intrigeri: >>> changing mac gets admin attention
>
>> Is this a realistic threat model?
>
> In a setup with a static list of allowed MAC addresses (e.g. a LAN
> with desktop computers that get fixed DHCP addresses in function of
> their MAC address, and where no other computers are supposed to be
> plugged in), any minimal log monitoring system will trigger an alarm.
>
> I don't think this is unrealistic in enterprise settings, even the
> combination of that setup + being able to boot from DVD/USB is
> probably not that common.
>
>>> admin looks for consistent mac
>
>> How realistic is this threat model? Someone sitting at a desk,
>> remembering users and watching their mac address on screen as they boot
>> up their notebook?
>
>> Wouldn't it be much more effective to look over their shoulder or to use
>> a miniature camera to spy on them?
>
> I've no strongly formed opinion on that specific point right now.
>
> However a good start to discuss it would be to avoid mixing "a network
> IDS automatically detects network configuration change events and
> raises alerts" with "a specific user is targetted by people who
> monitor his/her usage with spy gadgets". I think this only adds
> to confusion.
>
>>> admin looks out for unpopular vendor ids
>
>> Whenever this is realistic or does not have to be asked, since macchiato
>> will solve that.
>
> ... if, and only if, its lists grow substantially. Last time I've
> checked, they still looked dramatically small, and using them would
> probably offer attackers means to fingerprint Tails users that we'd
> rather avoid. I don't mean improving these lists is impossible, but
> I'm afraid we should not act as if it will come for free.
Good points!
> Any update on what steps are being taken to improve these lists?
