user-inactivated  ·  2016 days ago  ·  link  ·    ·  parent  ·  post: Tin-Can is working and we are testing it.

can wifi be used normally while running tincan, or does it switch the wlan device into ad-hoc mode and completely block other connections?

could a malicious client grab your mac address or something identifiable?

insomniasexx  ·  2016 days ago  ·  link  ·  

I don't really understand this but this is the answer I got from the dev (copy and pasted from text)

Just answer master tin-can will be switched to adhoc and the slave tincan will connect to that. Adhoc APN changes every time and has a unique password for security reasons. Only tincan can connect to this network; if anyone installs a packet sniffer on their phone and becomes the master they can get the MAC address of clients, but that's normal and that's how networks work. Getting the MAC address of another person doesn't create any immediate threats.

user-inactivated  ·  2016 days ago  ·  link  ·  

for the use-case that TinCan is intended for, it would be prudent to consider mac sniffing a threat. if a state-level adversary can collect your mac addr, they could track you in a way similar to what grocery stores do already, noting your presence or absence at subsequent events, or even spot you somewhere else.

we know that police already set up wifi sniffers at protests, and there's no reason to expect that practice to decrease, so you should probably have TinCan spoof a random mac addr on boot if not every time a new master is chosen.
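
The randomization suggested in the comment above, as an added example that is not part of the original thread or TinCan's code: it generates a random unicast, locally administered MAC and shows, on constructed sightings, that only a fixed hardware address links a device across two events. The function names, event names and addresses are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

def random_local_mac() -> str:
    """Return a random unicast, locally administered MAC address."""
    octets = bytearray(secrets.token_bytes(6))
    # First octet: set bit 1 (locally administered), clear bit 0 (unicast).
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)

def parse_mac(mac: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into 6 raw bytes."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def is_locally_administered(mac: str) -> bool:
    """True if the address is not a vendor-assigned (burned-in) one."""
    return bool(parse_mac(mac)[0] & 0x02)

def is_unicast(mac: str) -> bool:
    return not parse_mac(mac)[0] & 0x01

def repeat_sightings(events: dict) -> dict:
    """Map each MAC seen at more than one event to the sorted event names.
    This is the linkage a fixed address exposes to anyone logging frames."""
    seen = defaultdict(set)
    for name, macs in events.items():
        for mac in macs:
            seen[mac.lower()].add(name)
    return {m: sorted(e) for m, e in seen.items() if len(e) > 1}

# Constructed sample data. 00:00:5e:00:53:xx is the documentation range
# (RFC 7042), standing in for a phone that keeps its hardware address.
SAMPLE_EVENTS = {
    "event_a": {"00:00:5e:00:53:01", "02:1a:2b:3c:4d:5e"},
    "event_b": {"00:00:5e:00:53:01", "06:9f:8e:7d:6c:5b"},
}

if __name__ == "__main__":
    print("fresh address:", random_local_mac())
    # Only the fixed address appears twice; the device that changed its
    # address between events (02:... then 06:...) is not linked.
    print("linkable:", repeat_sightings(SAMPLE_EVENTS))
```
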

mk  ·  2016 days ago  ·  link  ·  

AFAIK there is no way to determine if you are the originator or propagator unless someone physically has your phone, and your username remains. I'll verify this and get back. Thus, your address should only be linked to TC propagation but not a specific username.

Btw it's a use case, but not the only one. :)

insomniasexx  ·  2016 days ago  ·  link  ·  

This is correct. The phones store and push all messages on the phone. The message is the username, time code, and the message. There is no way to tell which message came from which phone.

mk  ·  2016 days ago  ·  link  ·  

I think if you have a sensitive account, the best measure is to broadcast messages in private to carrier phones. A username can be overwritten at any time, but wifi is always a point of vulnerability. The username is generated in a manner not linked to the phone.