be prepared for the german law for big WLAN hot spots

toralf
Developer

Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg

Posted: Sat Apr 11, 2015 4:10 pm    Post subject: be prepared for the german law for big WLAN hot spots

Code:
#  WLAN
#
#config_wlp3s0="dhcp"

preup(){
  if [[ "$IFACE" = "wlp3s0" ]]; then
    macchanger -r $IFACE
  fi
}

postdown(){
  if [[ "$IFACE" = "wlp3s0" ]]; then
    macchanger -p $IFACE
  fi
}
edit: limit this for WLAN interface and filed https://bugs.gentoo.org/show_bug.cgi?id=547020
Update, much better:
Code:
mac_wlp3s0="random-samekind"
within /etc/conf.d/net (if it works however, I do suffer from a driver bug)

Last edited by toralf on Thu Apr 23, 2015 4:47 pm; edited 5 times in total

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

Posted: Sat Apr 11, 2015 5:01 pm

toralf,

Will we be able to get these big WLAN hot spots in Scotland :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

toralf
Developer

Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg

Posted: Sat Apr 11, 2015 6:32 pm

yeah, btw (in German): http://www.heise.de/newsticker/meldung/Oeffentliche-WLAN-Hotspots-sollen-schnueffeln-helfen-2599623.html

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Tue Apr 14, 2015 1:36 pm    Post subject: Re: be prepared for the german law for big WLAN hot spots

toralf wrote:
Code:
#  WLAN
#
#config_wlp3s0="dhcp"

preup(){
  if [[ "$IFACE" = "wlp3s0" ]]; then
    macchanger -r $IFACE
  fi
}

postdown(){
  if [[ "$IFACE" = "wlp3s0" ]]; then
    macchanger -p $IFACE
  fi
}
edit: limit this for WLAN interface


If you do that, please set your DHCP clients to release their lease if they can, so as to reduce the lease pool burning out!
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

toralf
Developer

Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg

Posted: Tue Apr 14, 2015 1:41 pm    Post subject: Re: be prepared for the german law for big WLAN hot spots

UberLord wrote:
If you do that, please set your DHCP clients to release their lease if they can, so as to reduce the lease pool burning out!
good hint

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Tue Apr 14, 2015 1:42 pm

Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Tue Apr 14, 2015 1:44 pm

NeddySeagoon wrote:
Will we be able to get these big WLAN hot spots in Scotland :)


Scotland has teh intertubez? :roll:
Isn't the Scottish hotspot called England? :twisted:

OK, I'll stop now :D
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Fri Apr 17, 2015 6:47 am

UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.

As for the rest: please do.. ;p

toralf
Developer

Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg

Posted: Fri Apr 17, 2015 8:22 am

steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.
+1 - that's a candidate for the GMN

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Fri Apr 17, 2015 6:23 pm

Yeah that'd be cool, toralf.

krinn
Watchman

Joined: 02 May 2003
Posts: 7470

Posted: Sat Apr 18, 2015 12:38 am

Sorry for being curious. What is this law about?

toralf
Developer

Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg

Posted: Sat Apr 18, 2015 4:39 pm

krinn wrote:
Sorry for being curious. What is this law about?
Bigger public WLAN hot spots have to support the spy action of the government (as this has to be made by TelCos for wired communication already)

krinn
Watchman

Joined: 02 May 2003
Posts: 7470

Posted: Sat Apr 18, 2015 5:43 pm

Ah, I knew it was something stupid again.
Looks like European countries cannot work together, but when it comes to do shit, even following different paths, they all walk toward the same direction.

The French did it easier btw, we have the great entity that attacks the IP owner (lol yeah, I know, you were thinking nobody could do worse than Germans, but French beat you badly).
Of course our ISP add free wifi option that takes few of your bandwidth to provide free wifi to other travellers next to your spot, combine that with the "your IP is the badass, so you're the rat" ; wonder result :)

It would be laughable if they (our politicians) weren't paid to do that crap, but they are, and with good big numbers.

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Sun Apr 19, 2015 2:33 am

toralf wrote:
Bigger public WLAN hot spots have to support the spy action of the government (as this has to be made by TelCos for wired communication already)

Hmm. Art. 1 of the Grundgesetz provides:
Code:
(1) The dignity of [man] shall be inviolable. To respect and protect it shall be the duty of all state authority.
(2) The German people therefore acknowledge inviolable and inalienable human rights as the basis of every community, of peace and justice in the world

I really don't see how one can square arbitrary, Stasi-style blanket surveillance of all correspondence, with respect for anyone's right to privacy and a family life.

I was under the impression the ECHR had already ruled to that effect, but that might just be wishful thinking.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7470

PostPosted: Sun Apr 19, 2015 5:10 am    Post subject: Reply with quote

Yeah steveL, but something you read as "is" was written as "shall be" :)
Don't worry, they would do the same even if it was written with "is"

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Mon Apr 20, 2015 2:59 am

krinn: As it was, so shall it be.. yea, and verily. ;-)

yngwin
Retired Dev

Joined: 19 Dec 2002
Posts: 4572
Location: Suzhou, China

Posted: Mon Apr 20, 2015 9:20 am

toralf wrote:
steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.
+1 - that's a candidate for the GMN

I'll be in charge of the next GMN. So can someone do a write-up with clear directions of how to do that and send it to gmn@gentoo.org? Then I'll include it.
_________________
"Those who deny freedom to others deserve it not for themselves." - Abraham Lincoln
Free Culture | Defective by Design | EFF

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Mon Apr 20, 2015 9:37 am

yngwin wrote:
toralf wrote:
steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.
+1 - that's a candidate for the GMN

I'll be in charge of the next GMN. So can someone do a write-up with clear directions of how to do that and send it to gmn@gentoo.org? Then I'll include it.


Unsure what you mean? This is a feature of the stock dhcpcd install, so just use dhcpcd :)
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

lost+found
Guru

Joined: 15 Nov 2004
Posts: 509
Location: North~Sea~Coa~s~~t~~~

Posted: Mon Apr 20, 2015 1:01 pm

rm /var/lib/dhcpcd/dhcpcd-wlan0.lease

Otherwise the old lease is requested (and NAK'ed because of the changed MAC), and "they" gotcha... :?

And how about:
dhcp_wlan0="nontp nosendhost"
So they can't give you a clock skew, and write down your host name. :)

When things don't go as expected (after a crash for instance, or restarting udev after an upgrade), it's a good idea to check /etc/udev/rules.d/70-persistent-net.rules. The MAC addresses in there, must be the real ones. Any extra interfaces added by Udev - based on fake MACs - can be removed. After that it needs a cold boot (power switch off).


Added:
Some reading about macchanger (syntax) in: /usr/share/doc/netifrc-0.2.2/net.example.bz2


Last edited by lost+found on Thu Apr 23, 2015 6:14 am; edited 1 time in total

krinn
Watchman

Joined: 02 May 2003
Posts: 7470

Posted: Tue Apr 21, 2015 8:20 am

UberLord wrote:
yngwin wrote:
toralf wrote:
steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.
+1 - that's a candidate for the GMN

I'll be in charge of the next GMN. So can someone do a write-up with clear directions of how to do that and send it to gmn@gentoo.org? Then I'll include it.


Unsure what you mean? This is a feature of the stock dhcpcd install, so just use dhcpcd :)

Because this feature is not well known, and just this feature may let many users use dhcpcd to have it.
Privacy (to my knowledge) isn't really a problem for us resident, but Europeans really take that seriously.

charles17
Advocate

Joined: 02 Mar 2008
Posts: 3664

Posted: Tue Apr 21, 2015 8:55 am

steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.

You're welcome to add it to the wiki.

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Thu Apr 23, 2015 2:12 am

I'd gladly add it, if I knew wtf "the EUI64 component of your SLAAC address" meant (beyond the obvious that it looks like a 64-bit field, which reveals your LAN MAC addr.) Still, it's not so much about the wiki, though ofc it should be there too.

IOW: we need about a paragraph at least from UberLord, explaining what it is in a bit more context.

UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Thu Apr 23, 2015 10:52 am

IPv6 supports end to end connectivity. There is no NAT (at least not normally).
As such, a host you connect to will know your IPv6 address.

An IPv6 address is comprised of two parts - the Prefix which is unique to your site (office, home, etc) and your HostID, which is unique to your host at the site.
The HostID is generally formed from the MAC address of the network interface (which has to be unique to the site as well for IPv4 to work)

Take this IPv6 address
fe80::dead:beff:feef:f00d

From this, we can derive that the MAC address is de:ad:be:ef:f0:0d.
We know this because the magic bits ff:fe are inserted in the middle.
If this host had a global prefix (fe80:: is local) it would look like so
2345:123:3::dead:beff:feef:f00d

So you can see, MAC address is the same.

There are two ways to mitigate this - DHCPv6 (because it's a stateful address and not PHY based) or a different way of generating the HostID.
IPv6 has long supported random temporary addresses, but this has pitfalls as you cannot use it on say a server and won't easily work with DNS.
This is where RFC 7217 comes into play. By storing a secret key on the host, we can use this along with other information such as the Prefix, MAC address and SSID of the connected network (obviously wired interfaces won't have that) and combine them together. Put the result through SHA256 and take a portion of the result to be the host ID.
This results in a stable but private address which changes for each network you connect to, so you cannot be tracked by IPv6 address across networks *

Here's the original Gentoo news article:
https://www.gentoo.org/support/news-items/2014-07-17-dhcpcd_6.4.2_changes_defaults_for_ipv6.html

* Of course, you are generally tracked by your browser as well, but we're strictly talking network topology here.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool


Last edited by UberLord on Thu Apr 23, 2015 11:45 am; edited 1 time in total
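
The two host ID schemes described in the post above, as an added example (not part of the original post and not dhcpcd's code): recovering the MAC from an EUI-64 style address, and an RFC 7217-style host ID built with SHA-256. Modified EUI-64 (RFC 4291) also inverts the universal/local bit of the first octet, which the recovery function accounts for. The function names, the length-prefixed field encoding and all sample values are assumptions made for illustration.

```python
import hashlib
import ipaddress


def mac_from_eui64(addr):
    """Return the MAC address embedded in a modified EUI-64 host ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]       # low 64 bits = host ID
    if iid[3:5] != b"\xff\xfe":                        # filler bytes absent
        return None
    # RFC 4291 inverts the universal/local bit (0x02) of the first octet.
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def stable_private_address(prefix, mac, ssid, secret, dad_counter=0):
    """RFC 7217-style address: SHA-256 over prefix, interface, network, key."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC host IDs need a /64 prefix")
    fields = (
        net.network_address.packed[:8],                # the 64-bit prefix
        bytes.fromhex(mac.replace(":", "")),           # interface identity
        ssid.encode(),                                 # network identity
        bytes([dad_counter]),                          # bumped on a DAD conflict
        secret,                                        # per-host secret key
    )
    digest = hashlib.sha256()
    for field in fields:
        # Length prefix keeps field boundaries unambiguous (assumed encoding).
        digest.update(len(field).to_bytes(2, "big") + field)
    host_id = int.from_bytes(digest.digest()[-8:], "big")  # low-order 64 bits
    return str(ipaddress.IPv6Address(int(net.network_address) | host_id))


if __name__ == "__main__":
    # Addresses taken from the post above.
    for addr in ("fe80::dead:beff:feef:f00d", "2345:123:3::dead:beff:feef:f00d"):
        print(addr, "->", mac_from_eui64(addr))
    # Constructed sample values: documentation prefix, made-up MAC, SSIDs, key.
    key = bytes(range(32))
    for ssid in ("cafe-hotspot", "home"):
        addr = stable_private_address("2001:db8:1:2::/64", "00:11:22:33:44:55", ssid, key)
        print(ssid, "->", addr, "embedded MAC:", mac_from_eui64(addr))
```

The same prefix, interface and key always give the same address, while a different SSID gives an unrelated host ID, so the address is stable per network but not linkable across networks.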

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Thu Apr 23, 2015 11:41 am

Perfect, thanks UberLord. :-)

krinn
Watchman

Joined: 02 May 2003
Posts: 7470

Posted: Thu Apr 23, 2015 11:49 am

How can it work with a NAT?
From my knowledge if my IP is 3.3.3.3 and this host (mac 4.4.4.4) sends something to someone, it would send it back to my IP with my mac in it, allowing the router to know even it's for 3.3.3.3 the reply is for the host with the mac 4.4.4.4 and not some other random hosts.

So if the router cannot match the mac return value, it may drop the reply or give it to the host that is dmz no?
I don't have any ipv6 router to see how this works, but aren't ipv6 packets made with the mac inside them too?