
If they told us something we could take action on, like a way to distinguish these 'new' bad actors from anyone else, that would be news I could use.
>clearly you aren't a nerd
Yes clearly. I'll hand my nerd card into the local nerd management office and take up accounting rather than crypto.
I presume the company I work for is a target, but it's no less a target from any other government.
This isn't news I can use. There's no behavior change that is a rational response to this. It's not like we didn't already know there are several governments trying to get access to all our stuff.
So they're great at killing and spying. They don't have a track record in doing 'good' things like providing cheap, clean energy.
Agree. A good article would explain how it happens, such as on Cisco gear and how it may or may not be deliberate and would explain what you can do about it, e.g. use a VPN service.
Isn't the end result the same?
If a transparent proxy changes the TLS messages, it's filtering encrypted traffic so it's a MITM attack.
Still evil.
This was discussed when we were writing the 802.11i security specs. If an attacker can selectively DoS the link/network/whatever when security is enabled, you can fool the user to conclude the security is the problem and turn it off, whereupon everything starts to work.
There is a collision of two principles
1) Silently drop bad packets.
2) Let the user know something bad is happening.
These are opposing goals. In the case of this attack, we want #2, because we know they have evil intent and plaintext is not ok and we need the user to not turn off TLS.
In other cases, like front door attacks (as opposed to MITM), #1 is the way.
This is why designing a good security protocol is hard and TLS still does the wrong thing at the wrong time.
I myself am Christian, but not in the annoying way that many are.
Why do you think your irrational belief in ghosts is less annoying than someone else's?
Ultimately, the willingness to believe things because "someone said so" is what leads to the ills of religion in its many forms. Your religion is no less irrational or annoying than someone else's.
At least you can diagnose and fix issues with shell scripts with vi and a bit of knowledge. Try that with a binary blob that stores its data in a binary store.
Well with the source code of the binary blob, you could diagnose and fix issues with vi and a bit of knowledge.
>I’m sure this won’t be the only "css" sucks comment.
You're not wrong. Can I mention inheritance, or the lack thereof?
FFS, I want to say - "This is like that but with this thing changed"
This is probably why every CSS preprocessor adds inheritance. Because it's missing from CSS.
My analysis is that the authors who drafted it were browser writers, not web content developers, who wanted something that slotted right into their data model.