On Sat, 25 Sep 2010 17:04:14 -0700 Mike Perry <mikeperry@xxxxxxxxxx> wrote: > Thus spake coderman (coderman@xxxxxxxxx): > > > however, if an attacker has access to read this locally they've > > already compromised you to a degree that random mac affords no > > protection... > > Is this really true? If you are running a hidden service, on a computer with no network access except through Tor, no -- you might not be hosed just by an attacker being able to run a shell command, but leaking an actual MAC address from an actual NIC might get you tracked down. (An attacker with shell access can read your MAC address on Linux just by running ifconfig, even as an ordinary user.) > One of the things I've wondered about here is > plugins, but since Torbutton disables them for other reasons I haven't > really looked into it. For insance, I know Java can create a socket, > and query the interface properties of that socket to get the interface > IP. Why not mac address? And if not java, can one of flash, > silverlight, pdf-javascript, or others do this? Already we have > location features built in to the browser based on nearby Wifi MACs... > > The Java trick to get the interface IP does not require special privs, > so a randomized MAC would in fact help this scenario, if it were > somehow possible. I don't know whether browser plugins can be used to read a MAC address, but if *they* can run a shell command like ifconfig, yes, you are in real trouble. Robert Ransom
Attachment:
signature.asc
Description: PGP signature