Re: [Tails-dev] [RFC] Design (and prototype) for MAC spoofin…

Author: Sina S
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [RFC] Design (and prototype) for MAC spoofing in Tails
Thanks for the great discussion on this topic.

A real world anecdote:

When I log in to TAILS on my MSI brand netbook, the wireless device does not
appear in network-manager and I must use the keyboard hotkey to disable and
then re-enable the wireless device before network-manager shows any
"wireless connections are available" message.

So I am worried that in this example, the MAC will not be spoofed correctly
prior to the initial wireless "scan" sent out to find access points.


On 10 October 2013 07:01, <irregulator@???> wrote:

> On 10/09/2013 07:32 PM, anonym wrote:
> >
> > ## Using Tails at home
> >
> > First, note that the user's relation (owner, family member's,
> > friend's, work's, borrowed, etc.) to the computer running Tails
> > doesn't matter; the location is already directly related to the user's
> > identity. Similarly, because of this, MAC spoofing is of very limited
> > value for both AvoidTracking and AvoidIdTails.
> >
> > MAC spoofing could hinder AvoidSuspicion if detected by the ISP's
> > hardware (i.e. no trusted router in the way). Similarly, ISP-provided
> > hardware may employ some sort of MAC address white-listing (e.g. only
> > X unique ones are allowed) that can prevent AvoidConnectionProbs.
> >
> > Summary: MAC spoofing should be avoided but isn't terribly dangerous
> > if enabled.
> >
>
> That's a very thorough and interesting analysis of changing the MAC address,
> thanks.
>
> I want to argue on "MAC spoofing should be avoided but isn't terribly
> dangerous if enabled." when using Tails at home. I wouldn't say that
> AvoidIdTails is negligible.
>
> As you correctly write, spoofing the MAC could raise suspicion. On the other
> hand, suppose the user is under surveillance for whatever reason, and an
> adversary's goal is to link the user to a certain internet persona, for
> example a nickname in an IRC room. The adversary is monitoring the user's
> local router and correlates the following:
>
> - a MAC address connects to the router
> - that PC starts using Tor
> - a certain nickname shows up in the IRC room
>
> After a period of time in which the adversary monitors the above events and
> seeks correlation, they are able to be certain that the user is the one using
> that nickname.
>
> All the adversary has to do now is prove that the MAC address is owned
> by that user.
>
> Of course, if the adversary is constantly monitoring the user's connections
> and router, they will be alarmed when a random MAC appears. Nevertheless, that
> MAC does not provably belong to the user.
>
> Interestingly, a similar case is described in Hammond Jeremy's complaint,
> page 29 [1], when FBI agents used wireless traffic sniffing and MAC address
> logging to correlate Hammond to a certain persona.
>
> So, weighing "not spoofing the MAC so as not to raise alarm" against
> "spoofing the MAC so that certain connections cannot be tracked to the user's
> NIC", I would say the latter is preferred.
>
> Summary : MAC spoofing could be used under certain circumstances.
>
> Greetings
>
>
> [1]
> www.wired.com/images_blogs/threatlevel/2012/03/Hammond-Jeremy-Complaint.pdf