Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
be prepared for the german law for big WLAN hot spots
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3648
Location: Hamburg

PostPosted: Sat Apr 11, 2015 4:10 pm    Post subject: be prepared for the german law for big WLAN hot spots Reply with quote

Code:
#  WLAN
#
#config_wlp3s0="dhcp"

preup(){
  if [[ "$IFACE" = "wlp3s0" ]]; then
    macchanger -r $IFACE
  fi
}

postdown(){
  if [[ "$IFACE" = "wlp3s0" ]]; then
    macchanger -p $IFACE
  fi
}
edit: limit this for WLAN interface and filed https://bugs.gentoo.org/show_bug.cgi?id=547020
Update much better :
Code:
mac_wlp3s0="random-samekind"
within /etc/conf.d/net (if it works however, I do suffer from a driver bug)

Last edited by toralf on Thu Apr 23, 2015 4:47 pm; edited 5 times in total
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42592
Location: 56N 3W

PostPosted: Sat Apr 11, 2015 5:01 pm    Post subject: Reply with quote

toralf,

Will we be able to get these big WLAN hot spots in Scotland :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3648
Location: Hamburg

PostPosted: Sat Apr 11, 2015 6:32 pm    Post subject: Reply with quote

yeah, btw (in german) : http://www.heise.de/newsticker/meldung/Oeffentliche-WLAN-Hotspots-sollen-schnueffeln-helfen-2599623.html
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6737
Location: Blighty

PostPosted: Tue Apr 14, 2015 1:36 pm    Post subject: Re: be prepared for the german law for big WLAN hot spots Reply with quote

toralf wrote:
Code:
#  WLAN
#
#config_wlp3s0="dhcp"

preup(){
  if [[ "$IFACE" = "wlp3s0" ]]; then
    macchanger -r $IFACE
  fi
}

postdown(){
  if [[ "$IFACE" = "wlp3s0" ]]; then
    macchanger -p $IFACE
  fi
}
edit: limit this for WLAN interface


If you do that, please set your DHCP clients to release their lease if they can so to reduce the lease pool burning out!
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3648
Location: Hamburg

PostPosted: Tue Apr 14, 2015 1:41 pm    Post subject: Re: be prepared for the german law for big WLAN hot spots Reply with quote

UberLord wrote:
If you do that, please set your DHCP clients to release their lease if they can so to reduce the lease pool burning out!
good hint
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6737
Location: Blighty

PostPosted: Tue Apr 14, 2015 1:42 pm    Post subject: Reply with quote

Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6737
Location: Blighty

PostPosted: Tue Apr 14, 2015 1:44 pm    Post subject: Reply with quote

NeddySeagoon wrote:
Will we be able to get these big WLAN hot spots in Scotland :)


Scotland has teh intertubez? :roll:
Isn't the Scottish hotspot called England? :twisted:

OK, I'll stop now :D
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Fri Apr 17, 2015 6:47 am    Post subject: Reply with quote

UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.

As for the rest: please do.. ;p
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3648
Location: Hamburg

PostPosted: Fri Apr 17, 2015 8:22 am    Post subject: Reply with quote

steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.
+1 - that' a candidate for die GMN
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Fri Apr 17, 2015 6:23 pm    Post subject: Reply with quote

Yeah that'd be cool, toralf.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 6968

PostPosted: Sat Apr 18, 2015 12:38 am    Post subject: Reply with quote

Sorry for being curious. What this law is about?
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3648
Location: Hamburg

PostPosted: Sat Apr 18, 2015 4:39 pm    Post subject: Reply with quote

krinn wrote:
Sorry for being curious. What this law is about?
Bigger public WLAN hot spots have to support the spy action of the goverment (as this has to be made by TelCos for wired communication already)
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 6968

PostPosted: Sat Apr 18, 2015 5:43 pm    Post subject: Reply with quote

Ah, i knew it was something stupid again.
Looks like european countries cannot work together, but when it comes to do shit, even following different paths, they all walk toward the same direction.

french did it easier btw, we have the great entity that attack the IP owner (lol yeah, i know, you were thinking nobody could do worst than germans, but french beat you badly).
Of course our ISP add free wifi option that takes few of your bandwith to provide free wifi to other travellers next to your spot, combine that with the "your IP is the badass, so you're the rat" ; wonder result :)

It would be laughable if they (our politicians) weren't pay to do that crap, but they are, and with good big numbers.
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Sun Apr 19, 2015 2:33 am    Post subject: Reply with quote

toralf wrote:
Bigger public WLAN hot spots have to support the spy action of the goverment (as this has to be made by TelCos for wired communication already)

Hmm. Art. 1 of the Grundgesetz provides:
Code:
(1) The dignity of [man] shall be inviolable. To respect and protect it shall be the duty of all state authority.
(2) The German people therefore acknowledge inviolable and inalienable human rights as the basis of every community, of peace and justice in the world

I really don't see how one can square arbitrary, Stasi-style blanket surveillance of all correspondence, with respect for anyone's right to privacy and a family life.

I was under the impression the ECHR had already ruled to that effect, but that might just be wishful thinking.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 6968

PostPosted: Sun Apr 19, 2015 5:10 am    Post subject: Reply with quote

Yeah steveL, but something you read as "is" was written as "shall be" :)
Don't worry, they would do the same even if it was written with "is"
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Mon Apr 20, 2015 2:59 am    Post subject: Reply with quote

krinn: As it was, so shall it be.. yea, and verily. ;-)
Back to top
View user's profile Send private message
yngwin
Retired Dev
Retired Dev


Joined: 19 Dec 2002
Posts: 4572
Location: Suzhou, China

PostPosted: Mon Apr 20, 2015 9:20 am    Post subject: Reply with quote

toralf wrote:
steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.
+1 - that' a candidate for die GMN

I'll be in charge of the next GMN. So can someone do a write-up with clear directions of how to do that and send it to gmn@gentoo.org? Then I'll include it.
_________________
"Those who deny freedom to others deserve it not for themselves." - Abraham Lincoln
Free Culture | Defective by Design | EFF
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6737
Location: Blighty

PostPosted: Mon Apr 20, 2015 9:37 am    Post subject: Reply with quote

yngwin wrote:
toralf wrote:
steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.
+1 - that' a candidate for die GMN

I'll be in charge of the next GMN. So can someone do a write-up with clear directions of how to do that and send it to gmn@gentoo.org? Then I'll include it.


Unsure what you mean? This is a feature of the stock dhcpcd install, so just use dhcpcd :)
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
lost+found
Guru
Guru


Joined: 15 Nov 2004
Posts: 508
Location: North~Sea~Coa~s~~t~~~

PostPosted: Mon Apr 20, 2015 1:01 pm    Post subject: Reply with quote

rm /var/lib/dhcpcd/dhcpcd-wlan0.lease

Otherwise the old lease is requested (and NAK'ed because of the changed MAC), and "they" gotcha... :?

And how about:
dhcp_wlan0="nontp nosendhost"
So they can't give you a clock skew, and write down your host name. :)

When things don't go as expected (after a crash for instance, or restarting udev after an upgrade), it's a good idea to check /etc/udev/rules.d/70-persistent-net.rules. The MAC addresses in there, must be the real ones. Any extra interfaces added by Udev - based on fake MACs - can be removed. After that it needs a cold boot (power switch off).


Added:
Some reading about macchanger (syntax) in: /usr/share/doc/netifrc-0.2.2/net.example.bz2


Last edited by lost+found on Thu Apr 23, 2015 6:14 am; edited 1 time in total
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 6968

PostPosted: Tue Apr 21, 2015 8:20 am    Post subject: Reply with quote

UberLord wrote:
yngwin wrote:
toralf wrote:
steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.
+1 - that' a candidate for die GMN

I'll be in charge of the next GMN. So can someone do a write-up with clear directions of how to do that and send it to gmn@gentoo.org? Then I'll include it.


Unsure what you mean? This is a feature of the stock dhcpcd install, so just use dhcpcd :)

Because this feature is not well known, and just this feature may let many users use hdcpcd to have it.
Privacy (to my knowledge) isn't really a problem for us resident, but europeans really take that seriously.
Back to top
View user's profile Send private message
charles17
Advocate
Advocate


Joined: 02 Mar 2008
Posts: 2583

PostPosted: Tue Apr 21, 2015 8:55 am    Post subject: Reply with quote

steveL wrote:
UberLord wrote:
Of far greater concern is sites you visit tracking the EUI64 component of your SLAAC address - so they have your MAC address regardless of the hotspot itself.
Luckily dhcpcd defaults to providing a private stable SLAAC address without any MAC details being leaked past the router ;)

That's good to know. Sometimes I think we should publicise all these aspects of dhcpcd more brazenly.

You're welcome to add it to the wiki.
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Thu Apr 23, 2015 2:12 am    Post subject: Reply with quote

I'd gladly add it, if I knew wtf "the EUI64 component of your SLAAC address" meant (beyond the obvious that it looks like a 64-bit field, which reveals your LAN MAC addr.) Still, it's not so much about the wiki, though ofc it should be there too.

IOW: we need about a paragraph at least from UberLord, explaining what it is in a bit more context.
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6737
Location: Blighty

PostPosted: Thu Apr 23, 2015 10:52 am    Post subject: Reply with quote

IPv6 supports end to end connectivity. There is no NAT (at least not normally).
As such, a host you connect to will know your IPv6 address.

A IPv6 address is compromised of two parts - the Prefix which is unique to your site (office, home, etc) and your HostID, which is unique to your host at the site.
The HostID is generally formed from the MAC address of the network interface (which has to be unique to the site as well for IPv4 to work)

Take this IPv6 address
fe80::dead:beff:feef:f00d

From this, we can derive tha the MAC address is de:ad:be:ef:f0:0d.
We know this because the magic bits ff:fe are inserted in the middle.
If this host had a global prefix (fe80:: is local) it would look like so
2345:123:3::dead:beff:feef:f00d

So you can see, MAC address is the same.

There are two ways to mitigate this - DHCPv6 (because it's a stateful address and not PHY based) or a different way of generating the HostID.
IPv6 has long supported random temporary addresses, but this has pitfalls as you cannot use it on say a server and won't easily work with DNS.
This is where RFC 7217 comes into play. By storing a secret key on the host, we can use this along with other information such as the Prefix, MAC address and SSID of the connected network (obviously wired interfaces won't have that) and combine them together. Put the result through SHA256 and take a portion of the result to the be host ID.
This results in a stable but private address which changes for each network you connect to, so you cannot be tracked by IPv6 address across networks *

Here's the original Gentoo news article:
https://www.gentoo.org/support/news-items/2014-07-17-dhcpcd_6.4.2_changes_defaults_for_ipv6.html

* Of course, you are generally tracked by your browser as well, but we're strictly talking network topology here.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool


Last edited by UberLord on Thu Apr 23, 2015 11:45 am; edited 1 time in total
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Thu Apr 23, 2015 11:41 am    Post subject: Reply with quote

Perfect, thanks UberLord. :-)
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 6968

PostPosted: Thu Apr 23, 2015 11:49 am    Post subject: Reply with quote

How can it works with a NAT?
From my knowledge if my IP is 3.3.3.3 and this host (mac 4.4.4.4) send something to someone, it would send it back to my IP with my mac in it, allowing the router to know even it's for 3.3.3.3 the reply is for the host with the mac 4.4.4.4 and not some other random hosts.

So if the router cannot match the mac return value, it may drop the reply or give it to the host that is dmz no?
I don't have any ipv6 router to see how this work, but do ipv6 packets aren't made with the mac inside them too?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum