[Mesh] Changing your MAC address

rhodey rhodey at anhonesteffort.org
Sun Nov 10 16:39:22 PST 2013


>> does it have to be a MAC address?

Yes. We only (at most) have control of the mesh nodes (access points) in
our network-- not the mesh clients (desktop, laptop, cellphone).

Desktops, laptops, cellphones all have networking stacks and they will
all use a MAC address. If they are cellphones it is likely that the MAC
address cannot be changed/spoofed without rooting the OS (not user
friendly).

-- 
-- rhodey ˙ ͜ʟ˙
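To illustrate the point made in the earlier message quoted below (the last hop a MAC address is seen at places a device inside that mesh node's coverage area, and a MAC that never changes links those sightings into a trail over time), here is an added example written for this archive page, not code from anyone on the list. It models an operator's association log for one device walking past three nodes, once with a persistent MAC and once with a MAC regenerated at each association; node names, area labels, times and the walk are constructed.

```python
"""Added example: what association logs reveal about a device's movements with a
persistent MAC versus a MAC rotated at each association. Everything below is
constructed for the demonstration."""
import os
from collections import defaultdict

# Constructed: mesh node -> rough area its coverage corresponds to. From the logs,
# a device's location is known only to the granularity of the node it attached to.
NODE_AREA = {"node-a": "Lake Merritt", "node-b": "Uptown", "node-c": "Downtown"}


def random_local_mac(rng=os.urandom):
    """Random unicast, locally administered MAC as 'xx:xx:xx:xx:xx:xx'.

    First octet: clear bit 0 (I/G) so the address is unicast, set bit 1 (U/L)
    so it is marked locally administered and cannot be mistaken for a
    vendor-assigned OUI. The remaining 46 bits are random.
    """
    octets = bytearray(rng(6))
    octets[0] = (octets[0] & 0xFC) | 0x02
    return ":".join(f"{o:02x}" for o in octets)


def is_local_unicast(mac):
    """True if the first octet has the unicast and locally-administered bits right."""
    first = int(mac.split(":")[0], 16)
    return (first & 0x01) == 0 and (first & 0x02) == 0x02


def walk(path, rotate, rng=os.urandom):
    """Constructed association log for one device walking along `path`, a list of
    (minute, node) stops. With rotate=False the device keeps one MAC for the whole
    walk; with rotate=True it picks a fresh one at every association, which is
    what a privacy app on the client would do. Returns (minute, node, mac)
    records in the form an operator's node would log them."""
    mac = random_local_mac(rng)
    log = []
    for minute, node in path:
        if rotate:
            mac = random_local_mac(rng)
        log.append((minute, node, mac))
    return log


def trails(log):
    """Rebuild per-MAC movement trails from the log: the linkage an operator, or
    anyone who obtains the logs, can perform with no additional information."""
    per_mac = defaultdict(list)
    for minute, node, mac in sorted(log):
        per_mac[mac].append((minute, NODE_AREA[node]))
    return {mac: tuple(stops) for mac, stops in per_mac.items()}


def longest_trail(log):
    """Number of stops exposed by the most-linkable MAC in the log."""
    return max(len(t) for t in trails(log).values())


# Constructed walk: three associations over an hour.
PATH = [(0, "node-a"), (25, "node-b"), (60, "node-c")]

if __name__ == "__main__":
    for rotate in (False, True):
        log = walk(PATH, rotate)
        print(f"rotate={rotate}: {len(trails(log))} distinct MAC(s), "
              f"longest trail {longest_trail(log)} stop(s)")
        for mac, stops in trails(log).items():
            print("  ", mac, "->", " -> ".join(f"{a}@{m}m" for m, a in stops))
```

With the persistent MAC the single trail reads Lake Merritt, Uptown, Downtown in order; with rotation each MAC is seen once, so the log alone no longer says that the three sightings were the same device.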

On 11/10/2013 04:31 PM, Jeremy Entwistle wrote:
> Well, one question that's been on my mind is does it have to be a MAC
> address? I think ideally we would have something comparable to a
> fingerprint or randomly generated addresses that are assigned by the
> network. Also, in looking at SSL vs pre-shared keys, apparently its
> slower and more demanding of our resources to use SSL... but at the same
> time, I'm not sure how to securely distribute and verify pre-shared keys
> throughout a network. Also, it seems to me that speed and preventing any
> latency on the network is more important than the key itself, because
> anybody can join the network, and there's the possibility of generating
> keys every couple of hours.
> 
> I guess what I'm saying is that the internet depends on IPs, Meshes have
> been dependent on MACs, but I don't see why we have to depend on either.
> 
> 
> On Sun, Nov 10, 2013 at 3:54 PM, Mitar <mitar at tnode.com> wrote:
> 
>     Hi!
> 
>     So we might create an app for people to install to change MAC addresses
>     randomly. :-) So a privacy preserving app for mesh networks.
> 
>     It would make sure that your WiFi does not broadcast a list of known
>     networks as well.
> 
> 
>     Mitar
> 
>     > I looked into this a while ago and it's very easy to change MAC
>     > addresses.
>     > Kali Linux Tutorials: How to Change or Spoof a MAC Address
>     > https://www.youtube.com/watch?v=JyP8aGtPZpA
>     >
>     >
>     > On Sun, Nov 10, 2013 at 3:03 PM, <mesh-request at lists.sudoroom.org> wrote:
>     >
>     >> Message: 1
>     >> Date: Sun, 10 Nov 2013 15:03:01 -0800
>     >> From: rhodey <rhodey at anhonesteffort.org>
>     >> To: mesh at lists.sudoroom.org
>     >> Subject: Re: [Mesh] Fwd: [Commotion-discuss] Seattle Police mesh
>     >>         network for surveillance?
>     >> Message-ID: <528010A5.8030704 at anhonesteffort.org>
>     >> Content-Type: text/plain; charset=UTF-8
>     >>
>     >> Police, govt, and other evil adversaries are free to set up their own
>     >> hardware, their own mesh; the idea is not to prevent this but to prevent
>     >> the use of good mesh networks for evil. I want to give more thought to
>     >> this subject sometime in the near future but for now this is what I have...
>     >>
>     >> The major concern here (as I see it) is the persistence of MAC
>     >> addresses. The average user does not know how to change their MAC
>     >> address and in the case of most mobile devices it is not possible to
>     >> change the MAC address. We can ensure that IP addresses are cycled
>     >> frequently enough because we'll have control over a majority of the DHCP
>     >> servers on the mesh, so I'll be focusing on MAC addresses.
>     >>
>     >> In any local network a MAC address can be associated with network
>     >> traffic; the obvious solution here is to use encryption. The problem
>     >> with MAC addresses in a mesh network is that they could also be
>     >> associated with a location.
>     >>
>     >> On any layer 2 network it is possible for any connected host to
>     >> determine the route to any other host using a MAC address as an
>     >> identifier. Because mesh nodes have a fixed (and likely known) physical
>     >> location it can be assumed that the last hop in the route corresponds to
>     >> the physical location of the specific host.
>     >>
>     >> It is important to realize that only mesh nodes (access points) have
>     >> *potential* knowledge of signal strength and other 802.11 broadcast type
>     >> frames-- sure Oakland PD can set up a device to listen to all 802.11
>     >> traffic, but remember we're only focusing on how existing hardware can
>     >> be abused. So, one host *cannot* triangulate the location of another
>     >> host. *From the perspective of a host on the mesh, a host can only be
>     >> connected to one mesh node or disconnected from the network.* In the
>     >> context of physical location, the privacy of a host on the mesh is a
>     >> function of the area covered by the mesh node it is connected to.
>     >>
>     >> To increase user privacy I would like to experiment with a MAC address
>     >> spoofing service that could run on mesh nodes or volunteer hosts. The
>     >> service would basically pretend to be just another host on the network
>     >> identified by some MAC address. The service could intelligently spawn
>     >> fake hosts depending on the number of other hosts connected to the
>     >> shared mesh node. Mesh nodes with fewer connected hosts need more
>     >> spoofed hosts to increase privacy, etc. But it is not that simple of
>     >> course, because spoofed MAC addresses need to persist just as legitimate
>     >> MAC addresses do, and move about in the physical world (connect to
>     >> different mesh nodes) just as other legitimate users will. I've thought
>     >> some of this through but it is a large undertaking that needs further
>     >> planning.
>     >>
>     >> Another thing to keep in mind is that although MAC addresses could be
>     >> used as a persistent identifier *they alone do not represent any
>     >> identity.* It is not until an adversary obtains additional information
>     >> that a MAC address could be used to identify an individual person. Not
>     >> to say the surveillance of pseudo-anonymous individual and group
>     >> movement is negligible, just pointing this out.
>     >>
>     >> In conclusion (for now) by keeping our software and build processes open
>     >> we can convince reasonable users that it is not possible for us to track
>     >> them with more than neighborhood level accuracy. If we go further and
>     >> deploy something like the MAC spoofing service it could be possible to
>     >> extend this guarantee further. I think it is also likely that this MAC
>     >> spoofing service could be designed to prevent/degrade 802.11 style
>     >> surveillance by hardware outside our control.
>     >>
>     >> --
>     >> -- rhodey ˙ ͜ʟ˙
>     >>
>     >> On 11/10/2013 11:44 AM, Steve Berl wrote:
>     >>> Couldn't a community mesh network be suspected of having the same sort
>     >>> of tracking abilities?
>     >>> How do we convince potential mesh network users that we aren't
>     >>> collecting location data on them?
>     >>>
>     >>> Steve
>     >>>
>     >>>
>     >>> On Friday, November 8, 2013, Jenny Ryan wrote:
>     >>>
>     >>>     ---------- Forwarded message ----------
>     >>>     From: *Preston Rhea* <prestonrhea at opentechinstitute.org>
>     >>>     Date: Thu, Nov 7, 2013 at 6:49 AM
>     >>>     Subject: Fwd: [Commotion-discuss] Seattle Police mesh network for
>     >>>     surveillance?
>     >>>     To: Jenny Ryan <jenny at thepyre.org>, Shaun Houlihan <shaunhoulihan at gmail.com>
>     >>>
>     >>>     Thought this would interest y'all, I don't know if you are already on
>     >>>     the Commotion listserv Jenny.
>     >>>
>     >>>     ---------- Forwarded message ----------
>     >>>     From: Dan Staples <danstaples at opentechinstitute.org>
>     >>>     Date: Wed, Nov 6, 2013 at 9:32 PM
>     >>>     Subject: [Commotion-discuss] Seattle Police mesh network for
>     >>>     surveillance?
>     >>>     To: commotion-discuss <commotion-discuss at lists.chambana.net>
>     >>>
>     >>>     http://www.thestranger.com/seattle/you-are-a-rogue-device/Content?oid=18143845
>     >>>
>     >>>     You Are a Rogue Device
>     >>>     A New Apparatus Capable of Spying on You Has Been Installed Throughout
>     >>>     Downtown Seattle. Very Few Citizens Know What It Is, and Officials
>     >>>     Don't Want to Talk About It.
>     >>>
>     >>>     by Matt Fikse-Verkerk and Brendan Kiley
>     >>>
>     >>>     If you're walking around downtown Seattle, look up: You'll see off-white
>     >>>     boxes, each one about a foot tall with vertical antennae, attached to
>     >>>     utility poles. If you're walking around downtown while looking at a
>     >>>     smartphone, you will probably see at least one -- and more likely two or
>     >>>     three -- Wi-Fi networks named after intersections: "4th&Seneca,"
>     >>>     "4th&Union," "4th&University," and so on. That is how you can see the
>     >>>     Seattle Police Department's new wireless mesh network, bought from a
>     >>>     California-based company called Aruba Networks, whose clients include
>     >>>     the Department of Defense, school districts in Canada, oil-mining
>     >>>     interests in China, and telecommunications companies in Saudi Arabia.
>     >>>
>     >>>     The question is: How well can this mesh network see you?
>     >>>
>     >>>     How accurately can it geo-locate and track the movements of your phone,
>     >>>     laptop, or any other wireless device by its MAC address (its "media
>     >>>     access control address" -- nothing to do with Macintosh -- which is analogous
>     >>>     to a device's thumbprint)? Can the network send that information to a
>     >>>     database, allowing the SPD to reconstruct who was where at any given
>     >>>     time, on any given day, without a warrant? Can the network see you now?
>     >>>
>     >>>     The SPD declined to answer more than a dozen questions from The
>     >>>     Stranger, including whether the network is operational, who has access
>     >>>     to its data, what it might be used for, and whether the SPD has used it
>     >>>     (or intends to use it) to geo-locate people's devices via their MAC
>     >>>     addresses or other identifiers.
>     >>>
>     >>>     Seattle Police detective Monty Moss, one of the leaders of the
>     >>>     mesh-network project -- one part of a $2.7 million effort, paid for by the
>     >>>     Department of Homeland Security -- wrote in an e-mail that the department
>     >>>     "is not comfortable answering policy questions when we do not yet have a
>     >>>     policy." But, Detective Moss added, the SPD "is actively collaborating
>     >>>     with the mayor's office, city council, law department, and the ACLU on a
>     >>>     use policy." The ACLU, at least, begs to differ: "Actively
>     >>>     collaborating" is not how they would put it. Jamela Debelak, technology
>     >>>     and liberty director of the Seattle office, says the ACLU submitted
>     >>>     policy-use suggestions months ago and has been waiting for a response.
>     >>>
>     >>>     Detective Moss also added that the mesh network would not be used for
>     >>>     "surveillance purposes... without City Council's approval and the
>     >>>     appropriate court authorization." Note that he didn't say the mesh
>     >>>     network couldn't be used for the surveillance functions we asked about,
>     >>>     only that it wouldn't -- at least until certain people in power say it can.
>     >>>     That's the equivalent of a "trust us" and a handshake.
>     >>>
>     >>>     His answer is inadequate for other reasons as well. First, the city
>     >>>     council passed an ordinance earlier this year stating that any potential
>     >>>     surveillance equipment must submit protocols to the city council for
>     >>>     public review and approval within 30 days of its acquisition and
>     >>>     implementation. This mesh network has been around longer than that, as
>     >>>     confirmed by Cascade Networks, Inc., which helped install it. Still, the
>     >>>     SPD says it doesn't have a policy for its use yet. Mayor McGinn's office
>     >>>     says it expects to see draft protocols sometime in December -- nearly nine
>     >>>     months late, according to the new ordinance.
>     >>>
>     >>>     Second, and more importantly, this mesh network is part of a whole new
>     >>>     arsenal of surveillance technologies that are moving faster than the
>     >>>     laws that govern them are being written. As Stephanie K. Pell (former
>     >>>     counsel to the House Judiciary Committee) and Christopher Soghoian
>     >>>     (senior policy analyst at the ACLU) wrote in a 2012 essay for the
>     >>>     Berkeley Technology Law Journal:
>     >>>
>     >>>         The use of location information by law enforcement agencies is
>     >>>         common and becoming more so as technological improvements enable
>     >>>         collection of more accurate and precise location data. The legal mystery
>     >>>         surrounding the proper law enforcement access standard for prospective
>     >>>         location data remains unsolved. This mystery, along with conflicting
>     >>>         rulings over the appropriate law enforcement access standards for both
>     >>>         prospective and historical location data, has created a messy,
>     >>>         inconsistent legal landscape where even judges in the same district may
>     >>>         require law enforcement to meet different standards to compel location
>     >>>         data.
>     >>>
>     >>>     In other words, law enforcement has new tools -- powerful tools. We didn't
>     >>>     ask for them, but they're here. And nobody knows the rules for how they
>     >>>     should be used.
>     >>>
>     >>>     This isn't the first time the SPD has purchased surveillance equipment
>     >>>     (or, as they might put it, public-safety equipment that happens to have
>     >>>     powerful surveillance capabilities) without telling the rest of the
>     >>>     city. There was the drones controversy this past winter, when the public
>     >>>     and elected officials discovered that the SPD had bought two unmanned
>     >>>     aerial vehicles with the capacity to spy on citizens. There was an
>     >>>     uproar, and a few SPD officers embarked on a mea culpa tour of community
>     >>>     meetings where they answered questions and endured (sometimes raucous)
>     >>>     criticism. In February, Mayor Mike McGinn announced he was grounding the
>     >>>     drones, but a new mayor could change his mind. Those SPD drones are
>     >>>     sitting somewhere right now on SPD property.
>     >>>
>     >>>     Meanwhile, the SPD was also dealing with the port-camera surveillance
>     >>>     scandal. That kicked off in late January, when people in West Seattle
>     >>>     began wondering aloud about the 30 cameras that had appeared unannounced
>     >>>     on utility poles along the waterfront. The West Seattle neighborhood
>     >>>     blog (westseattleblog.com) sent questions to city utility companies, and
>     >>>     the utilities in turn pointed at SPD, which eventually admitted that it
>     >>>     had purchased and installed 30 surveillance cameras with federal money
>     >>>     for "port security." That resulted in an additional uproar and another
>     >>>     mea culpa tour, much like they did with the drones, during which
>     >>>     officers repeated that they should have done a better job of educating
>     >>>     the public about what they were up to with the cameras on Alki.
>     >>>     (Strangely, the Port of Seattle and the US Coast Guard didn't seem very
>     >>>     involved in this "port security" project -- their names only appear in a
>     >>>     few cursory places in the budgets and contracts. The SPD is clearly the
>     >>>     driving agency behind the project. For example, their early tests of
>     >>>     sample Aruba products -- beginning with a temporary Aruba mesh network set
>     >>>     up in Pioneer Square for Mardi Gras in 2009 -- didn't have anything to do
>     >>>     with the port whatsoever.)
>     >>>
>     >>>     The cameras attracted the controversy, but they were only part of the
>     >>>     project. In fact, the 30 pole-mounted cameras on Alki that caused the
>     >>>     uproar cost $82,682 -- just 3 percent of the project's $2.7 million
>     >>>     Homeland Security-funded budget. The project's full title was "port
>     >>>     security video surveillance system with wireless mesh network." People
>     >>>     raised a fuss about the cameras. But what about the mesh network?
>     >>>
>     >>>     Detective Moss and Assistant Chief Paul McDonagh mentioned the downtown
>     >>>     mesh network during those surveillance-camera community meetings, saying
>     >>>     it would help cops and firefighters talk to each other by providing a
>     >>>     wireless network for their exclusive use, with the potential for others
>     >>>     to use overlaid networks handled by the same equipment. (Two-way radios
>     >>>     already allow police officers to talk to each other, but officers still
>     >>>     use wireless networks to access data, such as the information an officer
>     >>>     looks for by running your license plate number when you've been pulled
>     >>>     over.)
>     >>>
>     >>>     As Brian Magnuson of Cascade Networks, Inc., which helped install the
>     >>>     Aruba system, explained the possible use of such a system: "A normal
>     >>>     cell-phone network is a beautiful thing right up until the time you
>     >>>     really need it -- say you've just had an earthquake or a large storm, and
>     >>>     then what happens? Everybody picks up their phone and overloads the
>     >>>     system." The network is most vulnerable precisely when it's most needed.
>     >>>     A mesh network could be a powerful tool for streaming video from
>     >>>     surveillance cameras or squad car dash-cams across the network, allowing
>     >>>     officers "real-time situational awareness" even when other communication
>     >>>     systems have been overloaded, as Detective Moss explained in those
>     >>>     community meetings.
>     >>>
>     >>>     But the Aruba mesh network is not just for talking, it's also for
>     >>>     tracking.
>     >>>
>     >>>     After reviewing Aruba's technical literature, as well as talking to IT
>     >>>     directors and systems administrators around the country who work with
>     >>>     Aruba products, it's clear that their networks are adept at seeing all
>     >>>     the devices that move through their coverage area and visually mapping
>     >>>     the locations of those devices in real time for the system
>     >>>     administrators' convenience. In fact, one of Aruba's major selling
>     >>>     points is its ability to locate "rogue" or "unassociated" devices -- that
>     >>>     is, any device that hasn't been authorized by (and maybe hasn't even
>     >>>     asked to be part of) the network.
>     >>>
>     >>>     Which is to say, your device. The cell phone in your pocket, for
>     >>>     instance.
>     >>>
>     >>>     The user's guide for one of Aruba's recent software products states:
>     >>>     "The wireless network has a wealth of information about unassociated and
>     >>>     associated devices." That software includes "a location engine that
>     >>>     calculates associated and unassociated device location every 30 seconds
>     >>>     by default... The last 1,000 historical locations are stored for each
>     >>>     MAC address."
>     >>>
>     >>>     For now, Seattle's mesh network is concentrated in the downtown area.
>     >>>     But the SPD has indicated in PowerPoint presentations -- also acquired by
>     >>>     The Stranger -- that it hopes to eventually have "citywide deployment" of
>     >>>     the system that, again, has potential surveillance capabilities that the
>     >>>     SPD declined to answer questions about. That could give a whole new
>     >>>     meaning to the phrase "real-time situational awareness."
>     >>>
>     >>>     So how does Aruba's mesh network actually function?
>     >>>
>     >>>     Each of those off-white boxes you see downtown is a wireless access
>     >>>     point (AP) with four radios inside it that work to shove giant amounts
>     >>>     of data to, through, and around the network, easily handling
>     >>>     bandwidth-hog uses such as sending live, high-resolution video to or
>     >>>     from moving vehicles. Because this grid of APs forms a latticelike mesh,
>     >>>     it works like the internet itself, routing traffic around bottlenecks
>     >>>     and "self-healing" by sending traffic around components that fail.
>     >>>
>     >>>     As Brian Magnuson at Cascade Networks explains: "When you have 10 people
>     >>>     talking to an AP, no problem. If you have 50, that's a problem." Aruba's
>     >>>     mesh solution is innovative -- instead of building a few high-powered,
>     >>>     herculean APs designed to withstand an immense amount of traffic, Aruba
>     >>>     sprinkles a broad area with lots of lower-powered APs and lets them
>     >>>     figure out the best way to route all the data by talking to each other.
>     >>>
>     >>>     Aruba's technology is considered cutting-edge because its systems are
>     >>>     easy to roll out, administer, and integrate with other systems, and its
>     >>>     operating system visualizes what's happening on the network in a simple,
>     >>>     user-friendly digital map. The company is one of many firms in the
>     >>>     networking business, but, according to the tech-ranking firm Gartner,
>     >>>     Aruba ranks second (just behind Cisco) in "completeness of vision" and
>     >>>     third in "ability to execute" for its clever ways of getting around
>     >>>     technical hurdles.
>     >>>
>     >>>     Take Candlestick Park, the San Francisco 49ers football stadium, which,
>     >>>     Magnuson says, is just finishing up an Aruba mesh network installation.
>     >>>     The stadium has high-intensity cellular service needs -- 70,000 people can
>     >>>     converge there for a single event in one of the most high-tech cities in
>     >>>     America, full of high-powered, newfangled devices. "Aruba's solution was
>     >>>     ingenious," Magnuson says. It put 640 low-power APs under the stadium's
>     >>>     seats to diffuse the data load. "If you're at the stadium and trying to
>     >>>     talk to an AP," Magnuson says, "you're probably sitting on it!"
>     >>>
>     >>>     Another one of Aruba's selling points is its ability to detect rogue
>     >>>     devices -- strangers to the system. Its promotional "case studies" trumpet
>     >>>     this capability, including one report about Cabela's hunting and
>     >>>     sporting goods chain, which is an Aruba client: "Because Cabela's stores
>     >>>     are in central shopping areas, the company captures huge quantities of
>     >>>     rogue data -- as many as 20,000 events per day, mostly from neighboring
>     >>>     businesses." Aruba's network is identifying and distinguishing which
>     >>>     devices are allowed on the Cabela's network and which are within the
>     >>>     coverage area but are just passing through. The case study also
>     >>>     describes how Cabela's Aruba network was able to locate a lost
>     >>>     price-scanner gun in a large warehouse by mapping its location, as well
>     >>>     as track employees by the devices they were carrying.
>     >>>
>     >>>     It's one thing for a privately owned company to register devices it
>     >>>     already owns with a network. It's another for a local police department
>     >>>     to scale up that technology to blanket an entire downtown -- or an
>     >>>     entire city.
>     >>>
>     >>>     Aruba also sells a software product called "Analytics and Location
>     >>>     Engine 1.0." According to a document Aruba has created about the
>     >>>     product, ALE "calculates the location of associated and unassociated
>     >>>     wifi devices... even though a device has not associated to the network,
>     >>>     information about it is available. This includes the MAC address,
>     >>>     location, and RSSI information." ALE's default setting is anonymous,
>     >>>     which "allows for unique user tracking without knowing who the
>     >>>     individual user is." But, Aruba adds in the next sentence, "optionally
>     >>>     the anonymization can be disabled for richer analytics and user behavior
>     >>>     tracking." The network has the ability to see who you are -- how deeply it
>     >>>     looks is up to whoever's using it. (The Aruba technology, as far as we
>     >>>     know, does not automatically associate a given MAC address with the name
>     >>>     on the device's account. But figuring out who owns the account -- by asking
>     >>>     a cell-phone company, for example -- would not be difficult for a
>     >>>     law-enforcement agency.)
>     >>>
>     >>>     Geo-location seems to be an area of intense interest for Aruba. Last
>     >>>     week, the Oregonian announced that Aruba had purchased a Portland
>     >>>     mapping startup called Meridian, which, according to the article, has
>     >>>     developed software that "pinpoints a smartphone's location inside a
>     >>>     venue, relying either on GPS technology or with localized wireless
>     >>>     networks." The technology, the article says, "helps people find their
>     >>>     way within large buildings, such as malls, stadiums, or airports and
>     >>>     enables marketing directed at a phone's precise location."
>     >>>
>     >>>     How does that geo-location work? Devices in the network's coverage area
>     >>>     are "heard" by more than one radio in those APs (the off-white boxes).
>     >>>     Once the network hears a device from multiple APs, it can compare the
>     >>>     strength and timing of the signal to locate where the device is. This is
>     >>>     classic triangulation, and users of Aruba's AirWave software -- as in the
>     >>>     Cabela's example -- report that their systems are able to locate devices to
>     >>>     within a few feet.
>     >>>
>     >>>     In the case of large, outdoor installations where APs are more spread
>     >>>     out, the ability to know what devices are passing through is
>     >>>     useful -- especially, perhaps, to policing agencies, which could log that
>     >>>     data for long-term storage. As networking products and their uses
>     >>>     continue to evolve, they will only compound the "legal mystery" around
>     >>>     how this technology could and should be used that Pell and Soghoian
>     >>>     described in their Berkeley Technology Law Journal piece. Aruba's mesh
>     >>>     network is state-of-the-art, but something significantly smarter and
>     >>>     more sensitive will surely be on the market this time next year. And who
>     >>>     knows how much better the software will get.
>     >>>
>     >>>     An official spokesperson for Aruba wrote in an e-mail that the company
>     >>>     could not answer The Stranger's questions because they pertained "to a
>     >>>     new product announcement" that would not happen until Thanksgiving.
>     >>>     "Aruba's technology," the spokesperson added, "is designed for indoor
>     >>>     (not outdoor) usage and is for consumer apps where they opt in." This is
>     >>>     in direct contradiction to Aruba's own user's manuals, as well as the
>     >>>     fact that the Seattle Police Department installed an outdoor Aruba mesh
>     >>>     network earlier this year.
>     >>>
>     >>>     One engineer familiar with Aruba products and similar systems -- who
>     >>>     requested anonymity -- confirmed that the mesh network and its software are
>     >>>     powerful tools. "But like anything," the engineer said, it "can be used
>     >>>     inappropriately... You can easily see how a user might abuse this
>     >>>     ability (network admin has a crush on user X, monitors user X's location
>     >>>     specifically)." As was widely reported earlier this year, such alleged
>     >>>     abuses within the NSA have included a man who spied on nine women over a
>     >>>     five-year period, a woman who spied on prospective boyfriends, a man who
>     >>>     spied on his girlfriend, a husband who spied on his wife, and even a man
>     >>>     who spied on his ex-girlfriend "on his first day of access to the NSA's
>     >>>     surveillance system," according to the Washington Post. The practice was
>     >>>     so common within the NSA, it got its own classification: "LOVEINT."
>     >>>
>     >>>     Other Aruba clients?such as a university IT director, a
>     university
>     >> vice
>     >>>     president, and systems administrators?around the country
>     confirmed it
>     >>>     wouldn't be difficult to use the mesh network to track the
>     movement
>     >> of
>     >>>     devices by their MAC addresses, and that building a historical
>     >> database
>     >>>     of their movements would be relatively trivial from a
>     data-storage
>     >>>     perspective.
>     >>>
>     >>>     As Bruce Burton, an information technology manager at the
>     University
>     >> of
>     >>>     Cincinnati (which uses an Aruba network), put it in an
>     e-mail: "This
>     >>>     mesh network will have the capability to track devices (MAC
>     >> addresses)
>     >>>     throughout the city."
>     >>>
>     >>>     Not that the SPD would do that?but we don't know. "We
>     definitely feel
>     >>>     like the public doesn't have a handle on what the
>     capabilities are,"
>     >>>     says Debelak of the ACLU. "We're not even sure the police
>     department
>     >>>     does." It all depends on what the SPD says when it releases its
>     >>>     mesh-network protocols.
>     >>>
>     >>>     "They're long overdue," says Lee Colleton, a systems
>     administrator at
>     >>>     Google who is also a member of the Seattle Privacy Coalition, a
>     >>>     grassroots group that formed in response to SPD's drone and
>     >>>     surveillance-camera controversies. "If we don't deal with
>     this kind
>     >> of
>     >>>     thing now, and establish norms and policies, we'll find
>     ourselves in
>     >> an
>     >>>     unpleasant situation down the road that will be harder to
>     change."
>     >>>
>     >>>     The city is already full of surveillance equipment. The Seattle
>     >>>     Department of Transportation, for example, uses license-plate
>     >> scanners,
>     >>>     sensors embedded in the pavement, and other mechanisms to
>     monitor
>     >>>     individual vehicles and help estimate traffic volume and
>     wait time.
>     >> "But
>     >>>     as soon as that data is extrapolated," says Adiam Emery of SDOT,
>     >> "it's
>     >>>     gone." They couldn't turn it over to a judge if they tried.
>     >>>
>     >>>     Not that license-plate scanners have always been so
>     reliable. Doug
>     >> Honig
>     >>>     of the ACLU remembers a story he heard from a former staffer a
>     >> couple of
>     >>>     years ago about automatic license-plate readers on police
>     cars in
>     >>>     Spokane. Automatic license-plate readers "will read a chain-link
>     >> fence
>     >>>     as XXXXX," Honig says, "which at the time also matched the
>     license
>     >> plate
>     >>>     of a stolen car in Mississippi, resulting in a number of false
>     >> alerts to
>     >>>     pull over the fence."
>     >>>
>     >>>     Seattle's mesh network is only one instance in a trend of
>     Homeland
>     >>>     Security funding domestic surveillance equipment. Earlier
>     this month,
>     >>>     the New York Times ran a story about a $7 million Homeland
>     Security
>     >>>     grant earmarked for "port security"?just like the SPD's
>     mesh-network
>     >>>     funding?in Oakland.
>     >>>
>     >>>     "But instead," the Times reports, "the money is going to a
>     police
>     >>>     initiative that will collect and analyze reams of
>     surveillance data
>     >> from
>     >>>     around town?from gunshot- detection sensors in the barrios
>     of East
>     >>>     Oakland to license plate readers mounted on police cars
>     patrolling
>     >> the
>     >>>     city's upscale hills."
>     >>>
>     >>>     The Oakland "port security" project, which the Times reports was
>     >>>     formerly known as the "Domain Awareness Center," will
>     "electronically
>     >>>     gather data around the clock from a variety of sensors and
>     databases,
>     >>>     analyze that data, and display some of the information on a
>     bank of
>     >>>     giant monitors." The Times doesn't detail what kind of
>     "sensors and
>     >>>     databases" the federally funded "port security" project will
>     pay for,
>     >>>     but perhaps it's something like Seattle's mesh network with its
>     >> ability
>     >>>     to ping, log, and visually map the movement of devices in
>     and out of
>     >> its
>     >>>     coverage area.
>     >>>
>     >>>     Which brings up some corollary issues, ones with
>     implications much
>     >>>     larger than the SPD's ability to call up a given time on a
>     given day
>     >> and
>     >>>     see whether you were at work, at home, at someone's else
>     home, at a
>     >> bar,
>     >>>     or at a political demonstration: What does it mean when
>     money from a
>     >>>     federal agency like the Department of Homeland Security is being
>     >>>     funneled to local police departments like SPD to purchase
>     and use
>     >>>     high-powered surveillance gear?
>     >>>
>     >>>     For federal surveillance projects, the NSA and other federal
>     spying
>     >>>     organizations have at least some oversight?as flawed as it may
>     >> be?from
>     >>>     the Foreign Intelligence Surveillance Court (also known as
>     the FISA
>     >>>     court) and the US Congress. But local law enforcement
>     doesn't have
>     >> that
>     >>>     kind of oversight and, in Seattle at least, has been buying and
>     >>>     installing DHS-funded surveillance equipment without
>     explaining what
>     >>>     it's up to. The city council's surveillance ordinance
>     earlier this
>     >> year
>     >>>     was an attempt to provide local oversight on that kind of
>     policing,
>     >> but
>     >>>     it has proven toothless.
>     >>>
>     >>>     It's reasonable to assume that locally gleaned information
>     will be
>     >>>     shared with other organizations, including federal ones. An SPD
>     >> diagram
>     >>>     of the mesh network, for example, shows its information
>     heading to
>     >>>     institutions large and small, including the King County
>     Sheriff's
>     >>>     Office, the US Coast Guard, and our local fusion center.
>     >>>
>     >>>     Fusion centers, if you're unfamiliar with the term, are
>     >>>     information-sharing hubs, defined by the Department of Homeland
>     >> Security
>     >>>     as "focal points" for the "receipt, analysis, gathering, and
>     >> sharing" of
>     >>>     surveillance information.
>     >>>
>     >>>     If federally funded, locally built surveillance systems with
>     little
>     >> to
>     >>>     no oversight can dump their information in a fusion
>     center?think of
>     >> it
>     >>>     as a gun show for surveillance, where agencies freely swap
>     >> information
>     >>>     with little restriction or oversight?that could allow federal
>     >> agencies
>     >>>     such as the FBI and the NSA to do an end-run around any
>     limitations
>     >> set
>     >>>     by Congress or the FISA court.
>     >>>
>     >>>     If that's their strategy in Seattle, Oakland, and elsewhere,
>     it's an
>     >>>     ingenious one?instead of maintaining a few high-powered,
>     herculean
>     >>>     surveillance agencies designed to digest an immense amount
>     of traffic
>     >>>     and political scrutiny, the federal government could sprinkle an
>     >> entire
>     >>>     nation with lots of low-powered surveillance nodes and let them
>     >> figure
>     >>>     out the best way to route the data by talking to each other. By
>     >>>     diffusing the way the information flows, they can make it
>     flow more
>     >>>     efficiently.
>     >>>
>     >>>     It's an innovative solution?much like the Aruba mesh network
>     itself.
>     >>>
>     >>>     The Department of Homeland Security has not responded to
>     requests for
>     >>>     comment.
>     >>>
>     >>>     --
>     >>>     Dan Staples
>     >>>
>     >>>     Open Technology Institute
>     >>>     https://commotionwireless.net
>     >>>     OpenPGP key: http://disman.tl/pgp.asc
>     >>>     Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
>     >>>     _______________________________________________
>     >>>     Commotion-discuss mailing list
>     >>>     Commotion-discuss at lists.chambana.net
>     >>>     https://lists.chambana.net/mailman/listinfo/commotion-discuss
>     >>>
>     >>>
>     >>>
>     >>>     --
>     >>>     Preston Rhea
>     >>>     Field Analyst, Open Technology Institute
>     >>>     New America Foundation
>     >>>     +1-202-570-9770
>     >>>     Twitter: @prestonrhea
>     >>>
>     >>>
>     >>>
>     >>> --
>     >>> -steve
>     >>>
>     >>>
>     >>> _______________________________________________
>     >>> mesh mailing list
>     >>> mesh at lists.sudoroom.org
>     >>> http://lists.sudoroom.org/listinfo/mesh
>     >>>
>     >>
>     >>
>     >> ------------------------------
>     >>
>     >>
>     >>
>     >> End of mesh Digest, Vol 10, Issue 16
>     >> ************************************
>     >>
>     >
>     >
>     >
>     >
> 
>     --
>     http://mitar.tnode.com/
>     https://twitter.com/mitar_m
> 
> 
> 
> 
> 
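The quoted article's point, and the reason this thread cares about MAC addresses at all, is that a network which records which client MAC each access point saw, and when, can replay a device's path through the city. The following is an added example, not code from this mailing list, from The Stranger, or from Aruba: it builds that per-device timeline from a constructed sighting log and shows why a locally administered (randomized) MAC breaks the correlation. The log format ("unix_time access_point client_mac"), the AP names and the sample addresses are assumptions made for the example.

```python
# Added example (not code from the mailing list, The Stranger article, or
# Aruba): a toy reconstruction of the tracking capability the quoted article
# describes, i.e. turning per-AP sightings of client MAC addresses into a
# per-device movement history, plus the locally-administered-bit check that
# separates vendor-assigned MACs from randomized ones.  The log format is an
# assumption: one sighting per line, "unix_time access_point client_mac".
import os
from collections import defaultdict

# Constructed sample sightings (not real data).  The first device keeps a
# vendor-assigned MAC and is seen at three APs; the other two sightings use
# locally administered (randomized) addresses that cannot be tied together.
SIGHTINGS = """\
1384100000 ap-pier-57     00:1A:2B:3C:4D:5E
1384100300 ap-pike-place  00:1A:2B:3C:4D:5E
1384100900 ap-city-hall   00:1A:2B:3C:4D:5E
1384100050 ap-pier-57     02:9F:11:22:33:44
1384100350 ap-pike-place  06:41:AA:BB:CC:DD
"""


def parse_sightings(text):
    """Parse the assumed log format into (unix_time, ap, mac) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ap, mac = line.split()
        rows.append((int(ts), ap, mac.lower()))
    return rows


def is_locally_administered(mac):
    """True when bit 1 of the first octet (the IEEE 802 U/L bit) is set.

    Randomized MACs set this bit; vendor-assigned (OUI-based) MACs clear it."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def build_timelines(rows):
    """Group sightings by MAC into time-ordered (unix_time, ap) paths."""
    timelines = defaultdict(list)
    for ts, ap, mac in sorted(rows):
        timelines[mac].append((ts, ap))
    return dict(timelines)


def trackable_devices(timelines, min_aps=2):
    """MACs seen at min_aps or more distinct APs: a movement history exists."""
    return sorted(mac for mac, path in timelines.items()
                  if len({ap for _, ap in path}) >= min_aps)


def random_local_mac():
    """Generate a locally administered, unicast MAC (what a MAC-randomizing
    client would use): set the U/L bit, clear the multicast bit."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    timelines = build_timelines(parse_sightings(SIGHTINGS))
    for mac, path in timelines.items():
        kind = "randomized" if is_locally_administered(mac) else "vendor-assigned"
        print(f"{mac} ({kind}): {' -> '.join(ap for _, ap in path)}")
    print("trackable:", trackable_devices(timelines))
    print("fresh random MAC:", random_local_mac())
```

Run it and only the vendor-assigned address comes back from trackable_devices: the two randomized sightings each form a one-entry timeline and cannot be joined into a path. The flip side for a mesh operator is that the U/L bit also makes randomized clients easy to spot in the logs, so randomization hides where a device went, not that some device is randomizing.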



More information about the mesh mailing list