Hidden SSID broadcast

[paul]

How do you automatically turn off your WiFi broadcast when away from home?

It's well known setting your home router ap to a hidden SSID doesn't aid in
security but where it helps is by not broadcasting the SSID most foreign
Android phones won't upload your SSID, BSSID, GPS and Signal Strength to
Google servers (regardless of whether or not you added_nomap at the end of
all your access point SSIDs as keyword filtering is not done on those
foreign Android phones).

It's just as well known that setting your own phone to that hidden SSID will
generally cause your own phone to continually broadcast that SSID in an
attempt to connect with the hidden SSID that it knows about.

It's also well known that it's advantageous to security to have a unique
SSID (coupled with a non-dictionary passphrase) such that your hash won't
(hopefully) be found in butterfly hash tables available throughout the net.

It's a catch-22 that you can't win but you can perhaps ameliorate somehow.
1... If you don't hide your SSID it gets uploaded to Google servers
2... If you hide your SSID it gets broadcast by your phone looking for it

How do you ameliorate that second problem of your own phone seeking it?
(assuming you hide it to keep your SSID from being uploaded to Google)

Is there an app which will turn off the WiFi based on no connection to
the AP SSID for a given period of time (perhaps for a quarter of an hour)?

[VanguardLH]

paul <nos...@nospam.invalid> wrote:

> How do you automatically turn off your WiFi broadcast when away from
> home?

https://play.google.com/store/apps/details?id=de.j4velin.wifiAutoOff&hl=en_US&gl=US

There are apps that will toggle wifi on/off based on your phone's
connection with a particular cell tower, its GPS location, time of day,
and so on.

The numbers nailed to your house do not affect your security or privacy
whether you are home or not. An SSID is just a string of characters,
but often are memorable to the owner of the wifi router, like to show
the SSIDs are for their wifi router, and which one is for 2.4 GHz and
5.0 GHz bands. You don't operate an open (non-passworded) wifi router,
do you? Even with a phone scanning for and reporting what SSIDs it
found within its range, that won't provide access to those that are
locked (passworded). Do you use short and weak wifi passkeys?

In addition, devices that connect to your router are still going to
present their MAC address. So, configure your wifi router to accept
connects only from MAC addresses for *your* devices. Change MAC
filtering mode from Allow-All to Allow, and specify the MAC addresses
you allow connects to your router.

Presumably you already disabled WAN-side remote access to your router,
and changed the login password to something other than the default, like
a long strong password.

Don't know which phone you use. Mine doesn't broadcast any SSIDs that
it found before nor those that are configured for auto-reconnect. My
phone scans for SSIDs, not broadcast them. The only reason I attempt to
use unique SSIDs for the 2.4 and 5.0 bands of my wifi router is so that
*I* recognize they are for my router. My phone sees all the SSIDs in
the nearby neighborhood homes. I don't know their passkeys nor would I
be in the MAC filtering lists.

Uploading of your SSID would be worthless. Whoever got it, like Google,
won't be within range of connecting to that SSID. Only those driving
around your home will find your SSID *and* could possible use your wifi
router if you didn't specify a long strong passkey *and* you allowed
every MAC to connect to your wifi router.

Unclear if your concern is about an attack vector through your router,
or if you are worried about someone tracking your location under the 100
meter range of wifi by your phone by looking for your home's SSID and
the phone announcing its MAC address. Security and privacy are separate
issues. Do you lie to everyone that walks up to you to ask your name?

To eliminate someone from tailing you by keeping close enough to monitor
your phone's wifi transmission means you have some nefarious reason for
not wanting someone to know where you are. So, change your home
router's SSID to some random character string that has nothing to
identify you, and change its SSID everytime you leave home. There are
costs to hiding and being paranoid.

Of course, if you are that paranoid or nefarious and want to eliminate
anyone trailing you, just turn off wifi on your phone. Also of course,
you better configure your phone to NOT auto-reconnect to previously
found wifi hotspots when your wifi is on, because scammers can use SSIDs
of anyplace, like the Starbucks you visited before whos SSID is all of
"starbucks". As for tracking your without having someone trail you
physically by monitoring your wifi broadcasts, a gov't would have deep
enough pockets to place thousands of "snoopy" devices that are within
wifi range of each other to catch your phone's wifi transmissions,
report what they caught in their range back to a database, and track you
as you move around with your phone ... *if* you leave wifi on even when
you have no intent of connecting to any hotspot while travelling.

https://www.youtube.com/watch?v=GvrB6S_O0BE
(dated 2014)

All about tracking you using wifi (and MAC) on your cell phone, not
about invading your home network through your router.

[nospam]

In article <rdqan0ywusvw$.dlg@v.nguard.lh>, VanguardLH <V...@nguard.LH>
wrote:

> paul <nos...@nospam.invalid> wrote:
> > How do you automatically turn off your WiFi broadcast when away from
> > home?
>
>
> https://play.google.com/store/apps/details?id=de.j4velin.wifiAutoOff&hl=en_US&
> gl=US
>
> There are apps that will toggle wifi on/off based on your phone's
> connection with a particular cell tower, its GPS location, time of day,
> and so on.

he wants to switch off his home base station when away, not the phone.

mac address filtering is a waste of time since mac addresses are easily
spoofed.

> Presumably you already disabled WAN-side remote access to your router,
> and changed the login password to something other than the default, like
> a long strong password.
>
> Don't know which phone you use. Mine doesn't broadcast any SSIDs that
> it found before nor those that are configured for auto-reconnect.

yes it does. that's how auto-reconnect works.

it's possible to capture those broadcasts and many times, identify
someone based on what wifi networks they've previously used.

> My
> phone scans for SSIDs, not broadcast them. The only reason I attempt to
> use unique SSIDs for the 2.4 and 5.0 bands of my wifi router is so that
> *I* recognize they are for my router. My phone sees all the SSIDs in
> the nearby neighborhood homes. I don't know their passkeys nor would I
> be in the MAC filtering lists.

both 2.4 & 5 ghz should use the same ssid so the phone can switch
between them automatically as needed, and your neighbors are likely not
using mac filtering.

> Uploading of your SSID would be worthless. Whoever got it, like Google,
> won't be within range of connecting to that SSID. Only those driving
> around your home will find your SSID *and* could possible use your wifi
> router if you didn't specify a long strong passkey *and* you allowed
> every MAC to connect to your wifi router.

false. there are several well known databases of ssids with their gps
coordinates, which is how wifi geolocation works.

> Unclear if your concern is about an attack vector through your router,
> or if you are worried about someone tracking your location under the 100
> meter range of wifi by your phone by looking for your home's SSID and
> the phone announcing its MAC address. Security and privacy are separate
> issues. Do you lie to everyone that walks up to you to ask your name?

he keeps changing his name on usenet, so he probably does that in real
life too.

> To eliminate someone from tailing you by keeping close enough to monitor
> your phone's wifi transmission means you have some nefarious reason for
> not wanting someone to know where you are. So, change your home
> router's SSID to some random character string that has nothing to
> identify you, and change its SSID everytime you leave home. There are
> costs to hiding and being paranoid.

that will just add additional entries to the database.

> Of course, if you are that paranoid or nefarious and want to eliminate
> anyone trailing you, just turn off wifi on your phone.

that's not his concern, at least in this post.

> Also of course,
> you better configure your phone to NOT auto-reconnect to previously
> found wifi hotspots when your wifi is on, because scammers can use SSIDs
> of anyplace, like the Starbucks you visited before whos SSID is all of
> "starbucks".

and does so by broadcasting ssids

> As for tracking your without having someone trail you
> physically by monitoring your wifi broadcasts, a gov't would have deep
> enough pockets to place thousands of "snoopy" devices that are within
> wifi range of each other to catch your phone's wifi transmissions,
> report what they caught in their range back to a database, and track you
> as you move around with your phone ... *if* you leave wifi on even when
> you have no intent of connecting to any hotspot while travelling.

or they could use the existing cellular network, who will gladly hand
over someone's location data for little to no cost, and someone doesn't
need to be government to obtain it either.

[Andy Burns]

paul wrote:

> Is there an app which will turn off the WiFi based on no connection to
> the AP SSID for a given period of time (perhaps for a quarter of an hour)?

I should imagine Tasker could do it ...

[paul]

VanguardLH wrote on 10.05.2021 22:51

>> How do you automatically turn off your WiFi broadcast when away from
>> home?
>
> https://play.google.com/store/apps/details?id=de.j4velin.wifiAutoOff
>

> There are apps that will toggle wifi on/off based on your phone's
> connection with a particular cell tower, its GPS location, time of day,
> and so on.

Thanks for that j4velin WiFiAutoOff app as it seems to do what I want which
is turn off the phone's WiFi when I leave the house (so that the phone
doesn't constantly shout out that it's looking for my unique hidden SSID).
https://play.google.com/store/apps/details?id=de.j4velin.wifiAutoOf

There seemed to be a similar app I saw next to it of the name AutoWifi
https://play.google.com/store/apps/details?id=tech.edie.autowifi
But that kicked off a Google Play Protect warning so I didn't install it.
"Blocked by Play Protect... AutoWiFI... This app may be harmful"

While I was looking at that app I also saw this one which is different:
https://play.google.com/store/apps/details?id=com.alivezoned.autowifi
(It turns off the wifi when the screen blanks out - or based on a data
limit, or time limit configurable by the user.)

There were also apps that turned off the wifi on a schedule such as
https://play.google.com/store/apps/details?id=com.vlab.tools.wifiauto

I think the best idea is for the WiFi to be turned off when a given cellular
tower is no longer visible as that wouldn't require the GPS always to be on.

>> Is there an app which will turn off the WiFi based on no connection to
>> the AP SSID for a given period of time (perhaps for a quarter of an hour)?
>
> The numbers nailed to your house do not affect your security or privacy
> whether you are home or not. An SSID is just a string of characters,
> but often are memorable to the owner of the wifi router, like to show
> the SSIDs are for their wifi router, and which one is for 2.4 GHz and
> 5.0 GHz bands.

I appreciate the further details about what an SSID is but the unique part
is the BSSID and the location itself of your home which is part of the data
that is uploaded by almost every Android phone to many public servers (not
just Google servers).

Control access point inclusion in Google's Location services
https://support.google.com/maps/answer/1725632

The AP BSSID is unique as are your GPS coordinates, both of which are
uploaded by most Android phones to Mozilla, Google, Wigle, Kismet,
& other servers if you broadcast your SSID. https://wigle.net/
https://play.google.com/store/apps/details?id=net.wigle.wigleandroid
https://play.google.com/store/apps/details?id=org.prowl.wifiscanner

> You don't operate an open (non-passworded) wifi router, do you?

The AP is passphrase protected. WPA2-PSK. Standard stuff.

> Even with a phone scanning for and reporting what SSIDs it
> found within its range, that won't provide access to those that are
> locked (passworded). Do you use short and weak wifi passkeys?

Long and unique (as much as I can make them long & unique anyway).

> In addition, devices that connect to your router are still going to
> present their MAC address. So, configure your wifi router to accept
> connects only from MAC addresses for *your* devices. Change MAC
> filtering mode from Allow-All to Allow, and specify the MAC addresses
> you allow connects to your router.

I'm not trying to prevent access to my home router by others because hiding
the broadcast doesn't really hide it from anyone determined to connect.
https://www.accessagility.com/blog/why-ssid-hiding-is-not-secure

I hide my SSID broadcast because I'm trying to stop people from uploading my
BSSID & GPS coordinates to Wigle, Google, Mozilla and other public servers.
https://www.zdnet.com/article/how-google-and-everyone-else-gets-wi-fi-location-data/

Even adding _nomap does NOT stop that from happening (Google says they'll
delete it but there are more public servers than just Google out there).
https://www.tomshardware.com/news/Google-Maps-Wi-Fi-Location-SSID,14000.html

> Presumably you already disabled WAN-side remote access to your router,
> and changed the login password to something other than the default, like
> a long strong password.

I can't make the router admin password longer than 8 characters though.
At least not on my router I can't.
It will accept a longer password but it stops checking at 8 characters.

> Don't know which phone you use. Mine doesn't broadcast any SSIDs that
> it found before nor those that are configured for auto-reconnect.

AFAIK, all phones with WiFi do this query for "hidden" SSIDs AFAIK (at least
if you don't want to type in the long SSID every time you connect).

So do all Windows PCs.
It's how WiFi works when your SSID broadcast from the AP is disabled.

> My phone scans for SSIDs, not broadcast them.

If you connected to a hidden SSID (that was set to be remembered) then the
phone would have to ask "are you there" which is a different kind of
broadcast. https://www.alphr.com/should-broadcast-wifi-ssid/

You don't do this for security; you do it for privacy.
And even then it's a catch 22 (as I mentioned in the opening post).
https://apple.stackexchange.com/questions/244171/ios-10-warning-using-a-hidden-network-can-expose-personally-identifiable-inform

> The only reason I attempt to
> use unique SSIDs for the 2.4 and 5.0 bands of my wifi router is so that
> *I* recognize they are for my router.

A unique AP SSID helps keep you out of public butterfly hash tables.
https://www.ethicalhackx.com/wpa-psk-rainbow-tables-download/

The idiots who designed WPA-PSK screwed up the salting process by making it
based on the SSID itself.
https://www.tomshardware.com/reviews/wireless-security-hack,2981-5.html

> My phone sees all the SSIDs in the nearby neighborhood homes.

No it doesn't. Not by default anyway.

Your Android phone doesn't normally display the hidden AP SSIDs by default
(although there are plenty of 3rd party Android WiFi utilities which will
show the BSSID & signal strength for those hidden AP SSIDs).
https://play.google.com/store/apps/details?id=de.teamusec.ssidsnooper

> I don't know their passkeys nor would I be in the MAC filtering lists.

You could hack into WPA2-PSK if you knew how to use the butterfly hash
tables which are published on the net.

> Uploading of your SSID would be worthless. Whoever got it, like Google,
> won't be within range of connecting to that SSID.

It's a public database. Just like Wigle and Mozilla and God knows how many
others are out there. Do you trust all of them?

And why should they have your AP SSID/BSSID/GPS/SignalStrength anyway in a
public database without your express consent?

The only way to stop it is to hide the AP SSID broadcast as there is no
filtering on the phones that prevents your AP SSID from being uploaded even
if it ends with _nomap.

> Only those driving
> around your home will find your SSID *and* could possible use your wifi
> router if you didn't specify a long strong passkey *and* you allowed
> every MAC to connect to your wifi router.

You don't do it for security; you do it for privacy.
On principle alone if for no other reason.

Why should your AP SSID be in a public database on the Internet without
anyone ever asking for your permission to do that?

> Unclear if your concern is about an attack vector through your router,
> or if you are worried about someone tracking your location under the 100
> meter range of wifi by your phone by looking for your home's SSID and
> the phone announcing its MAC address.

It's a privacy issue on principle.
Why should your AP SSID be in a public database when nobody asked for your
permission to put it there?

BTW, you can also be tracked but let's not go there because most people
don't understand how these public lookups work and I don't feel like
explaining it because being tracked isn't my concern for this purpose.
https://developers.google.com/maps/documentation/geolocation/overview

Just know that it can be done (and if you want to argue about it, look it up
first because it can be done - but you have to know some bits of data about
the phone to do it).

> To eliminate someone from tailing you by keeping close enough to monitor
> your phone's wifi transmission means you have some nefarious reason for
> not wanting someone to know where you are.

You don't have any idea how these public databases can be abused to track
someone but that's not my main issue so when you educate yourself on how
they can be abused then tell me about tracking. (I don't want to go there.)

> So, change your home
> router's SSID to some random character string that has nothing to
> identify you, and change its SSID everytime you leave home. There are
> costs to hiding and being paranoid.

Of course there are costs to privacy.
Nobody said there wasn't.

And changing your SSID every time you leave home is more work than just
automatically shutting off the WiFi on the phone every time you leave home.

> Of course, if you are that paranoid or nefarious and want to eliminate
> anyone trailing you, just turn off wifi on your phone.

Of course. And bluetooth. And NFC. And probably a whole host of other
radios. But that wasn't the purpose nor intent.

> Also of course,
> you better configure your phone to NOT auto-reconnect to previously
> found wifi hotspots when your wifi is on, because scammers can use SSIDs
> of anyplace, like the Starbucks you visited before whos SSID is all of
> "starbucks".

Yup. The phone usually defaults to remembering all the WiFi connections
you've had in the past (but this can be changed).

> As for tracking your without having someone trail you
> physically by monitoring your wifi broadcasts, a gov't would have deep
> enough pockets to place thousands of "snoopy" devices that are within
> wifi range of each other to catch your phone's wifi transmissions,
> report what they caught in their range back to a database, and track you
> as you move around with your phone ... *if* you leave wifi on even when
> you have no intent of connecting to any hotspot while travelling.

Tracking is easier than that.
You need to educate yourself on how you can be tracked by the information in
these public databases. Google tries to limit the amount of abuse by
requiring a key and a limited number of queries - but under some
circumstances you _can_ be tracked quite easily from afar.

That is someone in Russia (for just an example) can track you in the United
States if they know a bit of data about you and your phone (technically
they're tracking your phone). Again you need to educate yourself because you
don't know this is possible and I'm not saying it's likely nor am I saying
that it's what I'm worried about - but you can't go on saying people can't
track you when they can (under certain circumstances) using this database.
https://developers.google.com/maps/documentation/geolocation/overview

Again, I'm not saying that is what I'm trying to prevent (because it's not).
I'm just saying it's possible under certain circumstances to track you.

> https://www.youtube.com/watch?v=GvrB6S_O0BE
> (dated 2014)

The Machines That Betrayed Their Masters by Glenn Wilkinson
https://www.youtube.com/watch?v=GvrB6S_O0BE

I'll watch that hour long presentation soon.

> All about tracking you using wifi (and MAC) on your cell phone, not
> about invading your home network through your router.

The only thing I'm trying to do is not have people upload my MAC address and
SSID and GPS location to public servers on the Internet.

There is no reason for my data to be on the Internet without people asking
my permission but I can't stop their phone from uploading this information
unless I turn off the SSID broadcast (it doesn't matter that _nomap is in
the SSID for this purpose).

Also it helps to keep the SSID out of the hash tables (but like all
security, it can be defeated too).

Thanks for the suggestion of the j4velin wifiAutoOf app.
It's installed and I will be testing it soon.

[paul]

Andy Burns wrote on 11.05.2021 08:55

>> Is there an app which will turn off the WiFi based on no connection to
>> the AP SSID for a given period of time (perhaps for a quarter of an hour)?
>
> I should imagine Tasker could do it ...

I hadn't thought of that but it's a great idea since other people have!
https://tasker.joaoapps.com/userguide/en/loctears.html

An advantage of using cell towers is that GPS doesn't need to be on
(although in later Android that might not always be the case anymore).

2011 Android – Turn WIFI On and Off Automatically with Tasker
https://photoframd.com/2011/03/09/android-turn-wifi-on-and-off-automatically-with-tasker/

2012 [Tasker] setting up a 'Wifi At Home' profile
https://androidforums.com/threads/tasker-setting-up-a-wifi-at-home-profile.481604/

2013 Tasker (4.0u1m) Turn off unconnected Wifi
https://forum.xda-developers.com/t/tasker-4-0u1m-turn-off-unconnected-wifi.2237645/

2014 HOW TO: Automate Wifi with Tasker (Android)
https://techaeris.com/2014/07/08/how-to-automate-wifi-with-tasker-android/

2018 Automatically Toggle WiFi based on Location without GPS (via Tasker)
https://101android.com/automatically-toggle-wifi-based-on-location-without-gps-tasker/

2020 Managing Android Wifi with Tasker
https://pig-monkey.com/2020/12/tasker-wifi/

The smart network switch may also be of use perhaps?

How to Enable / Disable Smart Network Switch on Android
https://appuals.com/enable-disable-smart-network-switch-android/

But some people apparently hate that Samsung smart network switch

How to Disable Samsung's Smart Network Switch
https://www.howtogeek.com/256663/how-to-disable-samsungs-smart-network-switch-to-avoid-too-much-data-usage/

[nospam]

In article <s7dbr6$53f$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> Why should your AP SSID be in a public database on the Internet without
> anyone ever asking for your permission to do that?

they don't need your permission.

you are broadcasting into public airspace.

> You need to educate yourself on how you can be tracked by the information in
> these public databases. Google tries to limit the amount of abuse by
> requiring a key and a limited number of queries - but under some
> circumstances you _can_ be tracked quite easily from afar.

*you* need to educate yourself on how it works because what you said is
false.

> That is someone in Russia (for just an example) can track you in the United
> States if they know a bit of data about you and your phone (technically
> they're tracking your phone). Again you need to educate yourself because you
> don't know this is possible and I'm not saying it's likely nor am I saying
> that it's what I'm worried about - but you can't go on saying people can't
> track you when they can (under certain circumstances) using this database.
> https://developers.google.com/maps/documentation/geolocation/overview

no.

> Again, I'm not saying that is what I'm trying to prevent (because it's not).
> I'm just saying it's possible under certain circumstances to track you.

it isn't.

> The only thing I'm trying to do is not have people upload my MAC address and
> SSID and GPS location to public servers on the Internet.

the only way to prevent that is by turning your home wifi completely
off.

it's also pointless since it's not in any way nefarious.

[paul]

nospam wrote on 11.05.2021 14:36

>> Why should your AP SSID be in a public database on the Internet without
>> anyone ever asking for your permission to do that?
>
> they don't need your permission.
> you are broadcasting into public airspace.

I'm only answering your unhelpful comments because the details I bothered
to add below (details which you never add because you don't intend on being
helpful) may help others understand that which you are incapable of.

People driving by your house don't need your permission to post your
children's pictures & phone numbers & email addresses on the Internet either
but it is also similarly rude if and when people do that too.

*Once it's on the Internet the potential for abuse increases dramatically.*
"From an intelligence perspective, once I put a name to a MAC address,
I can cross reference logs from many places and track you in any places
that I can listen - and you will never know. I can drive past your house,
listen for any probe requests and log those. If I see your MAC address
anywhere else, I know exactly where you live as well as the data about
what you do while in my buildings."
https://www.crc.id.au/tracking-people-via-wifi-even-when-not-connected/
"Thankfully, the solution to stop this tracking is simple. Turn off WiFi
and Bluetooth unless you are actually using it. Not only will it give
you a longer battery life for your phone, laptop or tablet device
you literally disappear from the radar."

Even without privacy being the goal it's still a useful question of how to
automatically control WiFi even if for no other reason than battery savings.
https://apple.stackexchange.com/questions/244171/ios-10-warning-using-a-hidden-network-can-expose-personally-identifiable-inform
"Now as to why this is a privacy issue:
1... Should I point out the irony of broadcasting an SSID in the direct
vicinity of the access point trying to hide it? Except instead of only
having the AP broadcasting it, every client in range does.
Then the AP responds to each of those clients with the SSID anyway.

2... Instead of limiting SSIDs to the vicinity of their respective APs
(like in the case of visible networks), your phone goes and broadcasts
those hidden SSIDs to everyone near you, everywhere you go.
Worse, SSIDs may include first and/or last names, which I've seen
people use in network names.

3... Your set of preferred hidden SSIDs acts as a signature that may
uniquely identify you. Let's say for instance that my neighbor uses
the hidden SSID My Secret SSID. Now if I sniff a broadcast beacon
containing My Secret SSID at Starbucks, I can infer that a member
of his household is nearby, or one of his guests. Based on the other
hidden SSIDs among that person's broadcast beacons, I may be able to
determine exactly who I'm dealing with. Conversely, I could walk up to
that person, recognize them, then assign a face to their unique set
of hidden SSIDs.

4... Let's say you carry your phone with you everywhere you go.
Someone with a large-enough network of radio receivers could know where
you are at any given time, figure out where you work, where you spend
your time, whether you're home, etc."

Even so the question is only asking how to automatically turn off WiFI
when you leave the house. It's a simple question but may have many answers.

Everyone but you focused on answering the question where I'm testing the
proposed solutions and I will report back when those tests are completed.

https://play.google.com/store/apps/details?id=de.j4velin.wifiAutoOff
https://play.google.com/store/apps/details?id=tech.edie.autowifi
https://play.google.com/store/apps/details?id=com.alivezoned.autowifi
https://play.google.com/store/apps/details?id=com.vlab.tools.wifiauto
https://play.google.com/store/apps/details?id=net.dinglisch.android.taskerm
https://www.gizmochina.com/2019/11/12/best-android-apps-to-automate-tasks/

[paul]

nospam wrote on 11.05.2021 06:50

> mac address filtering is a waste of time since mac addresses are easily
> spoofed.

You're infamous for making unsubstantiated statements like that but let's
assume for once you actually know what you're talking about - shall we?

Tell us how we can "easily spoof" a home router's AP broadcast MAC address.

Tell us.
Please.

The unfortunate fact is that this is actually extremely difficult to do.
(at least I don't know how to do it so if you do - tell us how - please)

If you feel an AP broadcast BSSID is so easily spoofed on our home routers
(Netgear, Cisco, TPLink, etc.) then please just tell us all how to do it.

I for one would _love_ to be able to spoof my router's AP broadcast BSSID.

[nospam]

In article <s7e5ev$tb2$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

>
> > mac address filtering is a waste of time since mac addresses are easily
> > spoofed.
>
> You're infamous for making unsubstantiated statements like that but let's
> assume for once you actually know what you're talking about - shall we?

if you insist.

> Tell us how we can "easily spoof" a home router's AP broadcast MAC address.

that's not what's being spoofed.

what's being spoofed is the mac address of the *client* *device* to a
mac address that is in the base station's allowed list, thereby gaining
access when it otherwise would be blocked due to mac address filtering.

spoofing mac addresses is trivial, which means bypassing mac address
filter is also trivial.

the best way to lock down a wifi base station is use an impossible to
guess passphrase, or better yet, use radius authentication, which is
overkill for a home network but nevertheless an option.

it's possible to spoof the bssid of a base station, depending on which
one, but that is entirely pointless.

> The unfortunate fact is that this is actually extremely difficult to do.
> (at least I don't know how to do it so if you do - tell us how - please)

you don't know how to do a lot of things.

that doesn't mean they're difficult, it just means you don't know how.

[paul]

nospam wrote on 11.05.2021 10:52

>> Tell us how we can "easily spoof" a home router's AP broadcast MAC address.
>
> that's not what's being spoofed.

I knew you couldn't spoof the one MAC address that this thread is all about.

> spoofing mac addresses is trivial, which means bypassing mac address
> filter is also trivial.

Spoofing "some" MAC addresses is indeed trivial but spoofing the one AP
broadcast BSSID that is clearly the main subject of this thread is decidedly
not even close to trivial on most of our typical common home routers.

>> The unfortunate fact is that this is actually extremely difficult to do.
>> (at least I don't know how to do it so if you do - tell us how - please)
>
> you don't know how to do a lot of things.
> that doesn't mean they're difficult, it just means you don't know how.

I'm different than you are in that I readily admit I don't know how to
change the MAC address of the AP broadcast (which is why I hide it instead).

I don't know of ANYONE (certainly not you!) who knows how to "easily spoof"
the one AP broadcast BSSID that matters for the purpose of this thread.

If that person exists - then I'd be grateful if they could show us how.

[nospam]

In article <s7efnm$2uh$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> > spoofing mac addresses is trivial, which means bypassing mac address
> > filter is also trivial.
>
> Spoofing "some" MAC addresses is indeed trivial but spoofing the one AP
> broadcast BSSID that is clearly the main subject of this thread is decidedly
> not even close to trivial on most of our typical common home routers.

nope.

someone claimed that the various wifi networks in the neighborhood
would be using mac address filtering for security. that's extremely
rare, and if they did, it's trivial to bypass.

nothing was said about spoofing a bssid, which is both pointless and
stupid.

> >> The unfortunate fact is that this is actually extremely difficult to do.
> >> (at least I don't know how to do it so if you do - tell us how - please)
> >
> > you don't know how to do a lot of things.
> > that doesn't mean they're difficult, it just means you don't know how.
>
> I'm different than you are in that I readily admit I don't know how to
> change the MAC address of the AP broadcast (which is why I hide it instead).

hiding the ssid doesn't do what you might hope, i.e., it does nothing.

google, apple, microsoft, etc., who have wifi location databases don't
care whether the ssid is hidden or not.

anyone who wants to find out what the ssid actually is can easily do
so, although they do need to be nearby.

[Alan Baker]

On 2021-05-10 5:15 p.m., paul wrote:
> How do you automatically turn off your WiFi broadcast when away from home?
>

> It's well known...

..whereby "well known", you mean "I read in some blog somewhere".

Carry on.

[kelown]

> Spoofing "some" MAC addresses is indeed trivial but spoofing the one AP
> broadcast BSSID that is clearly the main subject of this thread is decidedly
> not even close to trivial on most of our typical common home routers.

The Kali Linux penetration tester will instantly display all nearby
SSIDs whether they're hidden or not.

[paul]

kelown wrote on 12.05.2021 03:05

Let's not lose sight of what the goal is - which is to NOT have Google,
Kismet, Wigle, Mozilla (etc) servers on the net get our home AP BSSIDs.

The problem is how best to do that - where one method is to hide broadcast.

Keep in mind even if you add "_nomap" to your AP broadcast SSID your unique
BSSID information is _still_ uploaded to those public servers by most phones
because the phones can still easily "see" the broadcast BSSID information.

However when you turn off the AP broadcast then it's my understanding most
phones will not automatically upload your AP unique BSSID & GPS location to
these public servers.

That solves one problem but in reality it morphs to another problem which is
that your phone is constantly broadcasting all the access points in its
history. On Android (but not on iOS) you can clear this history on a case by
case basis but then you have to set up the connection anew each time you
wish to reconnect.

Perhaps better to shut off Android Wi-Fi automatically when you leave home.
And then to automatically turn your phone's Wi-Fi back on when you return.

Whether or not you decide to broadcast your home router AP BSSID, as Glennn
at Sensepost said at time point 53:15 in the QA of that Blackhat Asia 2014
conference Vanguard kindly suggested said, you really have only two options.
https://youtu.be/GvrB6S_O0BE?t=3200
a. *Turn off your wifi when you're not at home* (with SSID broadcast or not)
b. Delete your network lists (but then your AP has to broadcast the SSID)
Android 11 Settings > Connections > longpress Wi-Fi > threedots >
Advanced > Manage networks > longpress on any network > delete

The whole point of this thread is to do exactly what Glenn at Sensepost said
to do but do to it automatically when you go out of range of your home AP.

Given GPS location is problematic it's likely best to turn off the Wi-Fi
automatically when out of range of the home cellular tower if possible.

Interestingly others also want to automatically turn the phone Wi-Fi off
when they leave the house & then turn back on when they return (usually
based on signal from a known local cellular tower as shown below).

*Using Tasker*
https://photoframd.com/2011/03/09/android-turn-wifi-on-and-off-automatically-with-tasker/

*Using IFTTT*
https://www.ghacks.net/2017/03/20/top-ifttt-recipes-improve-android/

*Using Llama*
https://www.howtogeek.com/142186/use-llama-to-automatically-change-your-android-phones-settings-based-on-your-location/

[paul]

nospam wrote on 11.05.2021 19:58

> someone claimed that the various wifi networks in the neighborhood
> would be using mac address filtering for security. that's extremely
> rare, and if they did, it's trivial to bypass.

Fair enough. Plenty of people think hiding the BSSID or MAC filtering is
good security but it's just like putting a towel over your belongings at the
beach - it just hides stuff from the people who wouldn't take it anyway.

Given that was the focus of your response to Vanguard, I apologize for
challenging you to show us how to change the AP broadcast BSSID which is
designed to be both unique & permanent (which is also why you don't want
your unique BSSID & GPS to be uploaded into a public database by almost
every phone that happens to pass by your house that is badly set up).

None of this is being done for security - it's being done for privacy.
And on principle.

It's not much different in principle than if people were snapping photos of
your kids playing outside and then their phones would be so badly configured
that they were automatically uploading those photos of your kids with your
GPS location to public databases that anyone anywhere in the world can
easily search on for whatever it is they wish to search for.

It's better (IMHO) for me to configure my home access point and my own
cellphone such that my unique SSID/BSSID/GPS/(+strength) isn't uploaded
by (almost) every (badly configured) phone that passes by my home.

At this point in time I have more potential free ad free Android solutions
than I need so I'm combing through the two fundamental ways of automatically
turning off Wi-Fi when you leave home and automatically turning that Wi-Fi
back on when returning home (using cellular towers most likely, not GPS).

*Dedicated free ad free Wi-Fi automation apps*
WiFi Automatic (de.j4velin.wifiAutoOff)
Wifi Auto (com.theanykey.wifiauto)
Wifi Auto (com.vlab.tools.wifiauto)
Auto-Wifi (com.alivezoned.autowifi)

*General purpose free ad free automation apps*
IFTTT (com.ifttt.ifttt)
Automate (com.llamalab.automate)

I'll test these out and report back when/if I am successful in setting up
cell tower based automation (sans GPS) to turn the phone WiFi off when
leaving home and to turn the phone WiFi back on when returning home.

[Joerg Lorenz]

Am 11.05.21 um 02:15 schrieb paul:

> How do you automatically turn off your WiFi broadcast when away from home?

This is completely unnecessary.
You proved already in other threads that you have no clue what
encryption really means.

[nospam]

In article <s7goep$2h4$2...@dont-email.me>, Joerg Lorenz <hugy...@gmx.ch>
wrote:

> Am 11.05.21 um 02:15 schrieb paul:
> > How do you automatically turn off your WiFi broadcast when away from home?
>
> This is completely unnecessary.

yep

> You proved already in other threads that you have no clue what
> encryption really means.
>

the last four words should be removed for a more accurate statement.

[Joerg Lorenz]

Am 11.05.21 um 06:50 schrieb nospam:

> he wants to switch off his home base station when away, not the phone.

For what purpose? He can easily stop that forever on the router.

> mac address filtering is a waste of time since mac addresses are easily
> spoofed.

SIC

> yes it does. that's how auto-reconnect works.
>
> it's possible to capture those broadcasts and many times, identify
> someone based on what wifi networks they've previously used.

So what?

> both 2.4 & 5 ghz should use the same ssid so the phone can switch
> between them automatically as needed, and your neighbors are likely not
> using mac filtering.

Modern routers let you chose whether you want switching or not.

> false. there are several well known databases of ssids with their gps
> coordinates, which is how wifi geolocation works.

Why should anyone want to prevent this?

> he keeps changing his name on usenet, so he probably does that in real
> life too.

He shares his e-mail with you dear. *ROTFLSTC*

> that will just add additional entries to the database.

SIC

> or they could use the existing cellular network, who will gladly hand
> over someone's location data for little to no cost, and someone doesn't
> need to be government to obtain it either.

It unclear what this person called "paul" who is probably Arlen Holder
alias Ragnussen alias I don't know wants to achieve or ask.

[nospam]

In article <s7gpgo$r47$1...@dont-email.me>, Joerg Lorenz <hugy...@gmx.ch>
wrote:

> > he wants to switch off his home base station when away, not the phone.
>
> For what purpose? He can easily stop that forever on the router.

his stated goal is to prevent his wifi network from being included in
various databases, and the only way to do that is by switching it off.

> > mac address filtering is a waste of time since mac addresses are easily
> > spoofed.
>
> SIC
>
> > yes it does. that's how auto-reconnect works.
> >
> > it's possible to capture those broadcasts and many times, identify
> > someone based on what wifi networks they've previously used.
>
> So what?

it's possible to identify people based on their ssid broadcasts.

it's also paranoia.

> > both 2.4 & 5 ghz should use the same ssid so the phone can switch
> > between them automatically as needed, and your neighbors are likely not
> > using mac filtering.
>
> Modern routers let you chose whether you want switching or not.

it needs the same ssid to switch.

> > false. there are several well known databases of ssids with their gps
> > coordinates, which is how wifi geolocation works.
>
> Why should anyone want to prevent this?

they shouldn't.

such databases are extremely useful for geolocation without using gps.

> > he keeps changing his name on usenet, so he probably does that in real
> > life too.
>
> He shares his e-mail with you dear. *ROTFLSTC*

not a valid one.

> > that will just add additional entries to the database.
>
> SIC
>
> > or they could use the existing cellular network, who will gladly hand
> > over someone's location data for little to no cost, and someone doesn't
> > need to be government to obtain it either.
> It unclear what this person called "paul" who is probably Arlen Holder
> alias Ragnussen alias I don't know wants to achieve or ask.

it is indeed arlen, who has babbled about the very same thing.

[paul]

nospam wrote on 12.05.2021 19:18

> his stated goal is to prevent his wifi network from being included in
> various databases, and the only way to do that is by switching it off.

While that's an excellent summary I will characterize the principle as being
one and the same with all of us not wanting photos of our kids playing in
the front yard and their associated names & GPS coordinates being constantly
uploaded to who-knows-how-many public databases by (almost) every person who
drives by our house (with a badly configured cellphone in their pocket).

The goal is to add value to our capabilities (whereas for people like nospam
& Joerg - their goal is to waste everyone's time & energy it seems).

>>> it's possible to capture those broadcasts and many times, identify
>>> someone based on what wifi networks they've previously used.
>>
>> So what?
>
> it's possible to identify people based on their ssid broadcasts.
> it's also paranoia.

It's no more paranoid on principle than the example I provide of having
photos of your children with their names & GPS coordinates being uploaded.

> such databases are extremely useful for geolocation without using gps.

To be clear the goal is to prevent the _upload_ of the information given the
filtering (of _nomap) is not done on the phone (as far as any of us know).

The filtering is done back at the public Internet server for the reputable
servers (of which Google & Mozilla are known to be respecting the _nomap).

But who knows what filtering Kismet & Wigle & Apple & OpenBmap & OpenWifi
(and whatever other organizations who provide SSIDs to the public) perform.
https://www.mylnikov.org/archives/1170
https://www.skyhook.com/
https://wigle.net/
https://osintcurio.us/2019/01/15/tracking-all-the-wifi-things/
etc.

As far as anyone has ever stated in this thread, the easiest (and most
effective) way to stay out of all those databases is to hide the SSID.

I realize people like Joerg Lorenz don't have the mental capacity to
comprehend that goal, and I further realize people like nospam don't have
the intention to ever contribute meaningfully to any technical conversation,
but I'm appreciative of the others (like vanguard, kelown & Andy) who helped
me come up with workable solutions that will work for anyone on Android.

I've already tested all the wifi apps listed and all failed in some way or
another so I'm currently working on the Android automation apps.

The goal is to add value to our capabilities (whereas for people like nospam
& Joerg - their goal is to waste everyone's time & energy it seems).

Never once have either added on topic technical value to any topic.
They can't.

And they don't want to.
Because they don't care about anybody but themselves.

Meanwhile I'll keep working solutions to add to our combined capabilities.

[paul]

nospam wrote on 12.05.2021 16:35

Purposefully unhelpful people like Joerg & nospam always are of like mind.

Unfortunately it's often that both Joerg Lorenz & nospam prove incapable of
understanding even basic merits of the topic at hand in most conversations.

Worse - each proves - each time - they have no intention of being helpful.
Why?
Probably because they don't care about anyone but themselves (most likely).

What's sad isn't so much that Joerg is a moron but that nospam isn't.
Of all the supremely unhelpful people who post - nospam "can" help out.

*Nospam has technical capabilities such that he _can_ understand the topic!*
Joerg doesn't.

*It's clear Joerg is - in fact - an idiot - but nospam isn't an idiot.*

Nospam isn't well educated (which is easily shown by how he devolves into
childishness whenever confronted with facts he was completely unaware of)...

But nospam isn't stupid (while Joerg proves to be incomprehensively stupid).
Joerg can't add value to any technical topic but nospam (paradoxically) can.

Nospam understands what the question is asking (although at first he didn't
but that's my fault for not being clearer for him about the goal & problem).

The goal is to prevent _upload_ of our personal information (just as it
would be if people were uploading names & photos & GPS of our kids) to the
public database servers.

*Notice the goal is preventing the _upload_ of the personal data.*

Given the only known proposed solution is to turn off the router broadcast
of the SSID this presents a solvable technical problem for Android phones.

That technical problem is how to configure an Android phone such that it
doesn't shout out the same identifiable personal information away from home.

Only vanguard, kelown and Andy contributed to our overall combined knowledge
where I will write up a working solution once I have it more fully tested.

[nospam]

In article <s7h4me$kab$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

>
> > his stated goal is to prevent his wifi network from being included in
> > various databases, and the only way to do that is by switching it off.
>
> While that's an excellent summary I will characterize the principle as being
> one and the same with all of us not wanting photos of our kids playing in
> the front yard and their associated names & GPS coordinates being constantly
> uploaded to who-knows-how-many public databases by (almost) every person who
> drives by our house (with a badly configured cellphone in their pocket).

two totally different and unrelated things.

> >>> it's possible to capture those broadcasts and many times, identify
> >>> someone based on what wifi networks they've previously used.
> >>
> >> So what?
> >
> > it's possible to identify people based on their ssid broadcasts.
> > it's also paranoia.
>
> It's no more paranoid on principle than the example I provide of having
> photos of your children with their names & GPS coordinates being uploaded.

two totally different and unrelated things, plus your example
demonstrates even more paranoia.

> > such databases are extremely useful for geolocation without using gps.
>
> To be clear the goal is to prevent the _upload_ of the information given the
> filtering (of _nomap) is not done on the phone (as far as any of us know).

you can't, other than shutting off the wifi base station.

you are broadcasting a signal into public airspace. anyone can legally
detect its presence and do whatever they want with that information.

what's not legal is cracking the passcode to gain access without
authorization, which isn't what any of the databases are doing.

>
> As far as anyone has ever stated in this thread, the easiest (and most
> effective) way to stay out of all those databases is to hide the SSID.

that does absolutely nothing and anyone who said it would is wrong.

[nospam]

In article <s7h5pa$150f$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> That technical problem is how to configure an Android phone such that it
> doesn't shout out the same identifiable personal information away from home.

broadcasting ssids is not 'identifiable personal information' unless
one or more of your ssids contains such information.

[paul]

nospam wrote on 12.05.2021 16:19

>> While that's an excellent summary I will characterize the principle as being
>> one and the same with all of us not wanting photos of our kids playing in
>> the front yard and their associated names & GPS coordinates being constantly
>> uploaded to who-knows-how-many public databases by (almost) every person who
>> drives by our house (with a badly configured cellphone in their pocket).
>
> two totally different and unrelated things.

How is it different in that in both cases your unique names and location
information is uploaded to public Internet databases by phones
(whose _only_ relationship to you is they drove past your house).

>> It's no more paranoid on principle than the example I provide of having
>> photos of your children with their names & GPS coordinates being uploaded.
>
> two totally different and unrelated things, plus your example
> demonstrates even more paranoia.

It's rude.

You don't put a sign outside your house saying "*It's rude to take pictures*
*of my kids & to then upload their unique names & GPS location to the net*"
(just because you happened to drive by my house when the kids were playing).

It's exactly the same in principle.

>>> such databases are extremely useful for geolocation without using gps.
>>
>> To be clear the goal is to prevent the _upload_ of the information given the
>> filtering (of _nomap) is not done on the phone (as far as any of us know).
>
> you can't, other than shutting off the wifi base station.

There are two values of "you can't" which even you should be well aware of.

The first is that most Android phones are configured by default not to.
The second is that anyone can configure their phone to upload hidden SSIDs.

So you can. At least for the normal person you can. (Which is most people.)

>
> you are broadcasting a signal into public airspace. anyone can legally
> detect its presence and do whatever they want with that information.

Android (at least) but I'm not sure about how iPhones do it) is at least
configured to respect the "sign" you have outside your AP saying essentially
*"It's rude to take snapshots of my Wi-Fi & to then upload their unique*
*names & GPS location to the net*" (just because you happened to drive by my
house when the APs were playing).

>
> what's not legal is cracking the passcode to gain access without
> authorization, which isn't what any of the databases are doing.

And yet even you have enough intelligence to comprehend those public
databases facilitate doing exactly what you say they're not doing.

If your SSID is sufficiently rare (or even unique) that rare/unique
information is then more easily found and hence more easily automatically
added to butterfly hash tables whose exitence - in and of itself -
facilitates that illegal cracking into your network you speak of.

>
>>
>> As far as anyone has ever stated in this thread, the easiest (and most
>> effective) way to stay out of all those databases is to hide the SSID.
>
> that does absolutely nothing and anyone who said it would is wrong.

Maybe that's what happens with iPhones but it doesn't happen on Android.

To be clear since you appear to be ignorant of the salient facts (as usual),
I'm well aware that disabling AP SSID broadcast doesn't stop Android owners
who are uploading hidden SSID information *on purpose* - but most people on
Android aren't adding software to sniff out & upload hidden AP SSID data.

If you have even a single cite that backs up your claim that most phones are
automatically uploading AP SSID information even when it's hidden under
default software circumstances (i.e., the owners didn't expressly load and
configure software to perform that task) - then back up your statement with
that cite.

Without a cite backing up your statement you have absolutely no credibility.

[paul]

nospam wrote on 12.05.2021 23:19

>> That technical problem is how to configure an Android phone such that it
>> doesn't shout out the same identifiable personal information away from home.
>
> broadcasting ssids is not 'identifiable personal information' unless
> one or more of your ssids contains such information.

They work off of BSSIDs which are essentially unique and pegged to your
geolocation once they're uploaded to a public Internet database.

The BSSID is like a Social Security Number for your children.

*People who have no relationship to you other than they happened to pass*
*your home are automatically uploading essentially the equivalent of the*
*identifying common names of your children along with unique SSN of your*
*children along with the exact geolocation they were found playing outside*
*in your front yard.*

I don't know if iPhones do the same - but that's rude of Android phones.

[Eli the Bearded]

In comp.mobile.android, paul <nos...@nospam.invalid> wrote:
> nospam wrote on 11.05.2021 06:50
>> mac address filtering is a waste of time since mac addresses are easily
>> spoofed.

MAC addresses being easily spoofed does not make MAC address filtering a
"waste of time", just a small incremental improvement over not
filtering.

> You're infamous for making unsubstantiated statements like that but let's
> assume for once you actually know what you're talking about - shall we?
> Tell us how we can "easily spoof" a home router's AP broadcast MAC address.

I frequently find nospam's unsupported assertions irritating, but in
this case that's not the part of his assertion I'd question.

If you know the MAC address, telling your (linux/unix) device to use it
is as trivial as setting up a static IP instead of using DHCP. As for
finding AP MAC addresses, a simple "sudo iwlist $interface scan" will
get you that. Client MAC addresses? That's what Kismet is for.

This is Wardriving 101.

sudo iwlist wlp0s20f3 scanning | grep -E 'Cell .*Address|ESSID:'
Cell 01 - Address: 58:EF:68:37:[redacted]
ESSID:"Alfonso"
Cell 02 - Address: E0:CB:BC:33:[redacted]
ESSID:"Cartel de Medell\xC3\xADn"
Cell 03 - Address: EE:CB:BC:33:[redacted]
ESSID:"Noir Cartel"
Cell 04 - Address: A4:2B:8C:0A:[redacted]
ESSID:"krinky"
Cell 05 - Address: DE:CB:BC:33:[redacted]
ESSID:""
Cell 06 - Address: 6C:AE:F6:98:[redacted]
ESSID:""
Cell 07 - Address: 6C:AE:F6:98:[redacted]
ESSID:""
ESSID:"2c9a7c"
Cell 08 - Address: 50:6A:03:BA:[redacted]
ESSID:"NTGR_VMB_1406851534"
Cell 09 - Address: D2:40:D0:44:[redacted]
ESSID:"The Bar on [redacted]"
Cell 10 - Address: D2:40:D0:44:[redacted]
ESSID:"The Bar on [redacted]"
Cell 11 - Address: E0:CB:BC:B9:[redacted]
ESSID:"Cartel de Medell\xC3\xADn"
Cell 12 - Address: EE:CB:BC:B9:[redacted]
ESSID:"Noir Cartel"
Cell 13 - Address: DE:CB:BC:B9:[redacted]
ESSID:""
Cell 14 - Address: 5E:EF:68:37:[redacted]
ESSID:""
Cell 15 - Address: 3C:37:86:3D:[redacted]
ESSID:"[redacted]"
Cell 16 - Address: B0:E4:D5:30:[redacted]
ESSID:"Nomadic Lifestyle"
Cell 17 - Address: CC:F4:11:86:[redacted]
ESSID:"Nomadic Lifestyle"
Cell 18 - Address: 46:D9:E7:FA:[redacted]
ESSID:"CloudCity-Guest"
Cell 19 - Address: 56:D9:E7:FA:[redacted]
ESSID:"CloudCity-IoT"
Cell 20 - Address: 44:D9:E7:FA:[redacted]
ESSID:"CloudCity"
Cell 21 - Address: 58:EF:68:37:[redacted]
ESSID:"Alfonso"
Cell 22 - Address: 5E:EF:68:37:[redacted]
ESSID:""
Cell 23 - Address: 42:2B:50:A2:[redacted]
ESSID:"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
Cell 24 - Address: 58:EF:68:37:[redacted]
ESSID:"Alfonso"
Cell 25 - Address: 58:EF:68:37:[redacted]
ESSID:"Alfonso"
Cell 26 - Address: CC:40:D0:44:[redacted]
ESSID:"The Bar on [redacted]"
Cell 27 - Address: 40:2B:50:A2:[redacted]
ESSID:""
Cell 28 - Address: 46:2B:50:A2:[redacted]
ESSID:"ATT7eVq5Am"

Elijah
------
big city, big selection of networks

[paul]

Eli the Bearded wrote on 11.05.2021 20:22

> This is Wardriving 101.

We are discussing different points, all of which are valid - but different.

The claim nospam made about spoofing some MAC addresses being useless may or
may not be the case depending on how much effort someone wants to expend to
connect to your home network (assuming you added MAC filtering).

However, the point of this thread has nothing to do with someone trying to
connect to our networks - or to spoofing - or to do with MAC filtering.

The point of this thread is privacy - not security.

The specific goal of this thread is to keep our network SSID, BSSID, GPS and
Signal Strength from being automatically _uploaded_ to the public databases
by every badly configured phone that happens to pass by our homes.

It's no different in principle than keeping badly configured phones from
automatically uploading photos of our kids along with their names and unique
social security numbers in addition to the GPS location of where those
photos were taken.

The _only_ way to prevent badly configured phones from uploading this unique
information (as far as anyone reputable has said) is to disable broadcast.

However once you disable broadcast, the phone is constantly asking for that
network by name so you need to also prevent the phone from doing that.

From what I gathered in the video that Vanguard recommended, many phones
typically ask for all the networks they've previously been connected to,
and, according to that presentation, on iOS you can't stop that unless you
wipe out everything you've ever connected to - where at least on Android,
according to that video, you can selectively wipe out the networks you no
longer need to connect to.

In summary the presentation Vanguard suggested claimed that almost EVERYONE
has this problem on their phone, whether or not they choose to disable the
router's broadcasting of their SSID, which, if correct, means it's even more
important the solution to this problem set for everyone.

[Joerg Lorenz]

Am 12.05.21 um 23:19 schrieb nospam:

+1
It is an identifier like Blue, Red, Yellow or a numeration.

[nospam]

In article <eli$21051...@qaz.wtf>, Eli the Bearded

<*@eli.users.panix.com> wrote:

> >> mac address filtering is a waste of time since mac addresses are easily
> >> spoofed.
>
> MAC addresses being easily spoofed does not make MAC address filtering a
> "waste of time", just a small incremental improvement over not
> filtering.

it's a waste of time because it doesn't stop anyone intent on gaining
access from doing so. that 'small incremental improvement' might add a
few seconds to the attempt, but that's about it. it's insignificant.

what *does* stop people from accessing a network is using a complex
passphrase that isn't in any of the password dictionaries.

[nospam]

In article <s7hikt$qq2$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> > you are broadcasting a signal into public airspace. anyone can legally
> > detect its presence and do whatever they want with that information.
>
> Android (at least) but I'm not sure about how iPhones do it) is at least
> configured to respect the "sign" you have outside your AP saying essentially
> *"It's rude to take snapshots of my Wi-Fi & to then upload their unique*
> *names & GPS location to the net*" (just because you happened to drive by my
> house when the APs were playing).

_nomap is done serverside and there's nothing you can do on other
people's phones to stop it. the signal is in public space.

> > what's not legal is cracking the passcode to gain access without
> > authorization, which isn't what any of the databases are doing.
>
> And yet even you have enough intelligence to comprehend those public
> databases facilitate doing exactly what you say they're not doing.
>
> If your SSID is sufficiently rare (or even unique) that rare/unique
> information is then more easily found and hence more easily automatically
> added to butterfly hash tables whose exitence - in and of itself -
> facilitates that illegal cracking into your network you speak of.

nonsense.

> >> As far as anyone has ever stated in this thread, the easiest (and most
> >> effective) way to stay out of all those databases is to hide the SSID.
> >
> > that does absolutely nothing and anyone who said it would is wrong.
>
> Maybe that's what happens with iPhones but it doesn't happen on Android.

it has nothing to do with android or ios.

your wifi basestation broadcasts a signal into public space, hidden
ssid or not, and *any* device can pick it up.

[nospam]

In article <s7hivj$v06$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> >> That technical problem is how to configure an Android phone such that it
> >> doesn't shout out the same identifiable personal information away from
> >> home.
> >
> > broadcasting ssids is not 'identifiable personal information' unless
> > one or more of your ssids contains such information.
>
> They work off of BSSIDs which are essentially unique and pegged to your
> geolocation once they're uploaded to a public Internet database.
>
> The BSSID is like a Social Security Number for your children.

nonsense.

the bssid does not contain any personally identifiable information and
is not in any way like a social security number.

[paul]

Joerg Lorenz wrote on 13.05.2021 10:30

> It is an identifier like Blue, Red, Yellow or a numeration.

What's consistent is that the fools like nospam & Joerg always agree.
And yet they always disagree with the published experts in the field.

Clearly nospam and Joerg Lorenz are blissfully ignorant of what the Rhodes
Scholar pen tester Glenn Wilkinson said about Wi-Fi identification (which is
going on everywhere as he tested it around the world) in that hour long
video which VanguardLH had kindly referenced (and which I watched).

Black Hat "The Machines That Betrayed Their Masters by Glenn Wilkinson"
https://youtu.be/GvrB6S_O0BE?t=130

He pretty much identified a few dozen people by their WiFi activity only.

And that was way back in 2014 (and he has a shoestring budget using FOSS).
Can you imagine how much more Wi-Fi tracking there is now?
Or from well funded dragnet systems (which he discusses massively exist).

What Glenn Wilkinson suggested is to do EXACTLY what we're doing here!
He even said _all_ smartphone owners need do to exactly what we're doing.
--
Of course Joerg Lorenz knows more than that silly Rhodes Scholar does.

[paul]

nospam wrote on 13.05.2021 15:24

> what *does* stop people from accessing a network is using a complex
> passphrase that isn't in any of the password dictionaries.

In case people are trying to learn something from what nospam says he needs
to add that the SSID should _also_ not be something that is common either.

Because the SSID is the salt for the WPA2-PSK encryption algorithm most of
us are likely using on a typical home router, the SSID should be unique.

Google "rainbow butterfly hash table" before you dispute that suggestion.
https://epicsearch.in/search?pno=1&q=rainbow+table+butterfly+hash+table

[paul]

nospam wrote on 13.05.2021 15:24

> _nomap is done serverside and there's nothing you can do on other
> people's phones to stop it. the signal is in public space.

When he's caught bullshitting nospam then always drops into stating what
everyone knows & what everyone already knew before this thread was started.

*The whole point of this thread is that the SSID "_nomap" is too late.*

Preventing that upload is the entire focus of this thread _because_ the
"_nomap" is not done on the phone but on the public server people upload to.

The _only_ known way to prevent that upload on typical phones (ie those not
specifically configured to be wardrivers) is to disable AP SSID broadcast.

But your own phone still shouts out that hidden SSID everywhere it goes.
Which is why it matters to be able to auto turn that off away from home.

[Frank Slootweg]

Isn't that what 'Intelligent Wi-Fi' does/can_do?

AFAIK, 'Intelligent Wi-Fi' is a Samsung feature, but I assume that
other modern smartphones have a similar feature.

Samsung's 'Intelligent Wi-Fi' has a 'Turn on Wi-Fi automatically'
switch (on/off) which says:

"Turn on Wi-Fi automatically when you're in
places you use it frequently and turn it off
elsewhere."

When tapped, the setting lists the names/SSIDs of your frequently used
APs. They also have a 'pin', which when tapped show the location of the
AP on the map. (I don't know what is shown - if anything - if a SSID is
hidden.)

I assume that when not close to these APs, Wi-Fi is indeed turned off
and hence does *not* broadcasts your hidden SSID.

(Of course there's still Wi-Fi activity even if Wi-Fi is turned off,
but AFAIK, that's only listening, not broadcasting.)

[paul]

Frank Slootweg wrote on 13.05.2021 17:35

> Isn't that what 'Intelligent Wi-Fi' does/can_do?

Thank you for that suggestion of Samsung Inteligent Wi-Fi.
My phone is a Samsung on Android 11 so I will test out your suggestion.

Here's the first hit but it must be for an older Android version
because the menu selections are slightly different from mine.
https://r2.community.samsung.com/t5/Others/Samsung-Intelligent-Wi-Fi/td-p/2471560
Open the settings menu and go to connections
Select Wi-Fi
Tap on the Advanced link on the top right corner of the screen
Make sure the toggle next to Smart Network Switch/Adaptive Wi-Fi is set ON

Bear in mind I don't have my Samsung Android 11 phone set up with either
a Google or Samsung account and I keep Location turned off by default
and the Location "Improve accuracy" settings are all set to off
(ie both Wi-Fi and Bluetooth scanning are turned off) and each of my
Wi-Fi saved SSIDs are all set to _not_ "Auto reconnect" by default.

My Android 11 selections are slightly different but similar.
Settings > Connections > Wi-Fi > 3dots > Advanced > Intelligent Wi-Fi

In that Samsung "Intelligent Wi-Fi" section are four subsections.
*Switch to mobile data* = yes/no
(Use mobile data whenever your Wi-Fi Internet connection
is slow or unstable)
*Detect suspicious networks* = yes/no
(Get notified when suspicious activity is detected
on the current Wi-Fi network)
*Show network quality info* = yes/no
(Show network quality info in the list of available Wi-Fi networks.)

And...

*Turn on Wi-Fi automatically* = yes/no [which is grayed out]
(Turn on Location to use this feature).
But when I turned on Location the information above changed to:
Turn on Wi-Fi automatically = yes/no [but it was still grayed out]
(Turn on Wi-Fi scanning in Settings > Location >
Improve accuracy to use this feature)

Heading on over to "Settings > Location > Improve accuracy" I am
presented with two choices (both of which were initially off).

Wi-Fi scanning
(Let apps use Wi-Fi for more accurate location detection,
even when Wi-Fi is off.)
Bluetooth scanning
(Let apps use Bluetooth for more accurate location detection,
even when Bluetooth is off.)

After turning on only Wi-Fi scanning I headed back to Intelligent Wi-Fi.
Finally the "Tun on Wi-Fi automatically" option was no longer grayed out.

So now it's on (at the cost of Wi-Fi scanning also being turned on).

>
> AFAIK, 'Intelligent Wi-Fi' is a Samsung feature, but I assume that
> other modern smartphones have a similar feature.
>
> Samsung's 'Intelligent Wi-Fi' has a 'Turn on Wi-Fi automatically'
> switch (on/off) which says:
>
> "Turn on Wi-Fi automatically when you're in
> places you use it frequently and turn it off
> elsewhere."
>
> When tapped, the setting lists the names/SSIDs of your frequently used
> APs. They also have a 'pin', which when tapped show the location of the
> AP on the map. (I don't know what is shown - if anything - if a SSID is
> hidden.)

Subsequent to changing the settings as shown above, when I revisited the
Advanced connections settings and tapped on "Turn on Wi-Fi automatically",
it brought me to an almost empty page which didn't let _any_ Wi-Fi SSIDs.

Maybe it needs either a reboot or some time to work?
Or maybe it needs to figure out the location of the Wi-Fi SSID's first?
(All of my saved SSIDs are in the same location.)
(And of my saved SSIDs are set to _not_ "Auto reconnect" by default.)

>
> I assume that when not close to these APs, Wi-Fi is indeed turned off
> and hence does *not* broadcasts your hidden SSID.
>
> (Of course there's still Wi-Fi activity even if Wi-Fi is turned off,
> but AFAIK, that's only listening, not broadcasting.)

This is a decent general purpose albeit Samsung solution if it works.

There doesn't seem to be a way to manually specify _where_ the SSID
is located (in terms of GPS coordinates) so maybe that has to be learned?

The drawback is it apparently uses GPS which itself is a can of worms.
It also requires background Wi-Fi scanning which also is a can of worms.
It may require "autoconnect" to be turned on (although it didn't say so).

I'll test it for now to see how it works but in the end as I do think
it's a nice general purpose solution for most people on Samsung phones.

But I'm working toward a solution which works off the cellular tower
for the obvious reason that the cellular connection is already turned on
whereas the GPS is off 99.95% of the time (as well it should be).
--
Note this is only a two minute test so far so stay tuned for developments.

[paul]

nospam wrote on 13.05.2021 15:24

>> The BSSID is like a Social Security Number for your children.
>
> nonsense.
>
> the bssid does not contain any personally identifiable information and
> is not in any way like a social security number.

Listen to Vanguard's video which says the exact opposite of what you claim.

[Frank Slootweg]

AFAIK, it needs to 'learn' which SSID(s) you use frequently. I.e.
after turning it on, it doesn't know anything yet, it still has to
'learn'.

> Or maybe it needs to figure out the location of the Wi-Fi SSID's first?
> (All of my saved SSIDs are in the same location.)
> (And of my saved SSIDs are set to _not_ "Auto reconnect" by default.)
>
> > I assume that when not close to these APs, Wi-Fi is indeed turned off
> > and hence does *not* broadcasts your hidden SSID.
> >
> > (Of course there's still Wi-Fi activity even if Wi-Fi is turned off,
> > but AFAIK, that's only listening, not broadcasting.)
>
> This is a decent general purpose albeit Samsung solution if it works.

As I mentioned, I think other brands have similar facilities and
AFAIK there are apps which do this kind of stuff.

> There doesn't seem to be a way to manually specify _where_ the SSID
> is located (in terms of GPS coordinates) so maybe that has to be learned?

Exactly. See above.

> The drawback is it apparently uses GPS which itself is a can of worms.

No, it uses *Location* (services), which *may* use GPS, but can also
use other sources of location information, without using GPS. My phone
doesn't use GPS, unless I use a navigation app (like (Google) Maps or
OsmAnd). If GPS is on, there's a GPS icon (upside down teardrop) in the
Notification Area.

> It also requires background Wi-Fi scanning which also is a can of worms.

FWIW, on my phone (Samsung Galaxy A51) 'Wi-Fi scanning' is *off*, but
'Turn on Wi-Fi automatically' is on. I don't think I have changed the
'Wi-Fi scanning' setting at any time. so I don't know why you have to
turn 'Wi-Fi scanning' on, in order to be able to turn on 'Turn on Wi-Fi
automatically'. Perhaps you should turn 'Wi-Fi scanning' back off and
see what happens to the 'Turn on Wi-Fi automatically' setting.

> It may require "autoconnect" to be turned on (although it didn't say so).
>
> I'll test it for now to see how it works but in the end as I do think
> it's a nice general purpose solution for most people on Samsung phones.
>
> But I'm working toward a solution which works off the cellular tower
> for the obvious reason that the cellular connection is already turned on
> whereas the GPS is off 99.95% of the time (as well it should be).

As mentioned above, GPS is off, unless some app turns it on, so the
'Turn on Wi-Fi automatically' feature should work with GPS off (and
'Location' on).

[paul]

Frank Slootweg wrote on 13.05.2021 20:43

> AFAIK, it needs to 'learn' which SSID(s) you use frequently. I.e.
> after turning it on, it doesn't know anything yet, it still has to
> 'learn'.

Thank you for the clarification, with which I would tend to agree. It very
likely needs to learn which SSIDs we use most frequently and where they're
located (given I didn't see a manual setting for either value).

>> This is a decent general purpose albeit Samsung solution if it works.
>
> As I mentioned, I think other brands have similar facilities and
> AFAIK there are apps which do this kind of stuff.

Thank you for letting us know other brands have similar features as all
questions here should have general purpose solutions if possible.

The apps which geofence based on GPS radios are less useful in my opinion
than those which geofence based on cellular towers (or some other metric)
simply because GPS is off 99.95% of the time but the cellular radio is on
99.95% of the time.

>> The drawback is it apparently uses GPS which itself is a can of worms.
>
> No, it uses *Location* (services), which *may* use GPS, but can also
> use other sources of location information, without using GPS. My phone
> doesn't use GPS, unless I use a navigation app (like (Google) Maps or
> OsmAnd). If GPS is on, there's a GPS icon (upside down teardrop) in the
> Notification Area.

My Samsung "Intelligent Wi-Fi" is grayed out unless I turn on both the
teardrop tile "Location" & the "Improve Accuracy" background "Wi-Fi
scanning" yes/no slider switch.

I just tested all the permutations & combinations with either turned off and
what happens is that "Intelligent Wi-Fi" "Turn on Wi-Fi automatically" grays
out whenever _either_ is turned off (or both turned off).

The funny thing regarding your statement that Location may not necessarily
mean "GPS" is that the "Location" forms don't explicitly say the GPS radio
is what the Location teardrop tile turns on but there is no _other_ way to
explicitly turn on the GPS radios that I can find - so that teardrop tile
Location icon _must_ be turning on the GPS receivers.

What else can that "teardrop" tile switch be doing but turning on GPS?

>
>> It also requires background Wi-Fi scanning which also is a can of worms.
>
> FWIW, on my phone (Samsung Galaxy A51) 'Wi-Fi scanning' is *off*, but
> 'Turn on Wi-Fi automatically' is on. I don't think I have changed the
> 'Wi-Fi scanning' setting at any time. so I don't know why you have to
> turn 'Wi-Fi scanning' on, in order to be able to turn on 'Turn on Wi-Fi
> automatically'. Perhaps you should turn 'Wi-Fi scanning' back off and
> see what happens to the 'Turn on Wi-Fi automatically' setting.

Mine is the A32 (I just got a handful of them for free from T-Mobile in
addition to iPhones which were essentially offered at half price).

The funny thing is that if I start with everything blue & turned on
Location = blue and set to on
Wi-Fi scanning = blue and set to on
Turn on Wi-Fi automatically = blue and set to on

And then if I turn off either "Location" or "Wi-Fi scanning", then what
happens is the "Turn on Wi-Fi automatically" remains in the on position
but it grays out.

What does that indicate?
Is it really on but just not changable to off?
Or is it off?

I interpreted that to mean it is off.

> As mentioned above, GPS is off, unless some app turns it on, so the
> 'Turn on Wi-Fi automatically' feature should work with GPS off (and
> 'Location' on).

With "Turn on Wi-Fi automatically" blue and set to on, the instant I turn
off the Location teardrop or I turn off Wi-Fi scanning the
"Turn on Wi-Fi automatically" stays in the on position but it grays out.

I'm confused for a few reasons, one of which is that I'm not sure what a
grayed out indication means when the switch position remains at "on"
and another of which is that if the teardrop pulldown "Location" tile
doesn't turn on the GPS receiver - what does it do and how do you turn on
the GPS receiver then?

[nospam]

In article <s7jenp$1fjp$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

>
> > what *does* stop people from accessing a network is using a complex
> > passphrase that isn't in any of the password dictionaries.
>
> In case people are trying to learn something from what nospam says he needs
> to add that the SSID should _also_ not be something that is common either.

a unique ssid doesn't make much of a difference.

> Because the SSID is the salt for the WPA2-PSK encryption algorithm most of
> us are likely using on a typical home router, the SSID should be unique.
>
> Google "rainbow butterfly hash table" before you dispute that suggestion.
> https://epicsearch.in/search?pno=1&q=rainbow+table+butterfly+hash+table

learn about cracking wifi first.

[nospam]

In article <s7jf54$1mfa$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

>
> Preventing that upload is the entire focus of this thread _because_ the
> "_nomap" is not done on the phone but on the public server people upload to.

the only way to prevent being included in a wifi database is by turning
off your wifi base station or converting your house into a faraday cage
so that there's zero leakage outside, which has the drawback of no
windows.

> The _only_ known way to prevent that upload on typical phones (ie those not
> specifically configured to be wardrivers) is to disable AP SSID broadcast.

nope. that makes absolutely no difference whatsoever.

> But your own phone still shouts out that hidden SSID everywhere it goes.

yes it does.

> Which is why it matters to be able to auto turn that off away from home.

turn off the phone's wifi, or better yet, leave the phone at home.

while you're out, tin foil is in aisle 6, halfway down on the left.

[nospam]

In article <s7job2$jum$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

it's not his video and it doesn't say what you think it does.

you understand even less than he does, which is quite the
accomplishment, and not a good one.

[paul]

nospam wrote on 13.05.2021 23:08

> while you're out, tin foil is in aisle 6, halfway down on the left.

True to form you turned into a babbling idiot when confronted with facts.

[paul]

nospam wrote on 13.05.2021 22:08

> it's not his video and it doesn't say what you think it does.

Tell us.
What did the Rhodes Scholar security professional warn about in that video?

It's easy to tell you're a bumbling idiot nospam because you have no adult
response to any fact you happen not to like - and as such you are no
different than similar morons like Joerg Lorenz & Alan Baker & Lewis & JR.

You didn't even watch the video.

[paul]

nospam wrote on 13.05.2021 22:08

> a unique ssid doesn't make much of a difference.

You clearly don't understand how those published hash tables are generated.

> learn about cracking wifi first.

As always nospam turned into a bumbling idiot when confronted with fact.

[R.Wieser]

Nospam,

The below is *everything* you responded with in all four posts in this
thread :

- - - - - - - - - - - -

[Wed, 12 May 2021 10:35:28]

> yep

> the last four words should be removed for a more accurate statement.

[Wed, 12 May 2021 17:19:25]

> broadcasting ssids is not 'identifiable personal information'
> unless one or more of your ssids contains such information.

[ Thu, 13 May 2021 09:24:17]

> nonsense.
>
> the bssid does not contain any personally identifiable information
> and is not in any way like a social security number.

You might notice that the above quote is just a repeat of the statement you
made a day before to the same person, with nothing (new) added. Which
makes it a NULL post.

[Thu, 13 May 2021 16:08:18]

> it's not his video and it doesn't say what you think it does.

> you understand even less than he does, which is quite the
> accomplishment, and not a good one.

- - - - - - - - - - - -

You are up to your old tricks : claiming a lot, but explaining / supporting
none of it. And oh yeah, lets not forget your habit of "misunderstanding"
what someone has said.


Personally I think this one is a hoot :

> broadcasting ssids is not 'identifiable personal information'
> unless one or more of your ssids contains such information.

In that case you will have no problem with posting the SSNs of yourself and
all your family members here.

I mean, if a (B)SSID number cannot contain 'identifiable personal
information' than neither can a SSN number. Both are just numbers, right
?

And before you think of replying how a SSN *can be used as* a key into some
big, PII containing list somewhere, how/why do you think that that is
impossible for any other number ?

Regards,
Rudy Wieser

[R.Wieser]

Joerg,

>> broadcasting ssids is not 'identifiable personal information'
>> unless one or more of your ssids contains such information.
>
> +1
> It is an identifier like Blue, Red, Yellow or a numeration.

Do you have a SSN yourself ? How is that /not/ an identifier ?

And even though its just an identifier, the American gouverment strongly
suggests you to keep it to yourself. Do you have any idea why ?

IOW : put your brain into gear before you put your mouth into motion.

Regards,
Rudy Wieser

[nospam]

In article <s7k3bl$j4$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> True to form I turned into a babbling idiot when confronted with facts.

ftfy

[nospam]

In article <s7k3l2$4pc$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> > it's not his video and it doesn't say what you think it does.
>
> Tell us.
> What did the Rhodes Scholar security professional warn about in that video?

as usual, you snipped to alter context.

the video did *not* say that a bssid is like an ssn.

> In article <s7job2$jum$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
> wrote:
> >
> > >> The BSSID is like a Social Security Number for your children.
> > >
> > > nonsense.
> > >
> > > the bssid does not contain any personally identifiable information and
> > > is not in any way like a social security number.
> >
> > Listen to Vanguard's video which says the exact opposite of what you claim.
>

> it's not his video and it doesn't say what you think it does.
>

[nospam]

In article <s7ljdj$ilc$2...@gioia.aioe.org>, R.Wieser

<add...@not.available> wrote:

> >> broadcasting ssids is not 'identifiable personal information'
> >> unless one or more of your ssids contains such information.
> >
> > +1
> > It is an identifier like Blue, Red, Yellow or a numeration.
>
> Do you have a SSN yourself ? How is that /not/ an identifier ?

ssn and bssid are two totally different things. one is for a person and
the other for a hardware device.

> And even though its just an identifier, the American gouverment strongly
> suggests you to keep it to yourself.

no they don't.

the social security administration says to be careful and to ask
questions before disclosing it.

<https://www.ssa.gov/pubs/EN-05-10064.pdf>
You should be careful about sharing your number, even when
youšre asked for it. You should ask why your number is needed,
how itšll be used, and what will happen if you refuse. The answers
to these questions can help you decide if you want to give out your
Social Security number.

> Do you have any idea why ?
>
> IOW : put your brain into gear before you put your mouth into motion.

you should try that sometime.

[nospam]

In article <s7ljdg$ilc$1...@gioia.aioe.org>, R.Wieser

<add...@not.available> wrote:


> You are up to your old tricks : claiming a lot, but explaining / supporting
> none of it. And oh yeah, lets not forget your habit of "misunderstanding"
> what someone has said.

i'm not the one who is misunderstanding anything.

that would be *you* along with 'arlen', currently using the nym 'paul'
in this thread.

> Personally I think this one is a hoot :

only because you don't understand what is being discussed.

what's actually a hoot is thinking that an ssn and bssid are 'just
numbers' and somehow equivalent.

> > broadcasting ssids is not 'identifiable personal information'
> > unless one or more of your ssids contains such information.
>
> In that case you will have no problem with posting the SSNs of yourself and
> all your family members here.
>
> I mean, if a (B)SSID number cannot contain 'identifiable personal
> information' than neither can a SSN number. Both are just numbers, right
> ?

very much wrong.

an ssn is personally identifiable information (pii).

a bssid is not.

a bssid is unique for a particular hardware device (not a person). it
can be spoofed, but that is rare.

do you not understand the difference between a person and an inanimate
object?

> And before you think of replying how a SSN *can be used as* a key into some
> big, PII containing list somewhere, how/why do you think that that is
> impossible for any other number ?

there would need to be a database indexed by 'any other number' that
links to a particular person's identity.

there aren't any databases linking a bssid to a particular person, nor
can there be.

the geolocation databases link a bssid to a *location*, not a person.

almost always, there will be more than one person at a given location,
particularly in urban areas, where there could be thousands of people
associated with a particular location.

[Joerg Lorenz]

Am 13.05.21 um 22:57 schrieb paul:

> nospam wrote on 13.05.2021 22:08
>
>> a unique ssid doesn't make much of a difference.
>
> You clearly don't understand how those published hash tables are generated.

Completely irrelevant in this discussed case.

>> learn about cracking wifi first.
>
> As always nospam turned into a bumbling idiot when confronted with fact.

You are spreading fake news.
You are a Troll.

[Joerg Lorenz]

Am 12.05.21 um 18:18 schrieb nospam:
> In article <s7gpgo$r47$1...@dont-email.me>, Joerg Lorenz <hugy...@gmx.ch>
> wrote:
>
>>> he wants to switch off his home base station when away, not the phone.
>>
>> For what purpose? He can easily stop that forever on the router.
>
> his stated goal is to prevent his wifi network from being included in
> various databases, and the only way to do that is by switching it off.

Once turned on it takes milliseconds to find it and to geolocate it as
well as to include it in any database.

Our dear paul should never dare to turn on his WiFi anymore.

[paul]

Joerg Lorenz wrote on 14.05.2021 16:44

> Our dear paul should never dare to turn on his WiFi anymore.

*Do these morons like Joerg Lorenz & nospam _ever_ post with helpful intent?*

Have they ever even once in this thread or in any thread ever added any value?

Why do they always prove to be idiot little children playing their childish games?

[R.Wieser]

Nospam,

> i'm not the one who is misunderstanding anything.

*Ofcourse* you're not. Its *everyone else* who does that, right ? :-)

> that would be *you*

Kid, you are again giving a prime example of a claim which you do not even
try to explain, let lone underbuild.

But I'll bite : /how/ did I misunderstand this thread (you *and* Paul) ?

> along with 'arlen', currently using the nym 'paul' in this thread.

Lol. The Arlen I know responds with violent personal attacks whenever
someone disagrees with him. In comparision Paul here is an angel, with the
worst he's done is calling you out on your nonsense.

> only because you don't understand what is being discussed.

Well ? What stopped you from educating me there ? Maybe a lack of
understanding it yourself ?

> what's actually a hoot is thinking that an ssn and bssid are
> 'just numbers' and somehow equivalent.

And again : claiming that someone is wrong, but not giving an iota in
explanation or underbuilding it.

Although .... I can understand that it might be a bit hard for some people
to distinguish between what something *is*, and what it's *used as*.

> very much wrong.
>
> an ssn is personally identifiable information (pii).
>
> a bssid is not.

Wrong. Neither number is. Or both are. Take your pick.

(I could explain that, but I'm trying to behave just like you in this
regard. Am I considerate or what ? )

> a bssid is unique for a particular hardware device (not a person).
> it can be spoofed, but that is rare.

Too bad that you can't seem to imagine some "particular hardware device"
that's considered /very/ personal, and as such seldom (if ever) leaves its
owners side.

I'll give you a hint : It starts with a "P" and ends with "hone".

> do you not understand the difference between a person and
> an inanimate object?

How is it you can't seem to figure out that access-points, even though they
seldom used for communication solely between themselves, are not the only
devices using (B)SSIDs ?

> there would need to be a database indexed by 'any other number'
> that links to a particular person's identity.

You mean, just like what needs to happen with a SSN ?

> there aren't any databases linking a bssid to a particular person,
> nor can there be.

Kiddo, you *must/ be trolling. You can't be *that* oblivious to what is
happening all around you.

Hint : it starts with "G" and ends with "oogle".

> the geolocation databases link a bssid to a *location*, not a person.

Who said anything about a *geolocation* database ? I surely didn't.

Besides, what makes you think such databases can't also contain PII ?

> almost always, there will be more than one person at a given
> location,

While that /might/ be true, you're still (willfully?) oblivious to any other
device than an access-point.

> particularly in urban areas, where there could be thousands of
> people associated with a particular location.

And thats utter bullshit.

If not, isn't it rather inconvenient having to share one street address with
all the people of your whole, multiple square mile neighbourhood ? :-)

Regards,
Rudy Wieser

[R.Wieser]

Nospam,

> ssn and bssid are two totally different things. one is for a person
> and the other for a hardware device.

Which is absolutily inconsequential to what you yourself where talking
about. Good try, but no dice I'm afraid. Try again.

>> And even though its just an identifier, the American gouverment
>> strongly suggests you to keep it to yourself.
>
> no they don't.
>
> the social security administration says to be careful and to
> ask questions before disclosing it.

[snip link]

Thats a nice "no, but actually yes" example. :-)

>> IOW : put your brain into gear before you put your mouth into motion.
>
> you should try that sometime.

Nah. I don't really need to when talking to the likes of you. :-p

Regards,
Rudy Wieser

[Eli the Bearded]

In comp.mobile.android, R.Wieser <add...@not.available> wrote:
> I mean, if a (B)SSID number cannot contain 'identifiable personal
> information' than neither can a SSN number. Both are just numbers,
> right?

Nonsense. If I invite you into my home, I'll tell you which of the 20+
SSIDs you can find in my area is mine, and I'll share the password with
you. I would not share SSNs so freely.

Because SSIDs can be used to geolocate someone, I'm not going to post
mine or the ones that are near me unchanged. I'm fine with people
knowing I live in San Francisco, but I'm not giving out my street
address for everyone.

SSNs are "PII": personally identifiable information.
SSIDs are just "personal data".

https://techgdpr.com/blog/difference-between-pii-and-personal-data/

There are three people regularlly using my wifi network, and six or so
others using it sporatically. That means my wifi network will not
identify any particular person, but it does mean that it narrows the
possibilities to a very large degree.

Elijah
------
access to the wifi also grants access to the printer

[Frank Slootweg]

paul <nos...@nospam.invalid> wrote:
> Frank Slootweg wrote on 13.05.2021 20:43

[...]

> The funny thing regarding your statement that Location may not necessarily
> mean "GPS" is that the "Location" forms don't explicitly say the GPS radio
> is what the Location teardrop tile turns on but there is no _other_ way to
> explicitly turn on the GPS radios that I can find - so that teardrop tile
> Location icon _must_ be turning on the GPS receivers.
>
> What else can that "teardrop" tile switch be doing but turning on GPS?

I assume that with "the Location teardrop tile", you mean the 'tile'
(I would say icon) on the panel which you slide down from the top. If
so, if you *fully* slide down that panel, you don't just get the
main/'important' tiles, but all tiles and then these tiles have
*descriptions* below them, for example under the Bluetooth tile, it says
'Bluetooth'. And under "the Location teardrop tile" it says 'Location',
*not* GPS. So, as I mentioned, "the Location teardrop tile" switches the
*Location service* on/off, not GPS (GPS is turned on/off by *apps*, not
by settings).

[...]

> With "Turn on Wi-Fi automatically" blue and set to on, the instant I turn
> off the Location teardrop or I turn off Wi-Fi scanning the
> "Turn on Wi-Fi automatically" stays in the on position but it grays out.
>
> I'm confused for a few reasons, one of which is that I'm not sure what a
> grayed out indication means when the switch position remains at "on"
> and another of which is that if the teardrop pulldown "Location" tile
> doesn't turn on the GPS receiver - what does it do and how do you turn on
> the GPS receiver then?

I do not know what a grayed out switch in the on position means and I
cannot reproduce your scenario. For me the switch is off-and-gray or
on-and-blue, not another combination.

As to "how do you turn on the GPS receiver then?": As I mentioned,
*you* don't turn it on, the *app(s)* you use turn it on. Yes, in The Old
Days (Android 4/5) the teardrop button/tile/<whatever> switch GPS
on/off, but not anymore, at least not on my Samsung Galaxy A51 with
Android 10.

[Alan Baker]

How does that even follow?

I'll happily post my SSID here: Telus-Baker-5G and Telus-Baker-2.4G

Fill your boots.

>
> I mean, if a (B)SSID number cannot contain 'identifiable personal
> information' than neither can a SSN number. Both are just numbers, right

One is a number that is used to access additional personal information
(SSN) while the other serves a single purpose and is absolutely no use
to anyone trying to obtain other personal information (SSID).

> ?
>
> And before you think of replying how a SSN *can be used as* a key into some
> big, PII containing list somewhere, how/why do you think that that is
> impossible for any other number ?

You tell me:

In what way is my SSID associated with any other information about me?

[R.Wieser]

Eli,

>> I mean, if a (B)SSID number cannot contain 'identifiable personal
>> information' than neither can a SSN number. Both are just numbers,
>> right?
>
> Nonsense.

I've got a full reply to you ready to post, but when I do it also answers
most of what I'm trying to get nospam to think about and respond to. Give
me/him a few days.

I can send it to you using email if you want though (just make sure its a
throw-away address).

Regards,
Rudy Wieser

[Eli the Bearded]

In comp.mobile.android, R.Wieser <add...@not.available> wrote:

> Eli,

>
> I've got a full reply to you ready to post, but when I do it also answers
> most of what I'm trying to get nospam to think about and respond to. Give
> me/him a few days.
>
> I can send it to you using email if you want though (just make sure its a
> throw-away address).

If you want to email me, my From: line address works. But I'm quite
willing to wait and see the response in the group.

Elijah
------
is still willing to consider Usenet very asychronous

[Alan Baker]

On 2021-05-14 9:39 a.m., R.Wieser wrote:
> Nospam,
>
>> i'm not the one who is misunderstanding anything.
>
> *Ofcourse* you're not. Its *everyone else* who does that, right ? :-)
>
>> that would be *you*
>
> Kid, you are again giving a prime example of a claim which you do not even
> try to explain, let lone underbuild.
>
> But I'll bite : /how/ did I misunderstand this thread (you *and* Paul) ?
>
>> along with 'arlen', currently using the nym 'paul' in this thread.
>
> Lol. The Arlen I know responds with violent personal attacks whenever
> someone disagrees with him. In comparision Paul here is an angel, with the
> worst he's done is calling you out on your nonsense.

Nope. The attacks take precisely the same form for either nym.

>
>> only because you don't understand what is being discussed.
>
> Well ? What stopped you from educating me there ? Maybe a lack of
> understanding it yourself ?
>
>> what's actually a hoot is thinking that an ssn and bssid are
>> 'just numbers' and somehow equivalent.
>
> And again : claiming that someone is wrong, but not giving an iota in
> explanation or underbuilding it.
>
> Although .... I can understand that it might be a bit hard for some people
> to distinguish between what something *is*, and what it's *used as*.
>
>> very much wrong.
>>
>> an ssn is personally identifiable information (pii).
>>
>> a bssid is not.
>
> Wrong. Neither number is. Or both are. Take your pick.

How is an ssid associated with a PERSON?

>
> (I could explain that, but I'm trying to behave just like you in this
> regard. Am I considerate or what ? )
>
>> a bssid is unique for a particular hardware device (not a person).
>> it can be spoofed, but that is rare.
>
> Too bad that you can't seem to imagine some "particular hardware device"
> that's considered /very/ personal, and as such seldom (if ever) leaves its
> owners side.

Actually, it regularly leaves its owner's "side"...

...when the owner is elsewhere.

[paul]

Frank Slootweg wrote on 15.05.2021 07:40

>> What else can that "teardrop" tile switch be doing but turning on GPS?
>
> I assume that with "the Location teardrop tile", you mean the 'tile'
> (I would say icon) on the panel which you slide down from the top.

I always called them "tiles" but you can call them "icons" if you want.
https://android.gadgethacks.com/how-to/add-your-own-quick-settings-tiles-android-nougat-0173307/

I think the top bar location teardrop icon is called a "quick settings tile"
https://www.learn2crack.com/2017/02/android-using-quick-settings-tiles.html

Apparently each tile is associated with a tile service on Android
https://medium.com/androiddevelopers/quick-settings-tiles-e3c22daf93a8

> If so, if you *fully* slide down that panel, you don't just get the
> main/'important' tiles, but all tiles and then these tiles have
> *descriptions* below them, for example under the Bluetooth tile, it says
> 'Bluetooth'. And under "the Location teardrop tile" it says 'Location',
> *not* GPS.

Yes. I see that under the teardrop tile it says only "Location" & not GPS.

This article implies the teardrop tile turns on "GPS" but it may be wrong.
https://www.wikihow.tech/Turn-on-GPS-on-Android
"The Location icon may look like a pin or a world icon depending on
your Android version. On some versions of Android, this option is
listed as GPS."

And this article implies you can turn on specific location methods
https://answersdrive.com/how-do-i-turn-on-gps-on-my-android-phone-2400040
"Select desired locating method: GPS, Wi-Fi, and mobile networks"

> So, as I mentioned, "the Location teardrop tile" switches the
> *Location service* on/off, not GPS (GPS is turned on/off by *apps*, not
> by settings).

That is probably why I was confused as there is _nothing_ in the "Location"
quick settings tile for GPS options. Everything is Wi-Fi or Bluetooth.

Even the "app permissions" section just says the apps in the list can access
the "location" (without saying _how_ that app figures out the location).

>
>> With "Turn on Wi-Fi automatically" blue and set to on, the instant I turn
>> off the Location teardrop or I turn off Wi-Fi scanning the
>> "Turn on Wi-Fi automatically" stays in the on position but it grays out.
>>
>> I'm confused for a few reasons, one of which is that I'm not sure what a
>> grayed out indication means when the switch position remains at "on"
>> and another of which is that if the teardrop pulldown "Location" tile
>> doesn't turn on the GPS receiver - what does it do and how do you turn on
>> the GPS receiver then?
>
> I do not know what a grayed out switch in the on position means and I
> cannot reproduce your scenario. For me the switch is off-and-gray or
> on-and-blue, not another combination.

Here's what I just did just now to set it up the way you have it set up.

Using the Quick Settings Location tile I set Location = On.
And I set "Improve Accuracy" "Wi-Fi scanning" also = On.

Since I have Wi-Fi automated I made sure the Wi-Fi was connected to my AP
when I pulled down the Quick Settings Wi-Fi tile and then I pressed the 3
dots at the top right of the Wi-Fi settings to get to the "Advanced" menu.

That Advanced menu took me to "Intelligent Wi-Fi" which is now blue and
set to "Turn on Wi-Fi automatically = On"
'Turn on Wi-Fi automatically when you're in places you use it frequently
and turn it off elsewhere.'

The only problem with this set of settings is "Location" must be on
and "Wi-Fi scanning" must be on. Otherwise it's perfect.

> As to "how do you turn on the GPS receiver then?": As I mentioned,
> *you* don't turn it on, the *app(s)* you use turn it on. Yes, in The Old
> Days (Android 4/5) the teardrop button/tile/<whatever> switch GPS
> on/off, but not anymore, at least not on my Samsung Galaxy A51 with
> Android 10.

Mine is the A32 5G where I'll believe you that the old Android turned
on the GPS but this Android 11 let's the apps decide what to turn on.

Thank you for teaching me that bit of Android lore which is useful.
To see which apps are using the GPS, when I long press on the Quick Settings
tile for Location I can then tap on "App permissions" which says
"Apps with this permission can access this device's location"
Allowed all the time = No apps allowed
Allowed only while in use = (there are many apps listed there)
Denied = (there are many apps listed there too)

What is confusing to me but I believe you as what you say seems to be born
out in Android 11 is there is no System setting to turn GPS on or off.

Yet the Android support from Google says the teardrop icon in the top of
your screen indicates an app is specifically using GPS to get your location.
https://support.google.com/android/answer/3467281?hl=en
"When an app is using your phone's location via GPS,
the top of your screen shows Location (teardrop)"

It's confusing but I thank you for pointing out this Samsung feature.

I have it set right now but I probably won't use it long term because
it requires location to be turned on where I would rather only cellular
be turned on instead of location always having to be turned on.

[Piet]

Frank Slootweg wrote:
> As to "how do you turn on the GPS receiver then?": As I mentioned,
> *you* don't turn it on, the *app(s)* you use turn it on. Yes, in
> The Old Days (Android 4/5) the teardrop button/tile/<whatever>
> switch GPS on/off, but not anymore, at least not on my Samsung
> Galaxy A51 with Android 10.

The Old Days comprise Android 6/7 too, at least on my S6.

-p

[R.Wieser]

Alan,

> Nope. The attacks take precisely the same form for either nym.

Yup. On first glance I mistook his later posts as annoyance towards
persons I also found annoying. Sh*t happens.

> How is an ssid associated with a PERSON?

I can read that in at least two different ways, and have already tried to
answered both.

1) The "I've got a (B)SSID and now want to know which person is accociated
with it" tecnical part.
The same way a SSN is tied to a person : you ask a database.

Though in the case if a (B)SSID than being in the vincinity of the target
than using you own phones WiFi and a small "compass" style program will
allow you to identify the person (bypassing the name, DoB and address
requirements :-) ).

2) The "how is a (B)SSID of a device bound to a person" ?
"mobile communication devices" (aka "phones") nowerdays are rather, if not
/very/ personal. Protected by biometric passwords and whatnot. If the
owner does not want you to use it than you, as a common person, are not
going to.

IOW, if-and-when that phone is used than its under the say-so of the owner.
As such I consider the (B)SSID of that persons phone to be bound to that
person. And yes, thats a caveat - not /all/ used (B)SSIDs are bound to a
specific persons.

>Actually, it regularly leaves its owner's "side"...
>
> ...when the owner is elsewhere.

:-) Thats a nice circular redenation.

Yes, It *can*. But I'm arguing that it nowerdays seldom, if ever, does.
Do you disagree with that ?

And no, I cannot solve all the misuses of (B)SSIDs used as a personal
identifier. And no, I cannot do that for SSNs either. :-)


You know what I find remarkable ?

So many posts in which I have tried to explain myself, and *not one*
response in which anyone tries to counter it by explaining how it wouldn't.
Instead of a honest discussion about how it could or could not work
(exchanging information!) all I get is "youre wrong, explain yourself !"
style demands. And that makes me quite tired.

For *once* I would like to see how someone explains how-and-why that it
would not be possible, preferrably compared to how a SSN doesn't have a
similar problem.

:-) It just sprung into focus for me : if nothing changes than this is my
last post on the matter.

Regards,
Rudy Wieser

[Frank Slootweg]

R.Wieser <add...@not.available> wrote:
[...]

> 1) The "I've got a (B)SSID and now want to know which person is accociated
> with it" tecnical part.
> The same way a SSN is tied to a person : you ask a database.
>
> Though in the case if a (B)SSID than being in the vincinity of the target
> than using you own phones WiFi and a small "compass" style program will
> allow you to identify the person (bypassing the name, DoB and address
> requirements :-) ).

That might work somewhat (FSVSVO 'somewhat') for houses which are
spread over some distance, but won't work for houses in a row,
multi-storey houses, appartment buildings, etc..

For example in our appartment building, I 'see' tens and tens of SSIDs
of everybodies Wi-Fi Access Points (APs). No way to tell which SSID/AP
'belongs' to whom, at least not for many/most/all of them.

> 2) The "how is a (B)SSID of a device bound to a person" ?
> "mobile communication devices" (aka "phones") nowerdays are rather, if not
> /very/ personal. Protected by biometric passwords and whatnot. If the
> owner does not want you to use it than you, as a common person, are not
> going to.
>
> IOW, if-and-when that phone is used than its under the say-so of the owner.
> As such I consider the (B)SSID of that persons phone to be bound to that
> person. And yes, thats a caveat - not /all/ used (B)SSIDs are bound to a
> specific persons.

AFAICT, you've got the situation wrong:

The (B)SSID is not associated with a - mobile - *phone* [1] but with
some - normally stationary - *Access Point* (AP). An AP *can* be
'personal', but normally is not. (The *ownership* of the AP might be
'personal', but often even that's not the case.)

[,,,]

[1] Except when the phone is *used as* and AP, which is a small
minority.

[nospam]

In article <s7m955$1lsh$1...@gioia.aioe.org>, R.Wieser

<add...@not.available> wrote:

> > ssn and bssid are two totally different things. one is for a person
> > and the other for a hardware device.
>
> Which is absolutily inconsequential to what you yourself where talking
> about. Good try, but no dice I'm afraid. Try again.

it's not inconsequential.

they are two very different things, for two very different purposes.

> >> And even though its just an identifier, the American gouverment
> >> strongly suggests you to keep it to yourself.
> >
> > no they don't.
> >
> > the social security administration says to be careful and to
> > ask questions before disclosing it.
> [snip link]
>
> Thats a nice "no, but actually yes" example. :-)

you have a habit of snipping links that prove you wrong.

being careful is *not* the same as 'strongly suggests you keep it to
yourself'.

[nospam]

In article <s7m957$1lsh$2...@gioia.aioe.org>, R.Wieser

<add...@not.available> wrote:

> > i'm not the one who is misunderstanding anything.
>
> *Ofcourse* you're not. Its *everyone else* who does that, right ? :-)

nope. just you.

even 'paul' (aka 'arlen') mostly understands it, although he is blinded
by his pathological paranoia.

> > that would be *you*
>
> Kid, you are again giving a prime example of a claim which you do not even
> try to explain, let lone underbuild.
>
> But I'll bite : /how/ did I misunderstand this thread (you *and* Paul) ?

first, by thinking that because an ssn and bssid are both numbers, they
are somehow equivalent. i'm still laughing at that one.

second, your claim that there is a database linking a bssid to a
particular person. there isn't, nor can there be.

next, you don't understand what bssid and ssid actually are, especially
since you repeatedly lump them together by writing '(b)ssid'.

lastly, you don't understand how wifi geolocation works, what 'paul' is
trying to do to thwart it and why his attempts are futile.

> > along with 'arlen', currently using the nym 'paul' in this thread.
>
> Lol. The Arlen I know responds with violent personal attacks whenever
> someone disagrees with him. In comparision Paul here is an angel, with the
> worst he's done is calling you out on your nonsense.

they're the same person, and you clearly have missed the numerous
personal attacks 'paul' has spewed.

> > only because you don't understand what is being discussed.
>
> Well ? What stopped you from educating me there ? Maybe a lack of
> understanding it yourself ?

maybe that you suddenly appeared in this thread and that you aren't
actually interested in learning anything.

but on the off chance you do want to learn something, there is plenty
of information already in this thread. start there. you could also use
the resource you mention below to find even more information.

based on your comments, it's safe to say that you haven't read much of
anything about the topic and will not be doing so in the future.

> > what's actually a hoot is thinking that an ssn and bssid are
> > 'just numbers' and somehow equivalent.
>
> And again : claiming that someone is wrong, but not giving an iota in
> explanation or underbuilding it.
>
> Although .... I can understand that it might be a bit hard for some people
> to distinguish between what something *is*, and what it's *used as*.

at least you understand that you're having such difficulties.

> > very much wrong.
> >
> > an ssn is personally identifiable information (pii).
> >
> > a bssid is not.
>
> Wrong. Neither number is. Or both are. Take your pick.

nope.

one is, the other is not.

> (I could explain that, but I'm trying to behave just like you in this
> regard. Am I considerate or what ? )

or what.

> > a bssid is unique for a particular hardware device (not a person).
> > it can be spoofed, but that is rare.
>
> Too bad that you can't seem to imagine some "particular hardware device"
> that's considered /very/ personal, and as such seldom (if ever) leaves its
> owners side.
>
> I'll give you a hint : It starts with a "P" and ends with "hone".

nobody said that devices which can be linked to a particular person do
not exist.

what you fail to understand is that wifi access points are not among
such devices.

you're also ignoring company-owned phones, where the person using it is
*not* the owner.

the same applies to company-owned wifi access points, which is the norm
for any business offering public wifi.

> > do you not understand the difference between a person and
> > an inanimate object?
>
> How is it you can't seem to figure out that access-points, even though they
> seldom used for communication solely between themselves, are not the only
> devices using (B)SSIDs ?

you could have saved yourself a lot of typing and simply answered 'no'.

also, mesh wifi says hello.

but out of morbid curiosity, what else in your list of devices has a
bssid other than wifi access points?

> > there would need to be a database indexed by 'any other number'
> > that links to a particular person's identity.
>
> You mean, just like what needs to happen with a SSN ?

but not a bssid.

> > there aren't any databases linking a bssid to a particular person,
> > nor can there be.
>
> Kiddo, you *must/ be trolling. You can't be *that* oblivious to what is
> happening all around you.
>
> Hint : it starts with "G" and ends with "oogle".

it ain't me who is oblivious.

google's wifi database (as well as others) maps a bssid to a location.
it does not and cannot map it to a particular person.

the location of a wifi access point tells you absolutely nothing about
who may have used that access point in the past, who is using it right
now, who might use it in the future or who owns the hardware.

> > the geolocation databases link a bssid to a *location*, not a person.
>
> Who said anything about a *geolocation* database ? I surely didn't.

nobody said you did.

you obviously haven't read the thread, which is specifically about such
databases and how to avoid being included in them, despite it being a
complete waste of time and effort in trying.

> Besides, what makes you think such databases can't also contain PII ?

what pii is included in google's wifi database, where did it come from
and how is it kept accurate and up to date? be specific.

> > almost always, there will be more than one person at a given
> > location,
>
> While that /might/ be true, you're still (willfully?) oblivious to any other
> device than an access-point.

it ain't me who is oblivious, although there are more appropriate words
that could be used.

> > particularly in urban areas, where there could be thousands of
> > people associated with a particular location.
>
> And thats utter bullshit.

it's not.

a public wifi hotspot in an urban area can easily have thousands of
people who have used it at some point, sometimes in just one day for
very busy locations.

> If not, isn't it rather inconvenient having to share one street address with
> all the people of your whole, multiple square mile neighbourhood ? :-)

you definitely don't understand how things work.

[paul]

nospam wrote on 16.05.2021 08:43

> the location of a wifi access point tells you absolutely nothing about
> who may have used that access point in the past, who is using it right
> now, who might use it in the future or who owns the hardware.

The location of home router Wi-Fi access points we are talking about here is
your own home which is _easily_ tied to a database of who you are. Period.

The BSSID === you. Period.

If your phone shouts out that BSSID away from home it can be traced to you.
Period.

This thread is about how to prevent that from happening.

You haven't added _any_ value on how to prevent that from happening.
Others have.

I'm testing their proposals & will report back when successful.
It's a worthwhile skill to have to protect our BSSID from interception.

[R.Wieser]

Nospam,

> it's not inconsequential.
>
> they are two very different things, for two very different purposes.

Warning: Statement has been posted before, no additional information has
been supplied.
Warning: Statement ignored, due to no explanation or substanciation to it
being offered.

> you have a habit of snipping links that prove you wrong.

My condolances to you. Most people here are smart enough to be able to
leaf up to the parent post to see what I was responding to, including that
link.

> being careful is *not* the same as 'strongly suggests you keep
> it to yourself'.

Warning: Statement ignored, due to no explanation or substanciation to it
being offered.

Regards,
Rudy Wieser

[R.Wieser]

nospam,

> first, by thinking that because an ssn and bssid are both numbers, they
> are somehow equivalent. i'm still laughing at that one.

Warning: Statement has been posted before, no additional information has
been supplied.
Warning: Statement ignored, due to no explanation or substanciation to it
being offered.

> second, your claim that there is a database linking a bssid to a
> particular person. there isn't, nor can there be.

Warning: Statement has been posted before, no additional information has
been supplied.
Warning: Statement ignored, due to no explanation or substanciation to it
being offered.

> lastly, you don't understand how wifi geolocation works,

Warning: Statement ignored, due to no explanation or substanciation to it
being offered.

> what 'paul' is trying to do to thwart it and why his attempts are futile.

Warning: Statement ignored - an attempted introduction of a subject that has
no relevance to the subject discussed.

[snip rest of post]

Kid, I'm getting tired of you.

Most, if not all of what you do is saying "No, your're wrong!" <full stop> ,
while keeping your hands over your ears, some sleigh-of-hand deflection
attempts and simple innuendo.

Go take a hike, and only come back when you're able to *explain* why you
think someone is wrong. Maybe than we can have an actual discussion on the
merrits of what we both think we know.

Goodbye,
Rudy Wieser

[R.Wieser]

I almost forgot to post it. :-)

Eli,

>> I mean, if a (B)SSID number cannot contain 'identifiable personal
>> information' than neither can a SSN number. Both are just numbers,
>> right?
>
> Nonsense. If I invite you into my home, I'll tell you which of the 20+
> SSIDs you can find in my area is mine, and I'll share the password with
> you. I would not share SSNs so freely.

Ofcourse its nonsense. :-) I wrote that to provoke nospam to think
about it a bit.

But *WHY* is it nonsense ? I don't think you will disagree with me when I
say that both are numbers. So *what makes the one number some much more
special than the other one* ?

I give you a hint : its not the number itself.

> Because SSIDs can be used to geolocate someone, I'm not going
> to post mine or the ones that are near me unchanged.

I'm sorry ? You just told me that you would have no problem with giving us
20+ of the SSIDs in your neighbourhood, including your own, but directly
after that tell us that you won't do such a thing ? I'm confused ...

Also, that latter "I'm not going to post mine" has a reason. What is it ?
Is it maybe that such an SSID can be easily used to figure out who you are ?
If not by the company which have stuffed milions of them in a database (and
keeps updating them), but also have access to quite a bit more of your
personal data thru other means ?

> SSNs are "PII": personally identifiable information.
> SSIDs are just "personal data".
>
> https://techgdpr.com/blog/difference-between-pii-and-personal-data/

I'm sorry, but could you point out where in that document you found either
of the above (preferrably both) definitions, as I can't seem to find them
...

Besides the point that, as you have already made clear yourself, the
distinguishing of them that way is razor-thin, I also disagree with your
classification there - simply because you left stuff out.

You see, a SSN is worthless if you do not have access to the (gouvermental)
DB containing your associated PII. And as most common citizens do not
have that access ... And thats besides the simple fact you can easily hide
your a SSN, just by putting something, anything over it. Which you, as
you've already made clear, have the full intention of doing so.

And SSID on the other hand is something your phone sends out all the time
whenever you want to be able to use a WiFi accesspoint (and possible even
when you have disabled that - as the "assisted" in A-GPS seems to be
overriding that setting ...) Pretty-much the same happens when you have
(Low Energy) BlueTooth enabled by the way.

And as most phones nowerdays are /very/ personal (protected by biometric
passwords and what not) that SSID might as well be burned onto your
forehead. And yes, thats a reference to"the number of the beast".

So yes, I do think that both a SSN *as well as* a SSID can be used to figure
out a single person. With the SSID winning hands-down. And its also way
easier to track you with. :-)

> There are three people regularlly using my wifi network, and six
> or so others using it sporatically. That means my wifi network will
> not identify any particular person,

No, you have *chosen* not to identify them. Thats something quite different.

Regards,
Rudy Wieser

[R.Wieser]

Frank,

> That might work somewhat (FSVSVO 'somewhat') for houses which
> are spread over some distance, but won't work for houses in a row,
> multi-storey houses, appartment buildings, etc..

:-) Than how do you think that geolocation of WiFi accesspoints for use
with A-GPS works ?

No, I think its quite possible to figure out where a certain (B)SSID comes
from. Either by just walking towards the signal, or by triangulation -
which works as well for vertical seperation.

> No way to tell which SSID/AP 'belongs' to whom, at least not for
> many/most/all of them.

Sigh ... If it can be done for a SSN, why do you think its impossible for
a (B)SSID ?

But yes, someone, either you yourself or someone else must have created such
a list first.

In the above I've already mentioned the existence of a geolocation database
(for use by A-GPS) that will translate the SSIDs of WiFi accesspoints to a
specific location. That would be enough for one-person households -
stripping the "/all" an perhaps even "/most/all" from your "at least not
for" claim ...

I can also /easily/ imagine that some of the bigger companies (one of them
starts with "G" and ends on "oogle") have created an even more extensive
database for tracking -> ad-selling purposes, which contains the BSSIDs of
WiFi-capable devices and whatever they got from such devices as the result
of signing up to one or more "social media" accounts.

> The (B)SSID is not associated with a - mobile - *phone* [1] but
> with some - normally stationary - *Access Point* (AP).

:-) You're conflating a certain usage with it being the /only/ usage.

Regards,
Rudy Wieser

[Frank Slootweg]

R.Wieser <add...@not.available> wrote:
> Frank,
>
> > That might work somewhat (FSVSVO 'somewhat') for houses which
> > are spread over some distance, but won't work for houses in a row,
> > multi-storey houses, appartment buildings, etc..
>
> :-) Than how do you think that geolocation of WiFi accesspoints for use
> with A-GPS works ?
>
> No, I think its quite possible to figure out where a certain (B)SSID comes
> from. Either by just walking towards the signal, or by triangulation -
> which works as well for vertical seperation.

I explained why it's not feasible, but you chose to silently snip that
argument. Learning from nospam, are we!? :-(

> > No way to tell which SSID/AP 'belongs' to whom, at least not for
> > many/most/all of them.
>
> Sigh ... If it can be done for a SSN, why do you think its impossible for
> a (B)SSID ?

I explained that in the part you snipped.

> But yes, someone, either you yourself or someone else must have created such
> a list first.

So you confirm such a list doesn't exist and you've not explained how
such a list *could* be created. Noted.

Remember: One can't prove a negative. So the burden of proof - how
such a list *can* be created - is on you.

> In the above I've already mentioned the existence of a geolocation database
> (for use by A-GPS) that will translate the SSIDs of WiFi accesspoints to a
> specific location. That would be enough for one-person households -
> stripping the "/all" an perhaps even "/most/all" from your "at least not
> for" claim ...

Nope, it would *not* be enough for "one-person households", because
you - implicitly - assume that there's enough physical distance between
those housholds, which is often not the case - especially in build-up
areas.

There's a public map which shows the SSIDs in a certain area. I
checked my location and could not find my SSID - nor several others I
know are close by - because there were just too many. I didn't save the
URL of the service, because it was useless for me.

> I can also /easily/ imagine that some of the bigger companies (one of them
> starts with "G" and ends on "oogle") have created an even more extensive
> database for tracking -> ad-selling purposes, which contains the BSSIDs of
> WiFi-capable devices and whatever they got from such devices as the result
> of signing up to one or more "social media" accounts.

You can imagine all kinds of things. I prefer (technical) facts,
logic, proof, etc.. Silly me!

And don't get me started on the 'smartness' of Google. As long as they
can't tell the difference between multiple people using the same router
and can't tell that I have already *bought* what they're advertizing,
while that purchase is *recorded* in *Gmail* for crying out loud,
they're not 'smart', but rather dumb.

> > The (B)SSID is not associated with a - mobile - *phone* [1] but
> > with some - normally stationary - *Access Point* (AP).
>
> :-) You're conflating a certain usage with it being the /only/ usage.

Explain. That comment is as clear as mud.

And BTW, stop snipping my arguments - yes, you snipped other arguments
as well -, if not, it's EOD. (Yes, *I* can look up a parent article, but
one can't assume that others will assume foul play.)

[Alan Baker]

On 2021-05-15 9:30 p.m., paul wrote:
> nospam wrote on 16.05.2021 08:43
>
>> the location of a wifi access point tells you absolutely nothing about
>> who may have used that access point in the past, who is using it right
>> now, who might use it in the future or who owns the hardware.
>
> The location of home router Wi-Fi access points we are talking about here is
> your own home which is _easily_ tied to a database of who you are. Period.

Really? How?

>
> The BSSID === you. Period.

Wrong. Period.

>
> If your phone shouts out that BSSID away from home it can be traced to you.
> Period.

It shouts dozens of SSIDs if it shouts at all; probably hundreds in my case.

[R.Wieser]

Frank,

> I explained why it's not feasible,

No you didn't.

> but you chose to silently snip that argument.

and no I didn't.

The below is *all* I did /not/ quote from your post. Both parts because
they do not, as far as I can tell, add anything of value to what I /did/
quote from the respective paragraphs.

>> For example in our appartment building, I 'see' tens and tens
>> of SSIDs of everybodies Wi-Fi Access Points (APs).

>> An AP *can* be 'personal', but normally is not. (The *ownership*
>> of the AP might be personal', but often even that's not the case.)
>>
>> [,,,]
>>
>> [1] Except when the phone is *used as* and AP, which is a small
>> minority.

You have exactly *one* chance to clarify yourself, as I've had it upto
*there* with people who claim stuff or accuse without even bothering to show
substanciation of what they are talking about.

> So you confirm such a list doesn't exist and you've not
> explained how such a list *could* be created. Noted.

Actually, I've did the opposite on both. In the paragraph starting with "I
can /easily/ imagine"

> Remember: One can't prove a negative.

I know and am very aware of it. That is why I'm not an atheist.

> So the burden of proof - how such a list *can* be created - is on you.

Already done, in two different ways no less.- even if you refuse to
acknowledge either.

> Nope, it would *not* be enough for "one-person households",
> because you - implicitly - assume that there's enough physical
> distance between those housholds, which is often not the case -
> especially in build-up areas.

Even though I can follow your argument there, the burden of proof is now
yours. And no, your anecdotal evidence does not cut it I'm afraid.

Besides that, I thought I made clear that its not the location which binds
the device to the person, but his PII that has passed thru it.

> You can imagine all kinds of things. I prefer (technical) facts,
> logic, proof, etc.. Silly me!

You *claim* you prefer, among other stuff, logic, but when you see it you
offhandedly reject it.

And did you really expect me to hack into Googles servers to grab the
information that will convince you that it actually exists ? Or find one
of the possible other companies that might already have done it and do the
same ?

If not, what /would/ convice you ?

> And don't get me started on the 'smartness' of Google. As long
> as they can't tell the difference between multiple people using the
> same router and can't tell that I have already *bought* what they're
> advertizing, while that purchase is *recorded* in *Gmail* for crying
> out loud, they're not 'smart', but rather dumb.

All see is someone making claims without providing all the parameters (first
claim), as well as assuming that Google "can't tell" because you don't
haven't got a clue what their angle is (second claim). Not really
scientific ...

>> :-) You're conflating a certain usage with it being the /only/ usage.
>
> Explain. That comment is as clear as mud.

I already did in my previous message. Yep, again /that/ paragraph. You're
stuck on /only/ APs having BSSIDs.

> And BTW, stop snipping my arguments

No. I don't think that I will quote all of your message just because you
think - or just claim - that there is important stuff somewhere in it.
Feel free to reintroduce the missing parts in your own post though.

But than do me, or rather yourself, a favour and clarify /why/ it is so
important. Otherwise I will just do the same the next time, and than where
does that leave you ?

And oh yes : if you want to continue our conversation than I suggest you
take that chance I offered you.

Regards,
Rudy Wieser

[nospam]

In article <s7q75q$5tg$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> > the location of a wifi access point tells you absolutely nothing about
> > who may have used that access point in the past, who is using it right
> > now, who might use it in the future or who owns the hardware.
>
> The location of home router Wi-Fi access points we are talking about here is
> your own home which is _easily_ tied to a database of who you are. Period.

no it can't.

> The BSSID === you. Period.

nope. it identifies the wifi access point, which is an inanimate object.

there is no registration of wifi access points, so there's no way to
know who owns it, who has connected to it in the past or who will
connect to it in the future.

> If your phone shouts out that BSSID away from home it can be traced to you.
> Period.

phones don't shout out bssids.

you are confusing bssid with ssid.

> This thread is about how to prevent that from happening.

you can't, other than shutting off the wifi access point or living
inside a faraday cage.

which one of those do you prefer?

> You haven't added _any_ value on how to prevent that from happening.
> Others have.

both false.

> I'm testing their proposals & will report back when successful.

your attempts are futile and will fail.

> It's a worthwhile skill to have to protect our BSSID from interception.

there is nothing worthwhile about it nor is anything being intercepted.

[nospam]

In article <s7qqbu$1fab$1...@gioia.aioe.org>, R.Wieser

<add...@not.available> wrote:

> You see, a SSN is worthless if you do not have access to the (gouvermental)
> DB containing your associated PII.

false.

<https://www.pcmag.com/news/heres-how-much-your-identity-goes-for-on-the-
dark-web>
For people with high credit scores, a Social Security number, birth
date, and full name can sell for $60 to $80 on the digital black
market. It may not sound like much, but for hackers, a good credit
score can fetch a nice premium.

> And as most common citizens do not
> have that access ...

the common citizens aren't the ones you have to worry about.

> And thats besides the simple fact you can easily hide
> your a SSN, just by putting something, anything over it. Which you, as
> you've already made clear, have the full intention of doing so.

that's hilarious.

no, you can't hide an ssn by "putting something, anything over it".

> And SSID on the other hand is something your phone sends out all the time
> whenever you want to be able to use a WiFi accesspoint (and possible even
> when you have disabled that - as the "assisted" in A-GPS seems to be
> overriding that setting ...)

nope. ssids are not always broadcast and a-gps is completely unrelated.

> Pretty-much the same happens when you have
> (Low Energy) BlueTooth enabled by the way.

nope. bluetooth le is entirely different.

> And as most phones nowerdays are /very/ personal (protected by biometric
> passwords and what not) that SSID might as well be burned onto your
> forehead. And yes, thats a reference to"the number of the beast".
>
> So yes, I do think that both a SSN *as well as* a SSID can be used to figure
> out a single person. With the SSID winning hands-down. And its also way
> easier to track you with. :-)

you're wrong about that too.

[nospam]

In article <s7quin$19e5$1...@gioia.aioe.org>, R.Wieser

<add...@not.available> wrote:

> > That might work somewhat (FSVSVO 'somewhat') for houses which
> > are spread over some distance, but won't work for houses in a row,
> > multi-storey houses, appartment buildings, etc..
>
> :-) Than how do you think that geolocation of WiFi accesspoints for use
> with A-GPS works ?

a-gps does not use wifi geolocation.

> No, I think its quite possible to figure out where a certain (B)SSID comes
> from. Either by just walking towards the signal, or by triangulation -
> which works as well for vertical seperation.

if you're near enough to a wifi network to be able to walk towards the
signal or trilaterate among several, then you don't need a database to
determine its location. you are *already* *there*.

> > No way to tell which SSID/AP 'belongs' to whom, at least not for
> > many/most/all of them.
>
> Sigh ... If it can be done for a SSN, why do you think its impossible for
> a (B)SSID ?

because there's no registration for wifi access points. all that's
needed is a power source.

you also continue to conflate bssid and ssid, and have now added a-gps
as part of the mix.

you are very confused.

> But yes, someone, either you yourself or someone else must have created such
> a list first.

nobody has done that because it's not possible to create a database
that links bssids to specific people.

> In the above I've already mentioned the existence of a geolocation database
> (for use by A-GPS) that will translate the SSIDs of WiFi accesspoints to a
> specific location. That would be enough for one-person households -
> stripping the "/all" an perhaps even "/most/all" from your "at least not
> for" claim ...

again, a-gps does not use wifi geolocation databases and an ssid is not
translated into a location either.

> I can also /easily/ imagine that some of the bigger companies (one of them
> starts with "G" and ends on "oogle") have created an even more extensive
> database for tracking -> ad-selling purposes, which contains the BSSIDs of
> WiFi-capable devices and whatever they got from such devices as the result
> of signing up to one or more "social media" accounts.

imagining things does not make them real.

[nospam]

In article <s7ru45$194j$1...@gioia.aioe.org>, R.Wieser

<add...@not.available> wrote:



> And did you really expect me to hack into Googles servers to grab the
> information that will convince you that it actually exists ? Or find one
> of the possible other companies that might already have done it and do the
> same ?

no hacking is required.

had you read this thread, you would have seen a post that details how
someone can make a query to google's database and obtain a location
from a bssid. it does require knowing how to write android apps, so
that probably rules you out.

one of the third party options was also mentioned several times in this
thread, which anyone can use. no android skills required.

> If not, what /would/ convice you ?

by demonstrating that you have even a slight understanding of how
things work.

so far, you have not done that.

> >> :-) You're conflating a certain usage with it being the /only/ usage.
> >
> > Explain. That comment is as clear as mud.
>
> I already did in my previous message. Yep, again /that/ paragraph. You're
> stuck on /only/ APs having BSSIDs.

you have not answered the question of what else has bssids.

here's your opportunity to demonstrate how much you know (or don't
know) about wifi.

[Frank Slootweg]

R.Wieser <add...@not.available> wrote:
> Frank,
[...]

> You have exactly *one* chance to clarify yourself, as I've had it upto
> *there* with people who claim stuff or accuse without even bothering to show
> substanciation of what they are talking about.

[...]

> And oh yes : if you want to continue our conversation than I suggest you
> take that chance I offered you.

Rudy,

I've no interest continuing this (non-)'conversation'. I tried to
bring some clarity to the confusion in this thread. But was 'rewarded'
by foul play, hostility and offense in the face of lack of knowledge/
insight/etc..

I know you're/can_be better than that, so for this thread it's EOD.

[Eli the Bearded]

In comp.mobile.android, R.Wieser <add...@not.available> wrote:

> But *WHY* is it nonsense ? I don't think you will disagree with me when I
> say that both are numbers. So *what makes the one number some much more
> special than the other one* ?

One identifies a person, the other identifies a piece of equipment in a
particular spot.

> I'm sorry ? You just told me that you would have no problem with giving us
> 20+ of the SSIDs in your neighbourhood, including your own, but directly
> after that tell us that you won't do such a thing ? I'm confused ...

I said, if I let you into my house, I'll tell you which is mine and how
to use it. At the point you are in my house, there is no need to keep
secret the location of my house.

> Also, that latter "I'm not going to post mine" has a reason. What is it ?

Think about the consequences of "I'm willing to tell everyone here what
city I live in, but not my exact location." I don't think SSID can be
used to get my exact address, but it can be used to reduce the
candidate addresses considerably.

> Is it maybe that such an SSID can be easily used to figure out
> who you are ?

It can certainly be used to figure out where I am.

> If not by the company which have stuffed milions of them in a database
> (and keeps updating them), but also have access to quite a bit more of
> your personal data thru other means ?

I'm not going to stop Apple / Google / Facebook / et al. from collecting
data on me. The best I can do is make that data as hard to use as
possible.

I wrote:
>> SSNs are "PII": personally identifiable information.
>> SSIDs are just "personal data".
>> https://techgdpr.com/blog/difference-between-pii-and-personal-data/
> I'm sorry, but could you point out where in that document you found either
> of the above (preferrably both) definitions, as I can't seem to find them

Look at the helpful table about one third of the way down. The blue
rectangle is all "Personal data". Inside it is divided into "Personally
Identifiable Information (PII)" which includes examples like

Name
Home Address
Personal identification number

And "Not PII but Personal Data under GDPR" which includes examples:

Device ID
IP addresses

> Besides the point that, as you have already made clear yourself, the
> distinguishing of them that way is razor-thin, I also disagree with your
> classification there - simply because you left stuff out.

I do recognize the device ID part is very thin, but device ID gets you
_an_ address without knowing for whom it is a _home address_.

> You see, a SSN is worthless if you do not have access to the
> (gouvermental) DB containing your associated PII. And as most
> common citizens do not have that access ... And thats besides the
> simple fact you can easily hide your a SSN, just by putting something,
> anything over it. Which you, as you've already made clear, have the
> full intention of doing so.

I think you are overly confident about what stuff is available outside
of governmental databases.

> And SSID on the other hand is something your phone sends out all the time

The device probes for all networks it knows how to join and only when
not on a network (and, of course, when wifi is enabled). That's subtly
different: _an_ address without knowing if it is a _home address_.

> Pretty-much the same happens when you have
> (Low Energy) BlueTooth enabled by the way.

I do not have Bluetooth enabled. But IMSI catchers work on a similar
principle to track cellular devices.

> And as most phones nowerdays are /very/ personal (protected by biometric
> passwords and what not) that SSID might as well be burned onto your
> forehead. And yes, thats a reference to"the number of the beast".

I don't use "biometric" anywhere. Nor do I think your leap is well
founded even if I did.

>> There are three people regularlly using my wifi network, and six
>> or so others using it sporatically. That means my wifi network will
>> not identify any particular person,
> No, you have *chosen* not to identify them. Thats something quite
> different.

Nine people with n => 9 devices that use that network. Finding one of
them does not makt it a particular person. It just narrows the field a
lot.

My car's license plate "broadcasts" its id every where I go, too. But
there are two regular drivers, so who it is can't be certain.

Elijah
------
broadcasts biometrics like height and gait just by walking down the street

[nospam]

In article <eli$21051...@qaz.wtf>, Eli the Bearded

<*@eli.users.panix.com> wrote:

> > Is it maybe that such an SSID can be easily used to figure out
> > who you are ?
>
> It can certainly be used to figure out where I am.

an ssid by itself can't unless it's very unique or contains some key
identifying information, such as full name or street address.

if it's 'linksys' or some other generic default name, then it's going
to be impossible to narrow it down without additional information.

>
> My car's license plate "broadcasts" its id every where I go, too. But
> there are two regular drivers, so who it is can't be certain.

that's why photo radar and red light cameras also take a photo of the
driver.

[paul]

nospam wrote on 17.05.2021 21:14

> an ssid by itself can't unless it's very unique or contains some key
> identifying information, such as full name or street address.

It's hard to tell if you understand the differences between an SSID and the
BSSID being associated with your accurate location on a public database.

Given you probably do not understand that the SSID can often be found in
butterfly hash tables, it bears repeating that your AP SSID is best kept out
of the rainbow tables commonly available on the Internet.
https://www.ethicalhackx.com/wpa-psk-rainbow-tables-download/
https://en.wikipedia.org/wiki/Rainbow_table
https://www.futurelearn.com/info/courses/identity-and-access-management-part-2/0/steps/192492
https://project-rainbowcrack.com/table.htm
https://www.ethicalhacker.net/columns/gates/tutorial-rainbow-tables-and-rainbowcrack/
https://www.geeksforgeeks.org/understanding-rainbow-table-attack/
https://sandilands.info/sgordon/passwords-hashes-and-rainbow-tables
https://freerainbowtables.com/
https://project-rainbowcrack.com/
https://crackstation.net/
etc.

In addition to your apparent lack of knowledge about SSIDs, you also appear
to lack basic knowledge that the AP broadcast BSSID is (essentially) unique.

As are your GPS coordinates associated with your home AP SSID/BSSID pair.

Until you demonstrate basic knowledge your opinions are nearly worthless.

[nospam]

In article <s80n06$13qv$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

>
> > an ssid by itself can't unless it's very unique or contains some key
> > identifying information, such as full name or street address.
>
> It's hard to tell if you understand the differences between an SSID and the
> BSSID being associated with your accurate location on a public database.
>
> Given you probably do not understand that the SSID can often be found in
> butterfly hash tables, it bears repeating that your AP SSID is best kept out
> of the rainbow tables commonly available on the Internet.

as usual, you snipped to alter context.

the issue is how easy it is to identify the location and/or owner of a
particular wifi network or those who use it.

rainbow tables do not do that.

knowing the ssid does not do that either unless it contains the
person's full name or address.

there are a lot of ssids named 'linksys'. where are they? who owns them?



>
> Until I demonstrate basic knowledge, my opinions are nearly worthless.

ftfy

[paul]

nospam wrote on 16.05.2021 23:29

>> The location of home router Wi-Fi access points we are talking about here is
>> your own home which is _easily_ tied to a database of who you are. Period.
>
> no it can't.

You continue to demonstrate not only your complete lack of basic knowledge
but you are mistakenly supremely confident in that complete ignorance of how
public tax records work in the United States.

Period.

Where I live any property can be looked up in public tax records available
on the net simply by going to the tax assessor's office (or tax collector)
web site.

Period.

*That property is directly associated with the owner's name, namely me.*

That you are apparently completely unaware of these basics means, in effect,
that your opinion is based on pure ignorance of the facts - and hence - your
opinion is likely nearly worthless (as a direct result of your ignorance).

Period.

>> The BSSID === you. Period.
>
> nope. it identifies the wifi access point, which is an inanimate object.

You appear to be ignorant that tax records for your home identify the owner.
In my case (and in many other cases) that owner is exactly one person - me.

> there is no registration of wifi access points, so there's no way to
> know who owns it, who has connected to it in the past or who will
> connect to it in the future.

What's shocking is you don't realize the GPS coordinates are of your home.
And that your home can easily be looked up in public tax records on the net.

The only thing not shocking is your supreme confidence of your ignorance.

As a result your opinion is nearly worthless unless you begin to demonstrate
at least a basic knowledge of how easily your name is uniquely associated
with the location of your home which itself is uniquely associated with the
SSID/BSSID/GPS/Db information many phones automatically upload, by default,
to public servers if/when you choose to broadcast your home router AP SSID.

[paul]

nospam wrote on 18.05.2021 18:00

> as usual, you snipped to alter context.

You and Alan Baker are the type of people who complain about "snipping".

As Rudy already explained to people like you who complain about snipping -
it's only your lack of adult comprehensive skills which causes you to
constantly lose your train of thought in any public adult conversation.

In other words, if you complain of snipping in what amounts to a well
documented public conversation - then you lack even the most basic of
adult communication skills and hence your opinion is (almost) worthless.

> the issue is how easy it is to identify the location and/or owner of a

> particular wifi network or those who use it. \

It's trivially easy in my case.

(1) If broadcasted, the SSID/BSSID/GPS/DB is uploaded to public databases.
(2) That GPS location is uniquely tied to me in public tax records online.

That you don't appear to know this extremely basic and very public
information is worrisome as it makes your opinions (almost) worthless.

> rainbow tables do not do that.

That you don't appear to understand choosing a common home AP SSID virtually
guarantees it will be found in the public databases is also worrisome as it
also makes your opinions (nearly) worthless as a result of your ignorance.

> knowing the ssid does not do that either unless it contains the
> person's full name or address.

Again that you appear to be unable to connect the dots between your unique
SSID/BSSID/GPS/DB dataset being online and public tax records is worrisome.

Your lack of basic knowledge indicates your opinion is (nearly) worthless.

> there are a lot of ssids named 'linksys'. where are they? who owns them?

Again, your demonstrated lack of basic knowledge is worrisome because you
don't appear to comprehend that the GPS location associated with that
"linksys" SSID is uniquely tied in very many cases directly to you in public
tax records easily found on the Internet (by law, they're public records!).

What's shocking is your ignorance doesn't seem to affect your confidence.

>> Until I demonstrate basic knowledge, my opinions are nearly worthless.
>
> ftfy

You always turn into an instant child whenever you're confronted with facts.

[paul]

Piet wrote on 15.05.2021 11:14

> The Old Days comprise Android 6/7 too, at least on my S6.

Frank brought up an excellent observation that the "teardrop" quick settings
tile for "Location" apparently does not (currently?) mean GPS is toggled.

Up until Frank mentioned that astute observation, I had always just figured
the swipe-down-from-the-top teardrop tile toggled the GPS radio on and off.

It had not occurred to me otherwise - but when I looked up Frank's
supposition, I found the answers in the public record to be confusingly
missing a more clear answer to what exactly toggles the GPS radio on & off.

If anyone has a clearer answer to what actually toggles the GPS radio, it
would be of interest to many of us.

Frank's supposition is that only an app can toggle the GPS radio on & off.
That may very well be true.

I didn't find a good comprehensive answer to _what_ toggles the GPS radio.

Does anyone here have better information as to what toggles the GPS radio?

[nospam]

In article <s80qma$11ku$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

>
> >> The location of home router Wi-Fi access points we are talking about here is
> >> your own home which is _easily_ tied to a database of who you are. Period.
> >
> > no it can't.
>

> I continue to demonstrate not only my complete lack of basic knowledge
> and complete ignorance of how

> public tax records work in the United States.

ftfy

what you call public tax records are not conveyed or indexed by an
ssid, they are not easily obtained (although not impossible) and do not
identify the occupant(s), with rental properties and businesses being
the two most obvious examples.

[nospam]

In article <s80sf1$1shr$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> (1) If broadcasted, the SSID/BSSID/GPS/DB is uploaded to public databases.

who cares. there's very little someone can do with that information.

> (2) That GPS location is uniquely tied to me in public tax records online.

public records identifies the owner of the property (not the occupants)
and not part of an ssid broadcast.

in the case of businesses and many rental properties, the property
owner is not an individual.

if someone wants to look up your property records, they can do so
without knowing your ssid. all they need is a street address, and in
some cases, money.

if you want to keep yourself out of databases, you're doing it wrong.

> >> Until I demonstrate basic knowledge, my opinions are nearly worthless.
> >
> > ftfy
>

> I always turn into an instant child whenever I'm confronted with facts.

ftfy

[Alan Baker]

On 2021-05-18 8:37 a.m., paul wrote:
> nospam wrote on 17.05.2021 21:14
>
>> an ssid by itself can't unless it's very unique or contains some key
>> identifying information, such as full name or street address.
>
> It's hard to tell if you understand the differences between an SSID and the
> BSSID being associated with your accurate location on a public database.

It isn't that accurate.

[paul]

Joerg Lorenz wrote on 14.05.2021 16:41

> You are spreading fake news.
> You are a Troll.

It's typical this Joerg Lorenz troll has never added value to any topic.
Meanwhile here's a PROGRESS UPDATE on a global solution to the problem set.

Given I'm here not only to solve all the problems but also to leverage those
solutions so that other people can also solve all the problems, here's a
quick update.

I've been testing a few different solutions for a few days.
Most of them work so now it's down to the task of honing those solutions.
https://play.google.com/store/apps/details?id=com.farproc.wifi.statIc
https://play.google.com/store/apps/details?id=com.my.wifiswitch
https://play.google.com/store/apps/details?id=de.j4velin.wifiAutoOff

Some require GPS turned on, others only require a cellular tower, while
still others don't seem to require anything other than default Android.
https://security.stackexchange.com/questions/62124/phones-broadcast-the-ssids-of-all-networks-they-have-ever-connected-to-how-can
https://android.stackexchange.com/questions/66244/wifi-scanning-for-known-networks-that-dont-broadcast-their-ssid?rq=1

For example, the simplest native solution seems to be to set "auto reconnect
turned off" which I think was what Frank had suggested (as I recall anyway).

When you're in range of your AP hidden SSID you tap "Connect to network".
When the phone goes out of range of that hidden SSID it stops trying.

*That's a supremely _simple solution_ which /seems/ to be effective.*

However, I'm installing non-root network pcap tcpdump sniffers to
doublecheck for any undesired requests of the hidden SSID from the phone.
https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture
https://play.google.com/store/apps/details?id=com.evbadroid.wicapdemo
--
I'm having trouble locating this app in a canonical sourceforge package
https://www.apkmonk.com/app/jp.sourceforge.soopy.hidden.ssid.enabler/

[paul]

nospam wrote on 18.05.2021 20:02

>> and complete ignorance of how
>> public tax records work in the United States.
>
> ftfy

This is how it's easy to tell you have utterly no adult education nospam.
You have no adult tools to respond to facts you simply are ignorant of.

I don't claim to be a genius but when I talk to you I cry out for mankind.
Nobody should be as ignorant as you, Joerg, Baker, Speed, Lewis, JR, are.

And yet all of you prove to be shockingly ignorant of the simplest things.

> what you call public tax records are not conveyed or indexed by an
> ssid, they are not easily obtained (although not impossible) and do not
> identify the occupant(s), with rental properties and businesses being
> the two most obvious examples.

This shows your complete ignorance as anyone with _any_ intelligence knows
these public tax records are available with a simple address look up.

It's shocking people as ignorant as you always prove to be exist.
You are supremely confident and yet you prove to be shockingly ignorant.

Worse you have no intent to ever add value to any conversation on Usenet.
Meanwhile I've solved the problem (two ways) which I'll report separately.
--
Note you said the problem can't be solved which proves again your ignorance.

[paul]

*SOLVED*

I don't think I've ever had an Android problem that we didn't solve.
This is no different. Together we solve every problem we ask about.

For years we've been solving every problem we ask about here.

Since I'm a good person I always leverage the solution for others' benefit.
The solution I'm currently using turns out to be amazingly simple.

(1) On my home router I turn off SSID broadcast beacons.
(2) On my Samsung (Android 11) I set Wi-Fi to "Auto reconnect = off"

That's it.
(a) When I leave home the Wi-Fi Internet connection automatically drops
(b) When I arrive back I tap on the Wi-Fi connection to reconnect

It's really that simple.
(A) AFAIK, this prevents the SSID/BSSID/GPS/DB from being uploaded
by phones which are simply badly setup using likely default settings)
(B) And AFAIK, this prevents the phone from asking for it away from home.

i. Please check if you have the same settings on your phone
ii. Please let us know if you have the _same_ settings on your phone
iii. Note this solution works _without_ GPS or cellular being involved!

Note anyone whose intended purpose is to sniff your BSSID _will_ obtain it
at the vicinity of your home (but not from the phone when away from home).

For those who may not have these "Auto reconnect" settings, there are other
methods which also worked but which make use of cellular geofencing, e.g.,
https://github.com/SecUSo/privacy-friendly-wifi-manager
https://play.google.com/store/apps/details?id=org.secuso.privacyfriendlywifimanager
https://f-droid.org/en/packages/org.secuso.privacyfriendlywifimanager/

Note: I assume cellular geofencing is (far) more private than GPS geofencing
(for the obvious reasons) - but if you know more about this - let us know.

If you need me to test that solution for you just let me know.
--
Highly intelligent people like I am are completely different from ignorant
morons like nospam & Joerg Lorenz who aren't helpful because they can't be.

[nospam]

In article <s84f34$oja$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
wrote:

> (1) On my home router I turn off SSID broadcast beacons.
> (2) On my Samsung (Android 11) I set Wi-Fi to "Auto reconnect = off"

...

> (A) AFAIK, this prevents the SSID/BSSID/GPS/DB from being uploaded
> by phones which are simply badly setup using likely default settings)

no it doesn't, as you've repeatedly been told.

> (B) And AFAIK, this prevents the phone from asking for it away from home.

did you check or are you wishcasting?

[paul]

nospam wrote on 20.05.2021 08:33

>> (A) AFAIK, this prevents the SSID/BSSID/GPS/DB from being uploaded
>> by phones which are simply badly setup using likely default settings)
>
> no it doesn't, as you've repeatedly been told.

Look nospam, stop wasting everyone's time with your childish bullshit.
You know absolutely nothing and worse you have no purposeful intentions.

>> (B) And AFAIK, this prevents the phone from asking for it away from home.
>
> did you check or are you wishcasting?

Getting back to the solution instead of your worthless childish taunts...

Bearing in mind we almost never fail to do whatever we want to do,
I have added another simple step to the solution that others can test.

(1) At home I turn off AP SSID broadcast beacons which prevents
badly configured Android phones from uploading the SSID/BSSID/GPS/DB
by default (whether or not the SSID has the "_nomap" postfix).

(2) On my Samsung (Android 11) I set Wi-Fi to "Auto reconnect = off"

(this turns out to work surprisingly well in practice!)

In addition, today I started testing this third related switch:
(3) On the phone set "Switch to mobile data = on" which says
"Switch between Wi-Fi and mobile data automatically based on
your usage patterns and the connection quality of the current
network."

Which allows for...
"Network exceptions: Your phone will remain connected to these
networks, even if the connection is unstable"
(optional list of network exceptions)

I'm testing that third refinement setting which also has an option
"Allow individual apps to switch: Get notifications to switch apps to
mobile data when they can't connect using the current Wi-Fi network."
"Apps selected below will switch to mobile data if they're blocked
or if there's a connection problem on the current Wi-Fi network."
"Allow individual apps to switch"
(optional list of app exceptions)

As always, this solution is posted to be purposefully helpful to everyone
and as such it would be nice if others can test it out and report back
their findings. There are other options I'm also testing (such as
cellular tower geofencing) but at this time we can consider this problem
set solved.

Note this is the ONLY place on the Internet that I know of which even
knows about the intricacies we've discussed here so this is a useful
record for the future as it covers solutions never before proposed.

[Brian Gregory]

On 12/05/2021 05:40, paul wrote:
> kelown wrote on 12.05.2021 03:05
>
>>> Spoofing "some" MAC addresses is indeed trivial but spoofing the one AP
>>> broadcast BSSID that is clearly the main subject of this thread is decidedly
>>> not even close to trivial on most of our typical common home routers.
>>
>> The Kali Linux penetration tester will instantly display all nearby
>> SSIDs whether they're hidden or not.
>
> Let's not lose sight of what the goal is - which is to NOT have Google,
> Kismet, Wigle, Mozilla (etc) servers on the net get our home AP BSSIDs.
>
> The problem is how best to do that - where one method is to hide broadcast.

Then that's it. Problem solved.


> Keep in mind even if you add "_nomap" to your AP broadcast SSID your unique
> BSSID information is _still_ uploaded to those public servers by most phones
> because the phones can still easily "see" the broadcast BSSID information.
>
> However when you turn off the AP broadcast then it's my understanding most
> phones will not automatically upload your AP unique BSSID & GPS location to
> these public servers.
>
> That solves one problem but in reality it morphs to another problem which is
> that your phone is constantly broadcasting all the access points in its
> history. On Android (but not on iOS) you can clear this history on a case by
> case basis but then you have to set up the connection anew each time you
> wish to reconnect.

But you just said you're assuming Google is only looking for access
points in the normal way and not, for instance, seeing the BSSIDs of
hidden SSIDs. If so Google be looking for clients pinging their list of
known access points? That wouldn't tell them anything about where the
access point is anyway, just where that client is.

--
Brian Gregory (in England).

[Brian Gregory]

On 13/05/2021 21:08, nospam wrote:
> In article <s7jenp$1fjp$1...@gioia.aioe.org>, paul <nos...@nospam.invalid>
> wrote:
>
>>
>>> what *does* stop people from accessing a network is using a complex
>>> passphrase that isn't in any of the password dictionaries.
>>
>> In case people are trying to learn something from what nospam says he needs
>> to add that the SSID should _also_ not be something that is common either.
>
> a unique ssid doesn't make much of a difference.
>

Because, presumably, if you can't have a unique SSID you can just add
some more random characters to the pass phrase and achieve the same effect.

[paul]

Brian Gregory wrote on 21.05.2021 02:45

>> The problem is how best to do that - where one method is to hide broadcast.
>
> Then that's it. Problem solved.

I'm not sure why you said that but if you think that one step of disabling
the AP broadcast beacon solves the problem then the problem is too complex
for you to understand.

I suggest you read the thread articles and learn the technical details
because you won't be able to help anyone (least of all yourself) if you
don't understand that the issues are on the Android phone - not the router.

> But you just said you're assuming Google is only looking for access
> points in the normal way and not, for instance, seeing the BSSIDs of
> hidden SSIDs.

As I said above, you have to understand how Android works to understand the
problem set, which means you can't add any value if you haven't read the
thread.

Given you haven't read the thread, I'm going to charitably assume you're not
trolling us, which, if that's the case, then you simply don't yet know how
Android phones work when they connect to hidden SSIDs.

And that's OK.
You just need to learn more about how Android works, that's all.

Rather than repeat the problem set for you here, I simply refer you to the
opening post which described the problem set for you in sufficient detail.

> If so Google be looking for clients pinging their list of
> known access points? That wouldn't tell them anything about where the
> access point is anyway, just where that client is.

Given you don't know how Android works it probably isn't going to be
productive to correct the misconceptions in those two sentences.

My suggestion is you read the opening post which explains the problem set.
Then read the solution post, which explains the current generic solution.