Re: [Tails-dev] Please review MAC address spoofing documenta…

Delete this message

Reply to this message
Autor: sajolida
Data:  
Dla: The Tails public development discussion list
Temat: Re: [Tails-dev] Please review MAC address spoofing documentation
intrigeri:
> Congrats! Here are a few comments and suggestions:


Thanks a lot for your comments! Even if it took me a couple of hours to
process all that, I really think that was needed: it improved this piece
of doc and beyond.

Still, I allowed myself to reject some of them :)

> * Perhaps "What is a MAC address?" instead of "What are
> MAC addresses?"


Done.

> * I would perhaps use "network interface" instead of "network card".


Indeed. I've replaced "device" by "card" but was not 100% convinced
either. The right word is "interface" indeed. Still I kept the "card"
terminology in the expressions "credit card" and "SIM card" :)

> * s/your laptop/the same laptop/


Those two bullet points are meant as example, not general explanation. I
tried to remove the "your?" words but was not convinced by the result...

> * s/being a Tails users/being a Tails user/
> * It's not put clearly what conclusion the reader is supposed to draw
> from "Someone observing the traffic coming out of your computer on
> the local network can probably suspect you of being a Tails users,
> as explained in our documentation on network fingerprint", once
> combined with "Having such a unique identifier used on the local
> network can harm your privacy".


This part has been rephrased thanks to anonym:

2. As explained in our documentation on [[network
fingerprint|about/fingerprint]], someone observing the traffic coming
out of your computer on the local network can probably see that you are
using Tails. In that case, your MAC address can **identify you as a
Tails user**.

> * "MAC address spoofing hides the serial number of your network card,
> and so to some extend, who you are, to the local network." <-- maybe
> make it clear that this is true if you're using Tails, and not
> in general?


To please our geek karma regarding correctness I thought I could either:
- add "in Tails" somewhere in the second sentence but that wouldn't make
this point clearer to anyone else but someone who understands it already.
- add a more thorough explanation about what MAC spoofing doesn't do
outside of Tails, but we don't pretend to be a general security guide
and that's outside of the scope we use pretend covering.

Make sense? Alternative proposal?

> * "it might also cause connectivity problems or suspicious network
> activity": well, spoofing a MAC address does not by itself cause
> suspicious network activity, it instead makes network activity look
> suspicious. Not sure if this can be clarified easily, your call.


I'm not sure I understood your point here, but I changed it to:

« MAC address spoofing is enabled by default in Tails because it is
usually beneficial. But in some situations it might also lead to
connectivity problems or make your network activity look suspicious. »

> * s/according to your situation/depending on your situation/ would
> seem clearer to me ("according to" has various meanings).


Indeed.

> * "a free Wi-Fi" does not make much sense to me, as "a Wi-Fi" does not
> mean much; perhaps "a Wi-Fi hotspot" instead?


That's a metonymy I've seen used all over the place [1], but for
correction I changed that to "free Wi-Fi service".

[1]: https://en.wikipedia.org/wiki/Wi-Fi#City-wide_Wi-Fi

> * FWIW, people who congratuled me directly for the Unsafe Browser
> feature were talking of McDonald's, not airports. Instead of "in an
> airport", I'd rather see an example less targeted at the class of
> people who can afford flying; maybe more people could easily relate
> to "in a fast-food restaurant" (even if that's also a strong
> cultural marker).


What about "in a restaurant" or "in a bar or restaurant"?

> * In "It also hides the fact that you are the one running Tails on
> this network.", I'd rather not imply that only one person is running
> Tails on this network. "... that *you* are running Tails", instead?


Done.

> * "your anonymity on Internet" <-- isn't our doc standardized on "the
> Internet"?


Already fixed.

> * It strikes me as odd that this documentation only mentions leaking
> MAC addresses on the LAN, and has nothing about its broadcasting in
> the air when using Wi-Fi. Is this on purpose?


In the section describing the threads, I think the language is vague
enough to cover this scenario: « Someone observing those networks can
recognize your MAC address and track your geographical location. » and
« someone observing the traffic coming out of your computer on the
local network ».

But I could add a footnote from there to make it more explicit as well:

« While using Wi-Fi, anybody within range of your Wi-Fi interface can
see your MAC address, even without being connected to the same Wi-Fi
access point. »

Can you also confirm this is technical true with WPA in all its flavors?
I don't want to misunderstand your point...

> * In "It can even look suspicious to the network administrators to have
> an unknown MAC address used on that network.": s/to have/to see/,
> and maybe s/used/being used/.


Fixed.

> * This documentation does not explain *how* to disable MAC spoofing.


Indeed. And actually, the explanation of the other Tails Greeter options
were not in a good shape either. So I reworked them all a bit to be
consistent.

> * In the navigation path (next / previous links), I think I would
> group the 2 options that are about networking (MAC spoofing and
> bridges), and the 2 options that are about local stuff
> (administration password, camouflage), to avoid some context
> switches to the user.


And map the order of the option in Tails Greeter. Done.

> * "Using your own computer on a restricted network where you had to
> register with your identity or credit card. In this case, you
> already revealed your geographical location to the local network by
> other means." <--- right, but you perhaps have not revealed them
> what specific computer you own / are carrying. Besides, that's
> a list of cases when MAC spoofing can be problematic, and this
> bullet point does not explain what would be the problem.


Indeed, MAC spoofing is not problematic as such in this case, and the
fact that your credit card transactions can also track you is documented
later on. So I'm in favor of just removing that paragraph.
I'd like your acknowledgment on this.

> * "in your hardware or its drivers" <--- maybe replace "its drivers"
> with "in Linux"?


Why not.

> * I would rewrite "if your local network has a restricted access based
> on" into "if access to your local network is restricted based on".


Done.

> * I would rewrite "the number of your SIM card (IMSI)" into "the
> identifier of your SIM card (IMSI)"


Done.

> * Regarding "to the phone network", I think it should be made clearer
> if we mean "to the mobile phone company" (there's probably a more
> idiomatic way to put it, btw), and/or to other participants to this
> specific mobile phone network, or what.


Chanted to "mobile phone operator".

> * Regarding Intel AMT, I think it should be mentioned as one example
> of a broader technology (out-of-band administration): there are
> other implementations.


We decided to deal with that in a different way, see c483070.

--
sajolida