ipv6 privacy extensions

On 7/24/2016 2:14 PM, HighSpy wrote:
On 23/07/2016 20:57, Justin Tyme wrote:
On Sat, 23 Jul 2016 11:55:09 +0100, HighSpy
wrote:

On 23/07/2016 10:02, Justin Tyme wrote:
On Fri, 22 Jul 2016 17:04:59 -0400, Neil
wrote:

On 7/22/2016 3:34 PM, Mayayana wrote:

Totally agree with you Neil.

Figures

I just added my grandaugter's mac address and she never has to login,
which for her would be difficult. She enters any Shaw hotspot and the
wifi is just on. It is a convenience for Shaw customers who are all
part of a massive user group. The OP must be part of some user group
and the mac address was used as a convenience to log in automatically.
Nothing more.

Is it me or are you people really that thick?
I'm probably wasting my time here but I'll give it one more go

Apparently there is a management overhead in registering MAC addresses.
Why would the network administrators do something they didn't have to
unless there was a benefit for them?

What is this benefit
If you know the answer and would like to share it that would be great
If you don't know the answer then why bother responding

That lunacy about being tracked is too much. LOL!

We are all surely doomed :-(

Do you actually believe that you are that important to anyone?

Global mass surveillance is a fact but it doesn't affect the vast
majority of people in a negative way. If you are a person of interest
then you need to be very careful. It is very doubtful that you are
that person.

You should treat the internet like an open book that anyone with the
ability to read can access. There are steps you can take that can
enhance your computer privacy to the point where you are anonymous. I
won't go into explaining operational security, but I do understand
OPSEC.

I think some people *overestimate their importance* and become
unreasonably paranoid. The fact that you can be tracked and the steps
you take to avoid being tracked depends upon how big a fish you are
and/or what it is you are trying to hide.

The really worrying thing is you actually sound like you believe your
own propagada. Everything is snuggly and warm and only the bad guys are
being actively watched. That's all right then nothing to worry about.

Better to presume that *everyone* is being watched, since it is unlikely
that one can go through the day in public spaces without being observed.
Those who think otherwise are the ones you see on the news after having
been caught in some anti-social act or another. But, there's still no
requisite connection to ipv6 or library administrators. ;-)

--
Best regards,

Neil

On 07/22/16 00:21, HighSpy so wittily quipped:

Windows 10

I tried this in the windows-8 group with no luck so I thought I'd try it
here, we have windows 7, 8 and 10 machines.

I'm finally trying to get me head around ipv6

I was somewhat alarmed to discover that the low order 64 bits are
reserved for what someone called 'hardware addressing schemes' but I
can't remember where I read this.

https://en.wikipedia.org/wiki/IPv6

"In IPv6 when using address auto-configuration, the Interface Identifier
(MAC address) of an interface port is used to make its public IP address
unique, exposing the type of hardware used and providing a unique handle
for a user's online activity"

The article then goes on about 'privacy extensions'

etc.
it probably applies to automatically generated IPv6 addresses. If
you're using DHCPv6, the DHCP server issues them. But the point that
IPv6 is *PUBLICALLY* viewable should be your biggest concern.

Windows (and win-10-nic is NO exception) has a LOT of open, listening
ports, that typically are NOT firewalled. I compiled a list a while
back, let's see if I can dredge it up...


***

here's a (possibly incomplete) list I compiled using PIDs and listening
ports on Windows 8. From all indications, vista and 7 are similar. XP
has fewer.

135: RpcEptMapper, RpcSs
445: "SYSTEM"
554: WMPNetworkSvc (wmpnetwk.exe)
1025: (udp) mDNS responder
1900: (udp) FDResPub, SSDPSRV, TimeBroker, upnphost
2869: "SYSTEM"
5353: (udp) mDNS responder
5354: mDNS responder
5357: "SYSTEM"
8001: [vista only] "SYSTEM"
10243: "SYSTEM"
49152: wininit.exe
49153: Audiosrv, Dhcp, EventLog, HomeGroupProvider, lmhosts,
Wcmsvc, wscsvc
49154: Appinfo, Browser, CertPropSvc, iphlpsvc, LanmanServer,
ProfSvc, Schedule, SENS, SessionEnv, ShellHWDetection,
SystemEventsBroker, Themes, Winmgmt
49155: KeyIso, SamSs (lsass.exe)
49157: services.exe
49176: Spooler (spoolsv.exe)

additionally...

UDP 546: Audiosrv, Dhcp, EventLog, HomeGroupProvider, lmhosts,
Wcmsvc, wscsvc
UDP 54436: FDResPub, SSDPSRV, TimeBroker, upnphost

also 8001 and 51493 (vista)

***

(I can't quickly find my Win-10-nic list, though, but it's similar)

if you want to see what ports are listening, you can use 'netstat -an'
and filter on 'LISTENING'. '[::]' listens on all IPv6 addresses, which
can be another filter.

keep in mind that 'fe80::' IPv6 addresses are like 'link local'
addresses, and won't route outside of your LAN. you will need to look
at the addresses that DO route to determine what things could be
listening to the public IPv6 address.


worthy of note: there's no way to determine what kind of 0-day thing,
similar to the old 'win nuke', might exploit one of these listening
ports, ports that are essentially 'well-known', and listen on EVERY!
WINDOWS! MACHINE! that runs the typical load of services.

On 07/22/16 07:18, HighSpy so wittily quipped:
So, map the MAC address to the serial number of the device and you have
a bullet proof way of identifying the actual device being used

except you can often CHANGE the mac address...

now I know this is possible on XP [with specific devices], or even on 7
[from what I recall], and can MOST DEFINITELY be done with Linux and BSD.

however, I don't know if it's possible with Win-10-nic. If NOT, it
*should* be.

FYI wifi protocol has your mac address 'in the clear'. It's necessary
for the hardware to properly receive it. But if you assign a MAC
address of your choice, it also defeats 'mac filtering', and prevents
your 'type of hardware' from being identified via the 'OID'.

On 23/07/2016 09:21, Rodney Pont wrote:
On Sat, 23 Jul 2016 08:58:29 +0100, HighSpy wrote:

Again I understand this but what I don't understand is why they are
*insisting* on it. If it was just for our convinience why not let us use
a normal sign in account. It's really no skin off their noses is it, in
fact it's less work for them.

OK, I'm glad you understand that, I wasn't completely sure that you had
understood this aspect of it.

There is some benefit to them in knowing the MAC address beforehand
particularly if they also know the serial number of the device.

I'm trying to find out what this benefit might be. If not to make it
easy to trace a particular activity to an actuall hardwrare device then
what?

Don't assume that they know what they are doing. I can't see any
advantage in them insisting on knowing your MAC address beforehand
except to allow you straight into their network. That isn't really a
safety aspect though, for them, because anyone could monitor what MAC
addresses are in use and spoof one and so have direct access.

It seems to me that you need to ask them their reasons for insisting.
Whatever their reasons it doesn't make you any less secure, you are not
giving them any information they don't already have. Maybe it's as
simple as someone there has just come across the fact that their router
can allow access to know MAC addresses and they think that it's a good
idea and means that they can scrap the login requirements. If that's
the case they really need to think again.

Good luck on getting to the bottom of it.


I asked why they (the network admins) were insisting on registering our
hardware addresses and got the usuall 'legal reasons' response. I
declined their offer and decided to look elsewhere for our group
meetings. I just don't trust someone who hides behind some nebulous and
mysterious 'legal reasons'



--
Quis custodiet ipsos custodes?