[AusNOG] Metadata retention... it's now (almost) a thing

Mark Andrews marka at isc.org
Thu Oct 30 14:09:23 EST 2014 

In message <CAJcib_5GpLT-t6zqHVgY_qhPiQj7Ts=gCYO8Pi6Fv1RP5pzg+Q at mail.gmail.com>
, thelionroars writes:
> 
> I'm surprised MAC address tracking is being taken seriously by anyone here.
> A conviction based on it would never stand.

Not alone but as part of a complete brief, yes it could be used.
It also provides data which can be corollated with other data.

I can well imagine having a random MAC per stream eventually.  802.11
cards supporting thousands of simultaneous associations.

People don't like to be tracked even if they are not doing anything
wrong.

Mark

> On 30 Oct 2014 13:52, "Paul Julian" <paul at oxygennetworks.com.au> wrote:
> 
> > They would only catch small time script kiddies with MAC address, anybody
> > who knows what they are doing won't be using their machine or will be using
> > different ones all the time, I mean seriously, busting somebody based on
> > MAC address would be small time stuff surely, sure it might get the people
> > pirating movies and porn etc but this bill is supposed to be to save the
> > country from the terr0rists isn't it ?? I really can't see a person like
> > this who would go to elaborate lengths to not get caught being busted by
> > using the same MAC address multiple times.
> >
> > Paul
> >
> > -----Original Message-----
> > From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Matt
> > Palmer
> > Sent: Thursday, 30 October 2014 1:33 PM
> > To: ausnog at lists.ausnog.net
> > Subject: Re: [AusNOG] Metadata retention... it's now (almost) a thing
> >
> > On Thu, Oct 30, 2014 at 01:00:00PM +1100, thelionroars wrote:
> > > I would hope someone involved realises that identifying with a MAC
> > > address is worse than useless.
> >
> > On the contrary, a MAC address identifies a device (to a reasonable
> > degree).
> > It may not help a *huge* amount with making an arrest[1], but it'll
> > provide a solid piece of evidence to use towards gaining a conviction.  Or
> > at least confirming that you're water-boarding the right dissident (if you
> > worry about those things).
> >
> > - Matt
> >
> > [1] Although finding the same MAC address using multiple different
> > networks at different times[2], you can get a good indication of movement
> > patterns, which may then provide more data to aid in apprehension.
> >
> > [2] That's even *with* iOS 8's MAC address randomization on probes.  For
> > any device that *doesn't* do randomization, I'd be amazed if law
> > enforcement doesn't quickly gain the technology required to track that --
> > if they aren't already doing it.
> >
> > --
> > "You are capable, creative, competent, careful.  Prove it."
> >                 -- Seen in a fortune cookie
> >
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> >
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> >
> 
> --001a113a62909a24eb05069b091a
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
> 
> <p dir=3D"ltr">I'm surprised MAC address tracking is being taken seriou=
> sly by anyone here. A conviction based on it would never stand.</p>
> <div class=3D"gmail_quote">On 30 Oct 2014 13:52, "Paul Julian" &l=
> t;<a href=3D"mailto:paul at oxygennetworks.com.au">paul at oxygennetworks.com.au<=
> /a>> wrote:<br type=3D"attribution"><blockquote class=3D"gmail_quote" st=
> yle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">They =
> would only catch small time script kiddies with MAC address, anybody who kn=
> ows what they are doing won't be using their machine or will be using d=
> ifferent ones all the time, I mean seriously, busting somebody based on MAC=
>  address would be small time stuff surely, sure it might get the people pir=
> ating movies and porn etc but this bill is supposed to be to save the count=
> ry from the terr0rists isn't it ?? I really can't see a person like=
>  this who would go to elaborate lengths to not get caught being busted by u=
> sing the same MAC address multiple times.<br>
> <br>
> Paul<br>
> <br>
> -----Original Message-----<br>
> From: AusNOG [mailto:<a href=3D"mailto:ausnog-bounces at lists.ausnog.net">aus=
> nog-bounces at lists.ausnog.net</a>] On Behalf Of Matt Palmer<br>
> Sent: Thursday, 30 October 2014 1:33 PM<br>
> To: <a href=3D"mailto:ausnog at lists.ausnog.net">ausnog at lists.ausnog.net</a><=
> br>
> Subject: Re: [AusNOG] Metadata retention... it's now (almost) a thing<b=
> r>
> <br>
> On Thu, Oct 30, 2014 at 01:00:00PM +1100, thelionroars wrote:<br>
> > I would hope someone involved realises that identifying with a MAC<br>
> > address is worse than useless.<br>
> <br>
> On the contrary, a MAC address identifies a device (to a reasonable degree)=
> .<br>
> It may not help a *huge* amount with making an arrest[1], but it'll pro=
> vide a solid piece of evidence to use towards gaining a conviction.=C2=A0 O=
> r at least confirming that you're water-boarding the right dissident (i=
> f you worry about those things).<br>
> <br>
> - Matt<br>
> <br>
> [1] Although finding the same MAC address using multiple different networks=
>  at different times[2], you can get a good indication of movement patterns,=
>  which may then provide more data to aid in apprehension.<br>
> <br>
> [2] That's even *with* iOS 8's MAC address randomization on probes.=
> =C2=A0 For any device that *doesn't* do randomization, I'd be amaze=
> d if law enforcement doesn't quickly gain the technology required to tr=
> ack that -- if they aren't already doing it.<br>
> <br>
> --<br>
> "You are capable, creative, competent, careful.=C2=A0 Prove it."<=
> br>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 -- Seen in a fortun=
> e cookie<br>
> <br>
> _______________________________________________<br>
> AusNOG mailing list<br>
> <a href=3D"mailto:AusNOG at lists.ausnog.net">AusNOG at lists.ausnog.net</a><br>
> <a href=3D"http://lists.ausnog.net/mailman/listinfo/ausnog" target=3D"_blan=
> k">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
> <br>
> _______________________________________________<br>
> AusNOG mailing list<br>
> <a href=3D"mailto:AusNOG at lists.ausnog.net">AusNOG at lists.ausnog.net</a><br>
> <a href=3D"http://lists.ausnog.net/mailman/listinfo/ausnog" target=3D"_blan=
> k">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
> </blockquote></div>
> 
> --001a113a62909a24eb05069b091a--
> 
> --===============2588354896716480880==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
> --===============2588354896716480880==--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the AusNOG mailing list