On Mon, Nov 11, 2013 at 2:21 AM, Mitar <mitar(a)tnode.com> wrote:
> Hi!
>
>> Bob is stalking Eve, and he has figured out her MAC address. He wants to
>> follow her around the city or simply learn where she lives. Using the node
>> map, which includes node IP addresses (or because he simply drove around
>> the city and mapped them out himself) he knows the IP/MAC to physical
>> location mapping of all nodes. A simple layer 2 or 3 traceroute will now
>> tell him Eve's movements around town including her work location and home
>> location. I am proposing that we disable the layer 2 traceroute
>> functionality in batman-adv and block ICMP Time Exceeded messages such that
>> traceroute is no longer possible, and such that it becomes much more
>> difficult to find the physical location of a MAC address.
>
> OK, and you believe this scenario warrants crimping the network?

Yes! Emphatically yes! This is an issue of people's safety. People will not
reasonably expect that they are broadcasting their position to anyone who
cares to listen when they use the mesh. Many people have enemies and
stalkers. If we don't do anything about this issue then we are endangering
people's personal safety. We can't just say "oh, people can't expect to
keep their location private anymore".

> I do not have a direct analogy here, but we used for some time a captive
> portal which blocked all traffic until you clicked a button in the
> browser. We got quite some reports of network not working from geeks who
> first thing after they connected to network tried something non-HTTP and
> then tried to ping and debug and nothing worked. Never tried to open
> HTTP. Those were people not otherwise involved with the network. They
> just assumed things should work. So what I am saying that I think should
> always work as expected. Don't break things.

Sacrificing usability and/or personal safety for the many so a few techies
won't have to deal with workarounds is completely unreasonable. The
long-term solution to captive portals is a standard, implemented by all
major operating systems, that allows communication with users that connect
to your network without ugly hacks. I'm not sure what long-term solution
for not leaking geo-location information is, but there probably is a
non-ugly solution. We should work to create those solutions, but in the
meantime, it's more important that the network works for the majority of
people than that it's technically beautiful.

> BTW, I am not sure if normal traceroute does anything smart in a Batman
> network. So how many people will really know how to use a Batman-specific
> tool?

True. You'd need to use a batman-specific tool, but that's security by
obscurity territory and it only takes one person to make a "find anyone's
location" web app for that to break.
--
Marc/Juul