Free Republic
General/Chat

Improving YOUR Online Security [Windows 10 & 11, Randomize your WiFi address]
market-ticker.org | 8/22/2024 | Karl Denninger

Posted on 09/05/2024 3:00:40 PM PDT by ransomnote

It's a small difference, but a real one.

Go into your operating system and for all WiFi connections set MAC address randomization.

For Windows 11 it is under Network & Internet -> WiFi right at the bottom -- "Random hardware addresses."

For Android it is on by default for WiFi connections -- check all of them you use, and it should be on.

I suspect IOS on Macs has a similar feature.

Unfortunately for most systems there is no similar setting for hardware connections (e.g. cabled.)

This didn't used to matter much in the world of IPv4 because MAC addresses do not travel beyond the local network.  They have to be unique within the local network domain (e.g. your WiFi access point or similar) because that's how the network builds the mapping table so it knows what IP address (for example) goes to what machine.  Since they never leave the local domain the only real value in the IPv4 universe was preventing some local actor from mapping recurring device presence in a given place.  It would take a great deal of effort to put together any sort of "coalition" between such locations to develop any sort of effective "profiling" capability.

Unfortunately in the IPv6 world this is no longer true. SLAAC, which is what most IPv6 networks use for local devices, results in a globally-unique address that is specifically tied to your hardware and is visible anywhere on the Internet you connect to!

So now when you connect to any site on the Internet and are using IPv6 the other end has a globally-unique identifier for your specific device, and unless you can randomize the MAC address it uses you now have dropped a "breadcrumb" that identifies your specific machine.


(Excerpt) Read more at market-ticker.org ...


TOPICS: Miscellaneous
KEYWORDS: android; hh2; ipv4; ipv6; linux; mac; macaddress; microsoft; nutty; security; wifi; windows; windows10; windows11; windowspinglist
To: RoosterRedux

If you’re running only IPV4, probably not if you have a good up-to-date router set up properly (with firewall protection), and (optionally) software firewalls running on your end devices. If you’re running IPV6 to the Internet via the LAN and no use of VPN, then yes, you should use MAC randomization.


21 posted on 09/05/2024 4:38:37 PM PDT by steve86 (Numquam accusatus, numquam ad curiam ibit, numquam ad carcerem™)

To: ransomnote

IPv6 was necessary because IPv4’s 32 bits was inadequate even for every human to have their own IP address, much less the number of computers we have now.

But they “improved” things in a foolish way (IMHO). Not only was IPv6 quite incompatible with IPv4 (it needed new software and often new hardware), but they killed privacy by designing it to require a *unique* IPv6 address (128 bits) for every device on the Internet (computer, phone, TV, automobile, air conditioner, etc.).

It’s too bad they didn’t follow the lead of Ma Bell when they introduced Area Codes and Direct Distance Dialing in a backward compatible manner. When that was done (by simply adding digits to the phone number), you didn’t have to get a second phone number and add a new phone to use the new feature.

There were (and still are) some reserved IPv4 addresses that could have been used to indicate that what followed was actually IPv6, which then could probably have been handled in a compatibility mode.


22 posted on 09/05/2024 4:45:48 PM PDT by powerset

To: C210N

For Windows 7, all I found was the ability for the user to change their mac address (spoofing). This is not nearly as private as randomizing - but it does change it.

https://www.digitalcitizen.life/change-mac-address-windows/


23 posted on 09/05/2024 4:50:47 PM PDT by ransomnote (IN GOD WE TRUST)

To: RoosterRedux

Password-type security really doesn’t have anything to do with this; it is about broadcasting your IPV6 address to the whole world which invites IP-based attacks of various kinds.

I turned off my firewall for a few minutes the other day when reconfiguring the LAN and there were tens of attempted attacks during that time and not even related to IPV6.


24 posted on 09/05/2024 4:50:58 PM PDT by steve86 (Numquam accusatus, numquam ad curiam ibit, numquam ad carcerem™)

To: ransomnote

Remember in V4 that address doesn’t go out past the router / firewall anyway.


25 posted on 09/05/2024 4:52:32 PM PDT by steve86 (Numquam accusatus, numquam ad curiam ibit, numquam ad carcerem™)

To: C210N; steve86

In the General/Chat forum, on a thread titled Improving YOUR Online Security [Windows 10 & 11, Randomize your WiFi address], steve86 wrote:

Remember in V4 that address doesn’t go out past the router / firewall anyway.

As steve86 points out, the older internet protocol (V4) doesn't expose your MAC address. If you are already using V4, no need to do anything. If you're using V6, you could just switch to V4 to conceal your MAC address.

https://support.nordvpn.com/hc/en-us/articles/19919186892305-How-to-disable-IPv6-on-Windows


26 posted on 09/05/2024 4:57:29 PM PDT by ransomnote (IN GOD WE TRUST)

To: ransomnote

Good stuff! There is another concern and I honestly do not know how to beat it. Every device has a unique device ID number. They now have device ID recognition software. They use it for security purposes, but it could be used just as well for watching for when a unique device pops up on the WWW. Point being not sure hiding a MAC address would do anything to help with this issue. Maybe someone who knows more than I do about it could chime in.


27 posted on 09/05/2024 5:06:11 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: ransomnote

Bkmk


28 posted on 09/05/2024 5:20:39 PM PDT by GrandmaPatriot

To: brianl703

iOS doesn’t run on macs


29 posted on 09/05/2024 5:38:38 PM PDT by webheart

To: ransomnote

bump to top


30 posted on 09/05/2024 7:20:43 PM PDT by Bob434

Mark


31 posted on 09/05/2024 7:23:29 PM PDT by Bigg Red (Trump will be sworn in under a shower of confetti made from the tattered remains of the Rat Party.)

To: brianl703

MAC can apply to Dems / Libs, too: Many ARE Crazy.


32 posted on 09/05/2024 7:25:30 PM PDT by Paul R. (Bin Laden wanted Obama killed so the incompetent VP, Biden, would become President!)

To: Gideon7

I have enough problems trying to make our home network behave as it is...!


33 posted on 09/05/2024 7:26:58 PM PDT by Paul R. (Bin Laden wanted Obama killed so the incompetent VP, Biden, would become President!)

To: AdmSmith; AnonymousConservative; Arthur Wildfire! March; Berosus; Bockscar; BraveMan; cardinal4; ...

34 posted on 09/05/2024 10:57:23 PM PDT by SunkenCiv (Putin should skip ahead to where he kills himself in the bunker.)

To: powerset

With IPv6 there are four ways to allocate a unique IPv6 address for a device: SLAAC, DHCPv6 (stateful), RD (stateless), or static.

SLAAC (Stateless Address Autoconfiguration) is the default method for allocating a local LAN address. It uses the MAC address for the bottom 64 bits of the 128 bit address.

It didn’t take long for privacy concerns to be raised about SLAAC in the developer community, so they started randomizing the bottom 64 bits by default. Today, Windows, Android, Linux and Apple all use randomized SLAAC.

A SLAAC address is not routable on the public Internet. The upper 64-bits are hardwired to FE80:0:0:0. As such, it only works inside the LAN in your home (same as your MAC address). Conceptually it works similar to WiFi privacy settings for the MAC address. For this reason, some people like to change the default back to the old way of using the MAC address for the bottom half, which can be useful in a home setting for tracking your devices.

A web/mail server will typically use a fixed public routable 128 bit IPv6 address, which gets published in DNS.

For non-static routable IPv6 addresses, the choices are DHCPv6 (stateful) or RD (stateless). DHCPv6 allocates the bottom bits from a fixed pool of manually assigned addresses. It is more complicated to set up than RD, as it requires a server to track the allocations (the state). The advantage is that it allows the centralized tracking of all addresses on your LAN, which can be useful in a large organization that is concerned about internal security, e.g., to prohibit the use of unauthorized devices on the premises. Use of DHCPv6 is rare otherwise. (ISPs with older IPv6 implementations also sometimes use something called DHCPv6-PD for public routing.)

Most modern ISPs today use RD (Router Discovery). A set-top box that your ISP gives you will announce the 64-bit public prefix via periodic ICMPv6 broadcasts on your home network. Your PC or phone picks up the broadcasts to get the routable prefix. RD is stateless in that the router merely announces the upper 64-bit prefix and doesn’t care about the lower 64 bits. RD works similarly to SLAAC, except instead of using a fixed upper half (FE80:0:0:0) it uses whatever your ISP announces as the public routable prefix.

RD is newer than DHCPv6-PD, so it always has randomization baked-in for the bottom half. This is by design for privacy. I think you can turn it off if you want (similar to SLAAC). But be careful, however, because RD allocates a *public* IPv6 address prefix for your device. This means that it can be used to fingerprint your device using the bottom 64 bits. For this reason I recommend leaving your RD configuration alone if you care about anonymity on the Internet.

In the IPv6 world, every device gets assigned at least two addresses: a SLAAC address and an RD address. SLAAC is for local communication only, so privacy isn’t as much of an issue for it.


35 posted on 09/05/2024 11:03:45 PM PDT by Gideon7

To: ransomnote; Paul R.; Openurmind; steve86; RoosterRedux

See #35 for an explanation of IPv6 address-privacy.


36 posted on 09/05/2024 11:09:32 PM PDT by Gideon7

To: Gideon7

Thank you for taking the time to provide the details and recommendations!


37 posted on 09/05/2024 11:34:49 PM PDT by ransomnote (IN GOD WE TRUST)

To: wjcsux

How to protect against these criminals?
They are even hiding a secret service agent so he cannot testify.
Or they murdered him.

Breanna Morello
@BreannaMorello
https://x.com/BreannaMorello/status/1831658555310506047
The obama Administration ILLEGALLY spied on journalists and obtained their phone records to find their sources.

Sharyl Attkisson was working for CBS News when she caught the Obama regime hacking into her electronics and looking to plant explicit content on her husband’s devices.


38 posted on 09/06/2024 1:18:32 AM PDT by minnesota_bound (Need more money to buy everything now)

To: steve86
Gotcha. And thx.

I am using IPv4.

As an aside, should I contact my ISP and upgrade?

39 posted on 09/06/2024 2:55:36 AM PDT by RoosterRedux (Thinking is difficult. And painful. That’s why many people avoid it.)

To: powerset

It turns out that D.J. Bernstein (https://cr.yp.to/djb.html), who is well known for his cryptographic and computer security expertise, already had observed in his article “The IPv6 mess” (https://cr.yp.to/djbdns/ipv6mess.html) that:

“The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an *alternative* to the IPv4 address space, rather than an *extension* to the IPv4 address space.”


40 posted on 09/06/2024 9:22:00 PM PDT by powerset

