Hacker News new | ask | show | jobs
by throwmenow_0140 3119 days ago
I think it's not a good idea to change your mac address as your only precaution against tracking. The DNS requests you'll make will reveal which sites you frequent.

I would advise to use a VPN connection. In this case it doesn't matter that you've randomized your mac address in a way which can be clearly identified as random. And even then you can see the VPN server IP in the logs so you should also make precautions and buy your VPN connection anonymously (and even then - you'll never know if you're really anonymous).

Changing your mac address seems to be sufficient (in addition to the VPN usage) to prevent easy tracking through something unique like your real mac address. But I agree that this is just 1-3 lines of code for realistic mac address generation so it should be unproblematic to add.

Edit: If you have fears of being uncovered by random-looking mac addresses without vendor prefixes, changing your mac address will probably not help you. Your threat model is different - maybe APT-level - and you have to do way more than changing your mac address.
2 comments
tinus_hn 3119 days ago
Your adversary probably isn’t the NSA, it’s commercial tracking services. Their business is tracking the general public, they don’t care about one weird person.

Unless avoiding this becomes common practice and then the whole story changes.

link
throwmenow_0140 3118 days ago
Yes, this is also my reasoning.

> Unless avoiding this becomes common practice and then the whole story changes

If that means that everyone starts to use random mac addresses, you still can't identify specific persons based on their randomized mac addresses when they change them every time they reconnect.

link
tinus_hn 3118 days ago
No but it would make more sense to start tracking then based on their other behavior.
link
Tharkun 3119 days ago
If you're paranoid enough to be spoofing your MAC address, surely you're paranoid enough not to rely on shady DNS servers?
link
throwmenow_0140 3118 days ago
You can spoof DNS requests of a victim when you are in the same network as them (the router knows which sites you visit through those DNS requests anyway). It doesn't matter which DNS server the victim uses. As long as they don't use encrypted DNS they expose the websites they visit.

Takes 5 minutes to configure your OpenWRT router to log all DNS requests: https://superuser.com/questions/632898/how-to-log-all-dns-re... Or if you are an attacker without control over that router: search for dns spoofing. I did this several times to demonstrate companies that their public networks can be hijacked.

link