Microsoft publishes Wi-Fi data collection code Microsoft has published code for the software that its roving vehicles use to collect wireless network information. The move is an apparent attempt to make Microsoft look good next to Google. On Tuesday, the software giant proudly told the world that it had published some of the code used by the Microsoft vehicles that drive …
They used to collect personally identifying information about handsets, but then Google got a shitload of flak over their wardriving and it was too good a PR opportunity to miss.
Microsoft, you are as bad as Google and Apple for this. Worse, possibly. At least Google admitted they fucked up. To take it to an extreme, it's a little like one serial killer being caught and another saying "yeah but I don't kill people ANY MORE. At least, after that last one got caught anyway. That means I'm better."
Oh god I just made an analogy.
Google may have admitted it effed up, but only after denying it effed up, then saying it may have effed up, than saying "it was just a simple mistake".
Kind of a scary mistake, to "accidentally include code" in a non-test environment that grabs personal data from unencrypted wi-fi communications and store them. Wonder how that got "overlooked".
Here's to watching it all go down, knowing it all sucks and we aren't getting a slice of the pie (though they're getting a slice of some emails, apparently!)
..I'm pretty sure that airodump-ng defaults to slurping everything it can, and you have to do further processing on the .cap file to grab the SSID/BSSIDs. It wouldn't be beyond the realms of possibility for the guys who wrote the data-slurping software to have just used an existing tool rather than re-invent the wheel.
http://linux.die.net/man/1/airodump-ng
Now whether Google would have just extracted the identifiers and deleted the rest of the data, I'll let everyone else form their theories on that.
"They used to collect personally identifying information about handsets, but then Google got a shitload of flak over their wardriving and it was too good a PR opportunity to miss."
Yes.. And they still are. If you want them to do it..
It's called track my phone, which you can use if you want (off by default). Using this service you can try to locate your phone if you have lost it..
There is a quite clearly written privacy statement you can read when you enable this feature. Location data is private and not used for other purposes (based on statement)
Same goes with using location data. It's always off by default and every application asks a separate permission to use it. This data used to have and unique identifier, but it was an randomly generated one unless you used Track my Phone.
So I would guess that they have dropped this random identifier altogether.
But this was not the thing what sparked the criticism against Google. It was the Fact that Google was tracking phones without a permission from user of the phone.
Microsoft instead provided the Always Off -approach with easy to read Privacy statements what that is gathered and how it's used if user enables these features.
So not quite a same.
I actually like the idea that Microsoft has chosen the privacy and openness road. I think that after a while those two will be quite valued things.
Without the complete sources and the ability to run a diff against that in their vehicles, we have only their word for it.
What? Believe the old Evil Empire cum Patent Shark in the middle of a dig at Google? Not likely. Especially with Ballmer in the picture, the only thing I'm inclined to believe has something to do with "developers", apparently.
Given that it must capture the SSID and the geo-coordinates associated to be of any use, I'm not quite sure how capturing the associated MAC (if it does) makes it any more identifiable than it already is. Knowing this information, if knowing the MAC really floats your boat just drive round there and ask it.
Now, if they captured and stored the MACs using that point at the time it would be an issue I'll grant. There would be no justification for that, although I am not quite sure what nefarious purposes such data in isolation could be put to.
Erm how is a MAC address personally identifiable information? Surely Media Access Control (MAC) identifies err the media. Not you. If you have something that correlates the MAC address of your router / access point to your personal information then your a little silly.
A MAC address is to identify hardware not you.
Therefore MAC address has the potential to identify the user.
The EPC in a barcode that is scanned at check out is unique to the device being purchased and identifies that particular device. Therefore there is a link between the device purchased and the customer's card information should the customer have used a card. If cash is used for payment, POS software records the time and date of transaction and if the store has CCTV, you best be smiling or have your good side facing the camera.
Manufacturers know which device has which MAC address/Serial No and to whom it was shipped and when.
So a MAC address leads to a manufacturer and then to the store in which the device was sold.
A search of sales records will show when and to whom the device was sold.
Whilst this trail maybe a little difficult for your average stalker to follow, authorities won't have any problem at all.
Not only that but it doesn't have to be, either. The only place a MAC has to be unique is in relation to other MACs on the same network. If my MAC address is the same as some guy down the street or in another country, nothing stops working asides maybe someone's attempt at wifi-based geolocation.
Anyway, if you're that paranoid you can change the WAN MAC (and accordingly, the BSSID) of most home routers. Just set it to be 00:11:22:33:44:55 or some other unlikely-to-be-unique value. If you have some techie ability and fancy really fucking around, write a little script to log into your router and swap the WAN MAC around every five minutes. That may, however, cause you to stick out like a sore thumb amongst the rest of the normally-behaving routers.
"The EPC in a barcode that is scanned at check out is unique to the device being purchased and identifies that particular device."
No, it identifies that particular product. The barcode for say, a Netgear DG834 will be the same as the barcode for other Netgear DG834s, at least within the same batch of however-many hundreds of thousands.
... more of a wipe-over with a dirty cloth.
Still, it's refreshing to see some openness from them. I would have been happier if the public statements were more exact, though - eg the statement "...the software does not intercept wireless data transmissions from consumers’ computers..." still leaves open the interception of data returned to the computers from the access point. The only way to be sure is to delve into the code, which I'm going to attempt for a laugh.
Surely there needs to be a balance between the security of data that can only loosely be defined as 'personal' and the usefulness of such data.
If you broadcast your MAC address then don't complain if others use it to assist in navigation. If you don't want anyone to know switch the bloody wireless access point off!
To pre-emptly defend myself from the "it's my data brigade" I will tell you about the last time data useful for navigation was suppressed. During the war road signs, station signs and other useful labels were removed. The bright idea was to make life difficult for spies. The net result was chaos, as you can well imagine.
Foreign sounding gentleman "Excuse me, what station is this?"
Local person thinks 'bloody hell a whole carriage full of spies!"
Reality - a whole carriage full of French sailors (serving with the Royal Navy) wondering where the hell they are because they have to change trains at Crewe on the way to Liverpool to pick up a ship. (true story - one of the sailors was my dad)
Modern reality. GPS is great but it doesn't work in big cities with big tall buildings - where most of us live. WiFi identification data does work in pinpointing your location with a fair amount of precision.
Still not convinced? - OK so not only should you turn off your WiFi but cover up your street sign and very definitely remove the house number or name from your front door or front gate. That will show them!
adnim,
what authority would feel the need to go to all that trouble faffing around with MACs when they themselves surely already have access to a government database of houses and their residents?
You're not telling me that if you pay your taxes, and/or have bills on utilities such as electrics and gas to pay, that it already isn't much easier to find out the name of who lives somewhere?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
