Comments:"Errata Security: I conceal my identity the same way Aaron was indicted for"
URL:http://erratasec.blogspot.com/2013/01/i-conceal-my-identity-same-way-aaron.html
To understand what I do, look at the screenshot below, and how evidence of my misbehavior shows up in my home router DHCP table:
The first thing you'll notice is that I have a lot of MacBooks belonging to Martin. Actually, there is only one, but it randomizes its MAC address when it boots. Thus, every time I start it, it adds yet another entry in the DHCP table, appearing as another computer.
And my name isn't "Martin". That's a name I made up.
Notice the MAC address of the cell phone labeled "HTC One X". If you lookup the first three bytes, you'll find that it's not an HTC device but an Apple device. It's my iPhone 5. (Sadly, I don't know how to spoof the MAC address of my iPhone).
On my last flight accross the country, I signed up with GoGo Inflight. I used a fake name, a fake email account (at mailinator.com), and a prepaid anonymous Visa card. My intent wasn't to defraud them -- I already know how to get GoGo Inflight for free using several techniques, such as spoofing the MAC address of another passenger. Because I'm an honest law abiding citizen, I paid for the WiFi -- I just did so while remaining anonymous.
Remember the Stratfor hack from last year? One of the 800,000 accounts dumped on the Internet belongs to me. Only, you don't know it belongs to me because I didn't give my real name or my primary (well known) email address. I have a special email address reserved for accounts just like Stratfor. I also have a separate email account that I solely use for e-commerce, with a name unrelated to my real name, that I use for Amazon, PayPal, and so forth. I rarely give out my "real" email address.
Why do I do all this? That's none of your business! I mean, all this has perfectly rational explanations in terms of cybersecurity, privacy, and anti-spam. You can probably guess most of the reasons. But explaining myself defeats the purpose. I shouldn't have to explain myself to you, to prosecutors, or to a jury. I have a human right to privacy, and guarding that right should not be cause for prosecution.
That's what's scary about the Aaron Swartz indictment. He was indicted for wire-fraud for concealing his "true identity", for doing what I do. But at no time was he asked for his true identity. His true identity was not needed to access the JSTOR documents. JSTOR allowed anybody from the MIT network to access their documents, and MIT allowed anybody to access their network without requiring identity.
Let me repeat that: nobody asked Aaron for his true identity, but he was indicted for wirefraud for concealing his true identity. He was indicted for doing the same things I do every day.
It's around this time that people bring up how Aaron used MAC spoofing to get around blocks put in place by MIT. These people don't understand MAC addresses. MAC addresses are not a machine's true identity. They aren't a means of security or authorization. When somebody blocks your MAC address, it doesn't send the message "you are unauthorized", it's not clear precisely what message it sends. It's like saying if somebody blocks your phone number, then it's wirefraud calling from a different phone. Your phone number is not your true identity, and neither is your MAC address.
MIT's own WiFi access-points spoof MAC addresses. For example, if you netstumble the MIT campus you'll find two access-points with the MAC addresses "00:21:d8:49:98:61" and "00:21:d8:49:98:62". These are actually the same access-point which is spoofing MAC addresses in order to appear as multiple networks ("MIT" and "MIT GUEST"). When Aaron spoofs, it's wire-fraud. When MIT spoofs, it's normal network operation.
Besides taking the "civil liberty" angle, I'm trying to get to the "witchcraft" angle. As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch". People fear magic they don't understand, and distrust those who wield that magic. Things that seem reasonable to technical geeks seem illegal to the non-technical. The non-technical think they understand MAC addresses and address blocking, but they don't. Thus, Aaron's indictment might seem a fair interpretation of the law, but it's a wholly unfair interpretation of technology.
So, anyway, at the bottom of this post is the magic incantation you need to cast over your MacBook in order to randomize your MAC address. I recommend against you using it, though, because this may cause a bunch of villagers to come after you with torches and pitchforks.
Magic Incantation
On Mac OS X, you simply type the command "ifconfig en0 ether 00:11:22:33:44:55" to change the MAC address (until the computer reboots). To get it to change (from the burned in address) on every reboot, you need to put that command in a startup script, under the directory "/Library/StartupItems". It's actually a complicated process.
Somebody has made it easier at the URL https://github.com/feross/SpoofMAC. This uses a Python script to make things a little bit more robust than just running ifconfig, and it has a complete explanation on how to create the script.
I don't like his solution, so I changed the startup script to look like the following:
Update: As usual, other people say things better than I can. In this piece Marcia Hoffman says about MAC address authorization: “That’s not a lock. That’s a speedbump. If you drive around a speedbump instead of over it, is that illegal?”