It's even more unfortunate that the committees designing these protocols don't think this way. People with an identifier number tattooed on their arm don't walk around continually reciting it. In fact, they generally wear long sleeves.
The comparison between willingly assigned and transmitted MAC addresses and death camp tattoos is utterly absurd, both because it unnecessarily pulls Nazis into the conversation, and because they have no useful parallels purely from a technical point of view.
Calling them "willingly" transmitted is a bit of a stretch, given that people don't have much choice to turn just them off and defaults are a powerful thing.
The useful parallel is the general inventorying and tracking of people. Luckily we don't have the rest of totalitarianism (yet), but this cornerstone is well laid due to naive designers.
BTW you were the one who brought up the subject of Nazis.
Right, when you said "People with an identifier number tattooed on their arm" you weren't even thinking of Nazi concentration camp victims. Sure. Pull the other one.
Every router I've ever seen has a pretty clear setup option for creating a hidden network. I agree that defaults are powerful, but they don't make it any less "willing," they merely expose people's indifference.
Actually I was thinking of prisoners of the Japanese in WWII. As I said, the Nazis were hardly the only ones to number prisoners, and I suspect the phenomenon has more to do with technology than with the supreme evil tidily ascribed to losers of wars.
I'm making a general point about identifiers and protocols. The same thing applies to client MACs, which are obviously being used to track phone users with wifi on. Obviously MAC addresses can be cycled, but that takes active diligence. If the protocol had simply been designed to eschew and hide such identifiers in the first place, the entire issue wouldn't even exist.
> Actually I was thinking of prisoners of the Japanese in WWII.
I've never heard of this, and have family that served in the Pacific during WWII. I'm also having difficulty discovering any sources that mention the practice, let alone reliable ones.
> I certainly see plenty of references to "POW number" for various conflicts.
AFAIK, it was never policy of the Allied forces to tattoo anything on captured POWs. I would be very surprised if captured Axis soldiers were not given some sort of uniform, unique tracking number.
> It's even more unfortunate that the committees designing these protocols don't think this way.
So. How would you design a system to permit associated or unassociated stations to passively determine whether or not they were in range of a given AP? Remember that unassociated stations may never have ever interacted with the AP in question before this moment.
That's the easy part. If previous contact hasn't taken place, persistence is irrelevant. Simply envision the current system with a periodically changing BSSID as your proof of existence.
If the AP and client possess a shared secret (as in WPA2), then there's no reason for a third party to be able to deduce any identifying information.
> That's the easy part. If previous contact hasn't taken place, persistence is irrelevant. A periodically-changing ID would do.
Okay. How would you design a system to permit associated or unassociated stations to passively determine whether or not they were in range of a given AP? Remember that human-friendly names for a given AP are almost certain to collide.
First, for purposes of this comment I only need to address the situation where WPA2 is currently used (the majority of private APs). Second, I'm one person taking a few minutes to write a HN comment, not a design committee.
Simple protocol: The AP and client have shared secret K (similar to the present WPA2 key). We define the identity of a network as this secret key. The AP can change "BSSID" every hour, while broadcasting [BSSID, Hash(BSSID, K)]. An interested client runs through their database of known private networks, checking if the broadcaster is any they know.
This obviously has a number of shortcomings (eg our attacker is also known to groom people into uploading K to their silos), but it should illustrate the concept.
As I said originally, just change the BSSID periodically. The network name is the network identity, and people deal with collisions just fine. Also, this is back to the case of non-WPA2 (otherwise the user would have to enter the secret K anyway, merely changing the process slightly).
Are you designing two half systems, one of which periodically changes BSSID but provides no other anonymity protection, and the other which hashes the BSSID with the WPA2 PSK?
Or are you designing one system with a rotating BSSID that transmits -in cleartext- the BSSID and the hashed BSSID?
I'm pointing out existence certificates of each independent property. View them as two systems, or assume they can be merged into one system.
It's obviously impossible to have a publicly-available network that hides its existence to the public (while a private network can obviously hide its existence to the public completely), so each problem will obviously have different ideal solutions.
> View them as two systems, or assume they can be merged into one system.
It's the merging and the details of the same that's the complicated bit, and the only thing worth talking about in this sub-thread.
You made the assertion that the "the committees designing [wireless communications] protocols don't think [that things screamed on the street corner are public data]". [0] This is simply not true. The folks who designed 802.11 had to make several key-management-complexity/computational-power/ease-of-use tradeoffs.
> ...while a private network can obviously hide its existence to the public completely...
Not if it's a relatively-high-performance radio network operating in a relatively tiny slice of spectrum, [1] it can't.
Merging them really only means merging the concepts for a common model of administration. Public and private are two completely different modes, and don't exist simultaneously.
A high-bandwith radio transmitter obviously gives its presence up, but that doesn't mean it needs to identify itself. Of course the FCC likes transmitters to do this, but that too is an anti-feature with respect to public-use spectrum.
There were obviously tradeoffs involved for 802.11, which is how we got WEP. I'd just be surprised if having a (semi-)fixed MAC address was ever questioned, given that it's the basis for 802.3 and leaking some associated identity is basically a forgone conclusion in today's world of license plates, etc. But with the obvious effects of mechanized tracking and aggregation, it really shouldn't be. So I stand by my assertion that the designers would have benefited from a perspective where being pushed to do the equivalent of continually shouting/showing one's identity is a very bad thing.
