Re: [Tails-dev] [RFC] Design (and prototype) for MAC spoofin…

Delete this message

Reply to this message
Autore: irregulator
Data:  
To: tails-dev
Oggetto: Re: [Tails-dev] [RFC] Design (and prototype) for MAC spoofing in Tails
On 10/09/2013 07:32 PM, anonym wrote:
>
> ## Using Tails at home
>
> First, note that the user's relation (owner, family member's,
> friend's, work's, borrowed, etc.) to the computer running Tails
> doesn't matter; the location is already directly related to the user's
> identity. Similarly, because of this, MAC spoofing is of very limited
> value for both AvoidTracking and AvoidIdTails value.
>
> MAC spoofing could hinder AvoidSuspicion if detected by the ISP's
> hardware (i.e. no trusted router in the way). Similarly, ISP-provided
> hardware may employ some sort of MAC address white-listing (e.g. only
> X unique ones are allowed) that can prevent AvoidConnectionProbs.
>
> Summary: MAC spoofing should be avoided but isn't terribly dangerous
> if enabled.
>


That's a very thorough and interesting analysis on changing mac address,
thanks.

I want to argue on "MAC spoofing should be avoided but isn't terribly
dangerous if enabled." when using Tails at home. I wouldn't say that
AvoidIdTails is negligible.

As you correctly write spoofing MAC could raise suspicion. On the other
hand, if user is under surveillance for whatever reason, and an
adversary's goal is to link the user to a certain internet persona, for
example a nickname in an IRC room. Adversary is monitoring user's local
router and correlates the following :

- a MAC address connects to the router
- that PC starts using Tor
- a certain nickname shows up in the IRC room

After a period of time that the adversary monitors the above events and
seeks for correlation, is able to be certain that user is the one using
that nickname.

All the adversary has to do now, is prove that the MAC address is owned
from that user.

Of course if adversary is constantly monitoring user's connections and
router, will be alarmed when a random MAC will appear. Nevertheless that
MAC does not provably belong to the user.

Interestingly a similar case is described in Hammond Jeremy's complaint,
page 29 [1], when FBI agents used wireless traffic sniffing, MAC address
logging to correlate Hammond to a certain persona.

So, weighing the "not spoofing MAC so as not to raise alarm" and
"spoofing MAC so as not certain connections can be tracked to user's
NIC", I would say the latter is preferred.

Summary : MAC spoofing could be used under certain circumstances.

Greetings


[1]
www.wired.com/images_blogs/threatlevel/2012/03/Hammond-Jeremy-Complaint.pdf