Are we all handing to Google the SSID of our home routers?

Yeah, that's a potential but different problem. We're discussing keeping your location hidden from Google and friends. If you're worried about using a common SSID because it's used as a "seed" for encrypting your WPA/WPA2 key, I guess that's more important than hiding from Google.

No, because Google will still know where you're located.

That doesn't work. Using the router feature of MAC address cloning or changing only changed the MAC address for the WAN (internet) port. That's useful for the few remaining ISP's that authenticate by MAC address, but not really a good privacy measure. The MAC addresses for the LAN side, including the wireless, remains unchanged. Since Google wants the LAN MAC address for their directory of wi-fi devices, you're stuck with the MAC address delivered by your wireless router vendor.

The only way I can currently think of changing the wi-fi MAC address is to plug a wireless card into a PC or SBC (single board computah), set it up to act as an access point, and change the MAC address in Linux. I haven't tried this.

In case it's not obvious, I am somewhat joking. I don't consider hiding from Google and SSID mutilation to be worthy exercises.

You're mixing two separate and independent problems.

  1. Google knows your location by SSID and MAC address.
  2. Evil hackers might crack your WPA2/AES pass phrase because the SSID is known. This assumes that Google is not trying to crack your pass phrase.

The first is not worth solving because Google only stores the SSID, MAC address, and whatever else it can sniff, for a limited amount of time. I think it's 30 days, but I'm not sure. I can't find the URL where they mention this, but it's understandable. WiFi location data gets stale quickly, especially with mobile hotspots.

The second is strictly a matter of minimizing the chances of ending up in the rainbow tables. I have already mentioned what I consider a good way to avoid the entire issue, by using WPA2/AES/Enterprise encryption, with one time keys that are not easily cracked and non-shared (i.e. no PSK) keys, that cannot be "borrowed" from another user on the same system.

I hate security discussions, especially on weekends.

Reply to
Jeff Liebermann
Loading thread data ...

I can only offer sympathy for your confusion. However, if you ask a decent question, I can try to answer.

If you have an Android device, you must have a Google account in order to operate it. Usually, it's a gmail.com account. If you're using the Google play store, then use that login and password. None of the links I provided in my previous rant will work without being logged into a Google account.

Your phone signs in to your Google account automagically when you are online. None of the Google apps and many of the Android features will not work if you fail to login.

If you turn OFF syncing contacts, email, settings, etc to the Google cloud, as was previous described, you will NOT be syncing anything to Google. However, you may still be logging into your Google account when you connect to the internet.

Bottom line: You cannot effectively use your Android phone if you do NOT have a working Google account.

Sometimes, I wonder if even Google understands their own products.

Reply to
Jeff Liebermann

Using a common SSID is risky, in that it makes the well-known time-space tradeoffs for WPA-PSK passphrase cracking worthwhile.

formatting link
l-)

But how strong is ?as needed?? (Assuming a unique SSID...)

WPA derives PMK from PSK using PBKDF2 with 4096 rounds of HMAC-SHA1. HMAC invokes the hash function twice, and the input each time is 2 blocks. 256 bits of output are required so there?ll be 2 output blocks.

That gives 4096*2*2*2=32768 invocations of the SHA1 compression function (plus a trivial amount more for the PTK derivation and MIC calculation).

formatting link
quotes results up to 37Ghash/second on a single well-stocked chassis (costing I think around $10K), i.e. about a million WPA-PSK passphrases per second.

If you can estimate your adversary?s equipment budget (and power/cooling budget!) and how long they?re willing to spend attacking your network, you now have enough information to work out a lower bound on passphrase complexity.

Check my workings before relying on any of this!

Reply to
Richard Kettlewell

Welcome to two factor authentication. Actually, Google calls it a "recovery phone" number. Allegedly, they will contact you on the stored phone number if they detect "unusual activity". I use email for password recovery, not SMS.

You're correct that it's a plot for Google to collect your cell phone number. My Google account was created before 2009 when Google implemented this nonsense, so Google does NOT have my cell phone number and does NOT ask for two factor authentication. This might help: What I did when Google demanded my cell phone number was to give it to them, do their authentication dance, and then remove the phone number from my account using the dashboard or account details. Click the pencil icon under "Add recovery phone".

Google only had my cell phone number for about 5 minutes, but that was enough for me to get about 10 SMS spam messages and 2 voice spam messages. Google claimed that was impossible, but I think otherwise. The spam died down after about 2 weeks.

However, your situation is probably a special case. Changing the Google account name so many times on a single Android device probably triggered some security alarms at Google. I would certainly call that "unusual activity". I don't know what might happen, but Google is probably interested in determining your identity and possibly contacting you.

Reply to
Jeff Liebermann

Only if they know my location. They know it *approximately* from the phone being on but that's all they *have* to know.

Reply to
cl

This depends entirely on your particular threat model. I you live in an area where the houses are 400 ft apart then "Do not crack this pass-phrase." might be enough as you would spot someone parked in your driveway while trying to log in.

If you store data that is worth much to anyone who can get it then something like "`

Reply to
Mike Yetto

Sorry. I wasn't specific enough. Google knows the location of your wireless router by SSID and MAC addresses. They might also be sniffing for smartphones, client radios, range extenders, repeaters, WISPs, laptops, tablets, PDAs, game machines, wireless media players, RC controlled airplanes, drones, or anything that might benefit from an overdose of advertising. However, these are uncertain and part of a different discussion. We're currently discussing a home wireless router.

Reply to
Jeff Liebermann

Jeff, I (almost) debate that sentence.

I think we *can* log out of almost all of the Google accounts. I know I have tried (see details below).

Any advice for what I've missed would be excellent!

Here are all the Google Apps that I can think of on my phone:

formatting link

  1. Google Play Store* Hamburger > {Settings, My account} There does not seem to be any way to sign OUT of Google Play!
    formatting link
  2. Google Search HardMenu > Settings > Privacy & accounts > Google Account = I seem to be signed out permanently.
    formatting link
  3. Google Maps HardMenu > Settings > Sign in I seem to be signed out permanently.
    formatting link
  4. Google Gmail Hamburger > Sign in I seem to be signed out permanently.
    formatting link
  5. Google YouTube Hamburger > Sign in I seem to be signed out permanently.
    formatting link
  6. Google Chrome HardMenu > Settings I seem to be signed out permanently.
    formatting link
  7. Google Hangouts* Automatically logs you in when you start the app! Signing out kills the app! HardMenu > Settings > Sign out
    formatting link
  8. Google My Tracks HardMenu > Settings Does not seem to have any log in capability
    formatting link

Every single one of those, I have long ago expressly logged OUT of and I have never logged back in, and my phone seems to work just fine.

  • The only ones I can't seem to log out of are Google Play, and Hangouts, although I don't have to actually *use* either one of those in day to day activities.
Reply to
Alice J.

Not on this planet. We have locally administered MAC addresses" in addition to the usual counterfeit and bogus MAC addresses.

Reply to
Jeff Liebermann

I am very experienced in avoiding giving Google any phone number or ancillary email.

It has been getting harder than ever in the past year.

I use VPN and Google really hates when you come in from multiple IP addresses. I also change my user agent string a lot (it's random, to avoid fingerprinting).

So, at this point, in the last few months, it has been almost impossible to start a Gmail account without giving them a phone number. Sigh.

Reply to
Alice J.

That's fine. 99.99% of the people out there don't even *know* what you know, for example.

But, for those who both know and care, then we (those people) can work together.

Besides, I'm just asking as a thought experiment, would it work?

Would it work if we all did these three things?

  1. Set our SSID to the same ssid (e.g., DEFAULT_nomap).
  2. Set our MAC to the same MAC (e.g., DE:AD:BE:EF:CA:FE).
  3. Set a very strong passphrase ('cuz we'd need it!).

Would that work?

Reply to
Alice J.

AFAIK, it would only work for Google who "says" they'll honor it.

See: Google Announces ?_nomap? WiFi Opt-out Option, Wants Other Location Providers To Go Along

formatting link

I think you're wrong, Mike. It's rare that I know more than you do, but, at the level of the router, which is behind the cable or dsl modem or wisp tranceiver, it wouldn't matter at all, I think, if we all had the same DE:AD:BE:EF:CA:FE MAC address.

Am I right?

(Someone here must know the answer to that question.)

I guess whether the modem is set up as a "bridge" or "router" might matter. Jeff might know more about that.

Reply to
Alice J.

I fully understood that the salt for wpa2 encryption is the ssid, which is why our passphrases would have to be as strong as we can make them.

It would have to NOT be in the rainbow tables at the very least. I see what you're saying is that it exposes us to brute-force attacks.

Reply to
Alice J.

Except that your MAC gives you away.

Reply to
Alice J.

So it is writ by Alice J. , so mote it be.

You should look at this tool supplied by EFF (THE ELECTRONIC FRONTIER FOUNDATION).

Mike "don't know if anyone takes it to this level" Yetto

Reply to
Mike Yetto

Jeff, Wouldn't DE:AD:BE:EF:CA:FE work on almost all routers?

The router is behind the modem (or transceiver in the case of WISP).

I guess it depends on whether the modem (or transceiver) is set up as a bridge or router, but, wouldn't it work in most cases?

Reply to
Alice J.

DRAT.

Can you further clarify WHICH mac address Google is getting?

I know a typical SOHO router has a bunch of mac addresses, one for each NIC. MAC0 = WAN Ethernet port

Reply to
Alice J.

:)

Reply to
Alice J.

I've been battling my browser fingerpints for a few years now.

That's why I'm happy to see the very latest tor browser bundle finally bundled the fonts inside the browser.

My browser comes up unique because of the darn fonts and the darn oddball screen size. Drives me crazy.

So I have to futz with other things that are otherwise fine, just to be *differently* unique each time.

Drives me crazy.

Reply to
Alice J.

Nevermind.

I saw your post that said Google gets the LAN SSID/MAC and not the WAN MAC, which is what "cloning" changes.

Sigh.

Reply to
Alice J.

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.