ipv6 privacy extensions

On Sat, 23 Jul 2016 07:39:07 +0100, HighSpy wrote:

Why would a network administrator, any network administrator *insist* on
knowing the MAC address of a device before it was used to access the
network if not to track that device.

To allow that device to log in automatically. If they want to track it
they get the MAC address as soon as you try to connect anyway and they
can connect that to your network login and track you without asking if
they really wanted to.

--
Faster, cheaper, quieter than HS2
and built in 5 years;
UKUltraspeed http://www.500kmh.com/

On 23/07/2016 08:35, Rodney Pont wrote:
On Sat, 23 Jul 2016 07:39:07 +0100, HighSpy wrote:

Why would a network administrator, any network administrator *insist* on
knowing the MAC address of a device before it was used to access the
network if not to track that device.

To allow that device to log in automatically.

Yes, I understand that, really, I do

If a device logs in to a normal signed up account with username and
password then they can get hold of the hardware address, if the *device*
is used to play silly buggers they can block that hardware address, all
this is understood.

If they want to track it
they get the MAC address as soon as you try to connect anyway and they
can connect that to your network login and track you without asking if
they really wanted to.

Again I understand this but what I don't understand is why they are
*insisting* on it. If it was just for our convinience why not let us use
a normal sign in account. It's really no skin off their noses is it, in
fact it's less work for them.

There is some benefit to them in knowing the MAC address beforehand
particularly if they also know the serial number of the device.

I'm trying to find out what this benefit might be. If not to make it
easy to trace a particular activity to an actuall hardwrare device then
what?

--
Quis custodiet ipsos custodes?

On Sat, 23 Jul 2016 08:58:29 +0100, HighSpy wrote:

Again I understand this but what I don't understand is why they are
*insisting* on it. If it was just for our convinience why not let us use
a normal sign in account. It's really no skin off their noses is it, in
fact it's less work for them.

OK, I'm glad you understand that, I wasn't completely sure that you had
understood this aspect of it.

There is some benefit to them in knowing the MAC address beforehand
particularly if they also know the serial number of the device.

I'm trying to find out what this benefit might be. If not to make it
easy to trace a particular activity to an actuall hardwrare device then
what?

Don't assume that they know what they are doing. I can't see any
advantage in them insisting on knowing your MAC address beforehand
except to allow you straight into their network. That isn't really a
safety aspect though, for them, because anyone could monitor what MAC
addresses are in use and spoof one and so have direct access.

It seems to me that you need to ask them their reasons for insisting.
Whatever their reasons it doesn't make you any less secure, you are not
giving them any information they don't already have. Maybe it's as
simple as someone there has just come across the fact that their router
can allow access to know MAC addresses and they think that it's a good
idea and means that they can scrap the login requirements. If that's
the case they really need to think again.

Good luck on getting to the bottom of it.


--
Faster, cheaper, quieter than HS2
and built in 5 years;
UKUltraspeed http://www.500kmh.com/

On Fri, 22 Jul 2016 17:04:59 -0400, Neil
wrote:

On 7/22/2016 3:34 PM, Mayayana wrote:
| Perhaps you've not set up a wifi access point, and that is the basis of
| your confusion? It has long been possible to specify MAC addresses that
| can use the WAP, block others, and allow log-ins from non-specified
| devices.

I'm not an expert on wifi. I rarely have occasion to
use it at all. But from my reading of the IPv6 link it
sounds to me like there's a valid concern. If the MAC
address as part of a unique ID is enabled -- or more
to the point, if an IPv6 unique ID is enabled -- then
the IP sent to remote servers contains a unique ID.
That allows the remote server to ID individuals. It also
allows the library to have a log of who visited what site,
based on that ID in the network traffic.

[...]

Maybe I'm mistaken, but that reads to me to say
that what the library is asking is for people using
their wifi to be uniquely identifiable online. Can you
see a different reason for their demands?

If you followed this topic from when it was introduced on the Win8
group, the first question is whether the library is "demanding"
anything. One must understand that having users submit MACs to bypass
wifi log-ins would be sufficiently time-consuming for a public location
to make it completely impractical as a general policy. So, that begs the
question, why that person's particular user group? It looked to me that
it was an offer to make life easier for that person's user group -- for
example, that they frequently use the library's wifi. So, my response to
the question, "should I be concerned" is... no.

The OP's concern seems to be whether s/he can be tracked on-line, and to
that, I said that this issue has little or nothing to do with a MAC
protocol for bypassing log-in at the library. It would be easy to
"track" their user group's on-line activity *whether or not* they bypass
the log-in (think about it for 10 seconds -- once they log in, where is
their "privacy" going to be???)

Finally, if one is *really* concerned about such things, there are
remedies that have been available for decades. So, someone with the OP's
level of knowledge would be better off believing that everything s/he
does on line is exposed. And, the library has nothing to do with it.

+1

Totally agree with you Neil.

My internet provider, Shaw, has hotspots everywhere and my account
lets me add 6 devices so they can get free wifi at any hotspot that
Shaw sponsors. I have to add the mac address for each device, this
enables automatic access to Shaw's wifi network. The mac address is
used to automate the process. At first Shaw wifi did use a
password/login but they quickly abandoned it and went to mac address
for login. I guess a lot of customers had problems with the
password/login process.

I just added my grandaugter's mac address and she never has to login,
which for her would be difficult. She enters any Shaw hotspot and the
wifi is just on. It is a convenience for Shaw customers who are all
part of a massive user group. The OP must be part of some user group
and the mac address was used as a convenience to log in automatically.
Nothing more.

That lunacy about being tracked is too much. LOL!
--
JT

On 23/07/2016 10:02, Justin Tyme wrote:
On Fri, 22 Jul 2016 17:04:59 -0400, Neil
wrote:

On 7/22/2016 3:34 PM, Mayayana wrote:

Totally agree with you Neil.

Figures

I just added my grandaugter's mac address and she never has to login,
which for her would be difficult. She enters any Shaw hotspot and the
wifi is just on. It is a convenience for Shaw customers who are all
part of a massive user group. The OP must be part of some user group
and the mac address was used as a convenience to log in automatically.
Nothing more.

Is it me or are you people really that thick?
I'm probably wasting my time here but I'll give it one more go

Apparently there is a management overhead in registering MAC addresses.
Why would the network administrators do something they didn't have to
unless there was a benefit for them?

What is this benefit

If you know the answer and would like to share it that would be great
If you don't know the answer then why bother responding

That lunacy about being tracked is too much. LOL!

We are all surely doomed :-(


--
Quis custodiet ipsos custodes?

On 7/23/2016 2:48 AM, HighSpy wrote:
On 22/07/2016 22:04, Neil wrote:
On 7/22/2016 3:34 PM, Mayayana wrote:
| Perhaps you've not set up a wifi access point, and that is the
basis of
| your confusion? It has long been possible to specify MAC addresses
that
| can use the WAP, block others, and allow log-ins from non-specified
| devices.

I'm not an expert on wifi. I rarely have occasion to
use it at all. But from my reading of the IPv6 link it
sounds to me like there's a valid concern. If the MAC
address as part of a unique ID is enabled -- or more
to the point, if an IPv6 unique ID is enabled -- then
the IP sent to remote servers contains a unique ID.
That allows the remote server to ID individuals. It also
allows the library to have a log of who visited what site,
based on that ID in the network traffic.

[...]

Maybe I'm mistaken, but that reads to me to say
that what the library is asking is for people using
their wifi to be uniquely identifiable online. Can you
see a different reason for their demands?

If you followed this topic from when it was introduced on the Win8
group, the first question is whether the library is "demanding"
anything.

Amazing, truly amazing, you appear to know more about the situation than
I do. What are they asking for then ...

One must understand that having users submit MACs to bypass
wifi log-ins would be sufficiently time-consuming for a public location
to make it completely impractical as a general policy. So, that begs the
question, why that person's particular user group? It looked to me that
it was an offer to make life easier for that person's user group -- for
example, that they frequently use the library's wifi. So, my response to
the question, "should I be concerned" is... no.

Again, you are missing the point (quelle surprise).
Let's try this again

Why would the library *insist* on knowing the MAC addresses if not to
track the device (notice I use the word 'device') I'm still waiting for
your insight.

Your snarky remarks are unimpressive. It's clear that you don't
understand what some of us have told you, which is pretty elementary
information about WAPs. Basically, the only "advantage" to supplying a
MAC is *yours*; you no longer have to log in. When you log in, as you
have apparently been doing, your MAC address is already visible to the
WAP, and any activity could be tracked to your specific device, should
someone care to do so.

That you wish to turn their offer (insistence, or whatever) into some
kind of snoopy behavior is nonsensical. Take it or leave it.

--
Best regards,

Neil

On 23/07/2016 12:12, Neil wrote:
On 7/23/2016 2:48 AM, HighSpy wrote:
On 22/07/2016 22:04, Neil wrote:
On 7/22/2016 3:34 PM, Mayayana wrote:
| Perhaps you've not set up a wifi access point, and that is the
basis of
| your confusion? It has long been possible to specify MAC addresses
that
| can use the WAP, block others, and allow log-ins from non-specified
| devices.

I'm not an expert on wifi. I rarely have occasion to
use it at all. But from my reading of the IPv6 link it
sounds to me like there's a valid concern. If the MAC
address as part of a unique ID is enabled -- or more
to the point, if an IPv6 unique ID is enabled -- then
the IP sent to remote servers contains a unique ID.
That allows the remote server to ID individuals. It also
allows the library to have a log of who visited what site,
based on that ID in the network traffic.

[...]

Maybe I'm mistaken, but that reads to me to say
that what the library is asking is for people using
their wifi to be uniquely identifiable online. Can you
see a different reason for their demands?

If you followed this topic from when it was introduced on the Win8
group, the first question is whether the library is "demanding"
anything.

Amazing, truly amazing, you appear to know more about the situation than
I do. What are they asking for then ...

One must understand that having users submit MACs to bypass
wifi log-ins would be sufficiently time-consuming for a public location
to make it completely impractical as a general policy. So, that begs the
question, why that person's particular user group? It looked to me that
it was an offer to make life easier for that person's user group -- for
example, that they frequently use the library's wifi. So, my response to
the question, "should I be concerned" is... no.

Again, you are missing the point (quelle surprise).
Let's try this again

Why would the library *insist* on knowing the MAC addresses if not to
track the device (notice I use the word 'device') I'm still waiting for
your insight.

Your snarky remarks are unimpressive. It's clear that you don't
understand what some of us have told you, which is pretty elementary
information about WAPs. Basically, the only "advantage" to supplying a
MAC is *yours*; you no longer have to log in. When you log in, as you
have apparently been doing, your MAC address is already visible to the
WAP, and any activity could be tracked to your specific device, should
someone care to do so.

That you wish to turn their offer (insistence, or whatever) into some
kind of snoopy behavior is nonsensical. Take it or leave it.

In other words you don't know.
That's OK but did you really have to waste all that bandwidth saying so
you could've just said "I don't know'


--
Quis custodiet ipsos custodes?

On 7/23/2016 6:55 AM, HighSpy wrote:
On 23/07/2016 10:02, Justin Tyme wrote:
On Fri, 22 Jul 2016 17:04:59 -0400, Neil
wrote:

On 7/22/2016 3:34 PM, Mayayana wrote:

Totally agree with you Neil.

Figures

What doesn't figure is why you don't get it. At this point, it's clear
that you need to believe some paranoid nonsense rather than grasp some
elementary facts about wireless access points. That's fine, but I hope
you don't think you're persuading those of us with that knowledge that
you're on to something we need to know about. Move on.

--
Best regards,

Neil

On 23/07/2016 12:18, Neil wrote:
On 7/23/2016 6:55 AM, HighSpy wrote:
On 23/07/2016 10:02, Justin Tyme wrote:
On Fri, 22 Jul 2016 17:04:59 -0400, Neil
wrote:

On 7/22/2016 3:34 PM, Mayayana wrote:

Totally agree with you Neil.

Figures

What doesn't figure is why you don't get it. At this point, it's clear
that you need to believe some paranoid nonsense rather than grasp some
elementary facts about wireless access points. That's fine, but I hope
you don't think you're persuading those of us with that knowledge that
you're on to something we need to know about. Move on.

In my long, long experience in this business people, particularly
network administrators don't do anything for no reason.

I don't know why they are insisting on the MAC addresses and neither
apparently do you.

That is the difference between you and I, you don't know but rather than
find out you obfuscate your lamentable lack of knowledge by questioning
others ability to understand. Again, I've seen it so many times it
shouldn't come as a surprise.

There is a reason for the demand and I will find out what it is,
although not obviously from you. You carry on in your cosy world and
leave the hard stuff to someone else.

I see no benefit in continuing with this discussion.


--
Quis custodiet ipsos custodes?

| In my long, long experience in this business people, particularly
| network administrators don't do anything for no reason.
|

Maybe not, but they might insist for no reason.
As one can see in this group, an awfully lot of
techie people like to think the rest of the world
are idiots. So they might "demand" the MAC just
as a parent might require something of a child
without explaining.

| I don't know why they are insisting on the MAC addresses and neither
| apparently do you.
|

What he says seems to make sense. I was thinking
that you had said they required you to disable the
privacy extensions of IPv6, but re-reading, I don't see
anywhere that you said that. So presumably any IPv6
IP you're sending outside the network should be as
protected as an IP address can be, or would be if you
were using it from home.

That seems to leave only the mysterious "security
mark" demand. Having to hand over your device for
configuration does seem unreasonable and unjustifiable.
But if they only want to change some sort of setting
for better security they should be able to tell you
that and let you do it.

On 7/23/2016 7:46 AM, HighSpy wrote:
On 23/07/2016 12:18, Neil wrote:
On 7/23/2016 6:55 AM, HighSpy wrote:
On 23/07/2016 10:02, Justin Tyme wrote:
On Fri, 22 Jul 2016 17:04:59 -0400, Neil
wrote:

On 7/22/2016 3:34 PM, Mayayana wrote:

Totally agree with you Neil.

Figures

What doesn't figure is why you don't get it. At this point, it's clear
that you need to believe some paranoid nonsense rather than grasp some
elementary facts about wireless access points. That's fine, but I hope
you don't think you're persuading those of us with that knowledge that
you're on to something we need to know about. Move on.

In my long, long experience in this business people, particularly
network administrators don't do anything for no reason.

If you understood any of the responses you've gotten, it should make you
wonder why they'd go to the trouble to accomplish what concerns you.

I don't know why they are insisting on the MAC addresses and neither
apparently do you.

Actually, the reason for their request seems pretty obvious to me, and
I've explained why more than once.

That is the difference between you and I, you don't know but rather than
find out you obfuscate your lamentable lack of knowledge by questioning
others ability to understand. Again, I've seen it so many times it
shouldn't come as a surprise.

If you were under some bizarre impression that any of us could "know"
what those we have never met might have in mind, then your tin foil hat
is leaking RFI. The facts that some of us have repeatedly presented, and
you repeatedly refuse to accept is that those wishing to track your
activities in a place with public wifi don't need your permission to do
so. When you log in, the jig is up.

There is a reason for the demand and I will find out what it is,
although not obviously from you.

If that was really your only intent, then it should have been obvious
that the ones to ask are the ones asking you to provide your MAC
addresses, not us. But, based on your comments here, you wouldn't
believe them, either.

I see no benefit in continuing with this discussion.

I see no benefit in your having started it in the first place. At least,
not to any of us.

--
Best regards,

Neil

On 7/23/2016 7:18 AM, HighSpy wrote:
On 23/07/2016 12:12, Neil wrote:
On 7/23/2016 2:48 AM, HighSpy wrote:
On 22/07/2016 22:04, Neil wrote:
On 7/22/2016 3:34 PM, Mayayana wrote:
| Perhaps you've not set up a wifi access point, and that is the
basis of
| your confusion? It has long been possible to specify MAC addresses
that
| can use the WAP, block others, and allow log-ins from non-specified
| devices.

I'm not an expert on wifi. I rarely have occasion to
use it at all. But from my reading of the IPv6 link it
sounds to me like there's a valid concern. If the MAC
address as part of a unique ID is enabled -- or more
to the point, if an IPv6 unique ID is enabled -- then
the IP sent to remote servers contains a unique ID.
That allows the remote server to ID individuals. It also
allows the library to have a log of who visited what site,
based on that ID in the network traffic.

[...]

Maybe I'm mistaken, but that reads to me to say
that what the library is asking is for people using
their wifi to be uniquely identifiable online. Can you
see a different reason for their demands?

If you followed this topic from when it was introduced on the Win8
group, the first question is whether the library is "demanding"
anything.

Amazing, truly amazing, you appear to know more about the situation than
I do. What are they asking for then ...

One must understand that having users submit MACs to bypass
wifi log-ins would be sufficiently time-consuming for a public location
to make it completely impractical as a general policy. So, that begs
the
question, why that person's particular user group? It looked to me that
it was an offer to make life easier for that person's user group -- for
example, that they frequently use the library's wifi. So, my
response to
the question, "should I be concerned" is... no.

Again, you are missing the point (quelle surprise).
Let's try this again

Why would the library *insist* on knowing the MAC addresses if not to
track the device (notice I use the word 'device') I'm still waiting for
your insight.

Your snarky remarks are unimpressive. It's clear that you don't
understand what some of us have told you, which is pretty elementary
information about WAPs. Basically, the only "advantage" to supplying a
MAC is *yours*; you no longer have to log in. When you log in, as you
have apparently been doing, your MAC address is already visible to the
WAP, and any activity could be tracked to your specific device, should
someone care to do so.

That you wish to turn their offer (insistence, or whatever) into some
kind of snoopy behavior is nonsensical. Take it or leave it.

In other words you don't know.
That's OK but did you really have to waste all that bandwidth saying so
you could've just said "I don't know'

Since your comprehension appears to be suffering, let me be clear to
other readers of this thread. It seems obvious to me why they have
offered you wifi access without logging in, and it's not nefarious. It
is you who just don't get it.

--
Best regards,

Neil

On Sat, 23 Jul 2016 11:55:09 +0100, HighSpy
wrote:

On 23/07/2016 10:02, Justin Tyme wrote:
On Fri, 22 Jul 2016 17:04:59 -0400, Neil
wrote:

On 7/22/2016 3:34 PM, Mayayana wrote:

Totally agree with you Neil.

Figures

I just added my grandaugter's mac address and she never has to login,
which for her would be difficult. She enters any Shaw hotspot and the
wifi is just on. It is a convenience for Shaw customers who are all
part of a massive user group. The OP must be part of some user group
and the mac address was used as a convenience to log in automatically.
Nothing more.

Is it me or are you people really that thick?
I'm probably wasting my time here but I'll give it one more go

Apparently there is a management overhead in registering MAC addresses.
Why would the network administrators do something they didn't have to
unless there was a benefit for them?

What is this benefit
If you know the answer and would like to share it that would be great
If you don't know the answer then why bother responding

That lunacy about being tracked is too much. LOL!

We are all surely doomed :-(

Do you actually believe that you are that important to anyone?

Global mass surveillance is a fact but it doesn't affect the vast
majority of people in a negative way. If you are a person of interest
then you need to be very careful. It is very doubtful that you are
that person.

You should treat the internet like an open book that anyone with the
ability to read can access. There are steps you can take that can
enhance your computer privacy to the point where you are anonymous. I
won't go into explaining operational security, but I do understand
OPSEC.

I think some people *overestimate their importance* and become
unreasonably paranoid. The fact that you can be tracked and the steps
you take to avoid being tracked depends upon how big a fish you are
and/or what it is you are trying to hide.
--
JT

On 23/07/2016 20:57, Justin Tyme wrote:
On Sat, 23 Jul 2016 11:55:09 +0100, HighSpy
wrote:

On 23/07/2016 10:02, Justin Tyme wrote:
On Fri, 22 Jul 2016 17:04:59 -0400, Neil
wrote:

On 7/22/2016 3:34 PM, Mayayana wrote:

Totally agree with you Neil.

Figures

I just added my grandaugter's mac address and she never has to login,
which for her would be difficult. She enters any Shaw hotspot and the
wifi is just on. It is a convenience for Shaw customers who are all
part of a massive user group. The OP must be part of some user group
and the mac address was used as a convenience to log in automatically.
Nothing more.

Is it me or are you people really that thick?
I'm probably wasting my time here but I'll give it one more go

Apparently there is a management overhead in registering MAC addresses.
Why would the network administrators do something they didn't have to
unless there was a benefit for them?

What is this benefit
If you know the answer and would like to share it that would be great
If you don't know the answer then why bother responding

That lunacy about being tracked is too much. LOL!

We are all surely doomed :-(

Do you actually believe that you are that important to anyone?

Global mass surveillance is a fact but it doesn't affect the vast
majority of people in a negative way. If you are a person of interest
then you need to be very careful. It is very doubtful that you are
that person.

You should treat the internet like an open book that anyone with the
ability to read can access. There are steps you can take that can
enhance your computer privacy to the point where you are anonymous. I
won't go into explaining operational security, but I do understand
OPSEC.

I think some people *overestimate their importance* and become
unreasonably paranoid. The fact that you can be tracked and the steps
you take to avoid being tracked depends upon how big a fish you are
and/or what it is you are trying to hide.

The really worrying thing is you actually sound like you believe your
own propagada. Everything is snuggly and warm and only the bad guys are
being actively watched. That's all right then nothing to worry about.



--
Quis custodiet ipsos custodes?

HighSpy wrote:

Why would the network administrators do something they didn't have to

Mostly the reason network admins do anything is to make their own life
easier :-)

So in your library's case it sounds they can either have a system that
handles authenticated logins *and* MAC address whitelists, where they
need some way of generating and giving out logins and dealing with
people forgetting their password etc

Or they can have a system that just accepts MAC addresses.

Either way (if they actually wanted to) they could associate your
machine's MAC address with you, e.g. by your library membership details
etc, so it's no skin off your nose, I'd be amazed if they were using IPv6.