VPN in Mexico

Why? A hardware address is only useful to the first routing device; then your home router is going to replace your spoofed MAC address with its real one on the next segment...
Suppose you downloaded or streamed something illegal in your country, and then the request is traced back to your router (which is possible even using the TOR network), there would be no way to prove that it was actually your computer that made the request.

Edit: you could say "someone guessed my WiFi password and used it to stream that". It's all about plausible deniability.
 
Thanks, I had pretty well decided that NordVPN was the better of the two but wanted to assure that there was not something about using it in Mexico that would make PrivateVPN more desirable.

I appreciate your reply.
 
Suppose you downloaded or streamed something illegal in your country, and then the request is traced back to your router (which is possible even using the TOR network), there would be no way to prove that it was actually your computer that made the request.

Edit: you could say "someone guessed my WiFi password and used it to stream that". It's all about plausible deniability.
sooooo...
you have to think about the way in which TCP/IP switching works.

your computer wants to make a request to 8.8.8.8; it'll look at its routing table and see that it needs to go via 192.168.1.1, then it'll check the ARP cache, or ARP for that address, and then send a packet to the next hop. Your router will NAT the packet to its external address. The IP address stays with the packet (usually the non-RFC1918 NAT address of your router), but the MAC part of the envelope changes to the hardware address that is relevant in that network segment. The source address stays with the packet (or the NAT'd source address); the to/from hardware addresses (MACs) change with each transmission/retransmission.

(there is a really good CBT nugget with a guy named Jeremy that goes through this really well.)

MAC spoofing isn't useful outside of your network segment. WORSE, if you have a machine booting from a live CD, no persistent storage and a random MAC generated each time, it becomes impossible to have an additional layer of security provided by MAC filtering on your network stopping rogue clients... (yes, it is questionable how much benefit that is, but "more than not having it" is a useful answer there.)

Anyway, after your packet is NAT'd there is no address of the machine it came from with the packet.
The only history there is the NAT table on the device that does the translation, and that will time out and be lost eventually.

(that's why "my network was hacked" is a plausible defense.)
it's also why if you find yourself in a situation where you're in the sort of serious trouble where you're likely to rely on this your computer is also likely to be confiscated to look for information (cookies, cache etc.)

For MAC spoofing to be a really useful thing, you're looking at using public networks, where you have no idea what traffic logs they may keep, or you have no idea what listening devices there are!
(consider that the first three octets in the MAC are the vendor ID, the next three are device specific - there are 255 times LESS MAC addresses than there are IP addresses in IPv4) - though that is per vendor obviously!


TOR is pretty reliable "safe" transmission; those who claim that governments operate TOR nodes ARE (of course) correct.
The US Navy invented onion routing; they do run nodes!

but almost all cases of TOR users getting caught relate to sloppy habits (there is a DEF CON talk on how the guy from Silk Road got caught.)

in all cases it seems to come down to some sort of browser flaw that gives away location, doing everything (including Facebook) from TOR (when they see your criminal and named Facebook traffic coming from the same nodes etc., it doesn't take a genius to connect them), or being hyper-regular in the time and place that you go to (the Silk Road guy was in the same Starbucks at the same place each day!)

In some ways, that's why you are going to be "less" secure rather than "more" secure using Tails as a "daily" OS/Browser combination (assuming that you still want to do online banking/Facebook/other "named services" as well as dodgy porn browsing!)

Another way people are caught out often seems to be just not realizing the VPN service isn't running when you start browsing, not noticing the tunnel disconnects etc. and exposing your real IP for a bit.

I guess what I'm saying is,
Tails is good, but it's not exactly a one-size-fits-all solution.
when you load TOR browser there is (or used to be?) a link to an article that explains why using TOR for everything isn't great.
VPNs are becoming more and more popular, but you don't know what logs they keep, AND you have the consistent traffic problem: xyz illegal activity is always occurring when Xuser is connected... cops aren't dumb.
Also, VPNs are intrinsically slow in nature, because you essentially do some Xzibit-level stuff and put a full IP stack into an encrypted packet (and the OSI model dictates that encryption happens at the presentation layer; your VPN program is the application layer), AND then you start again (from level 3) with addresses etc. being pushed from the top into the VPN application at layer 7! (so you end up with a regular TCP/IP stack with a TCP/IP stack inside it.)
TOR is an absolute pain in the arse to use securely AND browse modern websites, because they will use plugins like Java and Flash, all of which may report your real location.
 
Soooo... I'm not a big networking guy, so I missed most of the technical terms. Side question: doesn't the TCP/IP protocol suite use only 4 layers (application, transport, network and link)? I've heard of some proprietary protocols using 7.

Anyways, I agree with the last part. Tails does not hide the fact that you are using Tails or TOR, which is why using it all day is stupid AF, not to mention using the TOR network will give you about 15KBps download speeds, maybe a bit more.

Also there are some scary simple methods to find you. For example, by simply measuring the data coming out of the server and the data getting to your computer. TOR even warns you not to run the browser full screen because your resolution can be used to detect your computer.

By the way, if you are in a restrictive country, your ISP could be forced to provide gateways that log a lot without you even knowing, where MAC address spoofing could come in handy.

Network security isn't really the point here, so blocking and allowing different MAC addresses shouldn't be a concern or even be on your wishlist.

Kind of a disorganized post but I'm on the run.
 
So now I'm able to elaborate a bit more. I'm gonna skip the actual numbers, because I don't know them.

The information would go this way:

From the Application layer you produce it and encrypt it, then the Transport layer splits it into packets and hands it to the Network layer through port 443, which will send it to the AP (via the Link layer), then the AP would check the address and realize it's an external address and send it to the router. The router then checks with the DNS server (I'm not sure how TOR handles name resolution. Maybe it encrypts the traffic?), then sends it to the next computer acting as the hop. In the middle of your router and the first hop, the Network and Link layer would decide how to route each packet, until it gets to the hop. At this point the MAC address would change many times, even before reaching the hop. Then...

Then the hop puts together the information, decrypts one "layer" and repeats the process, without re-encrypting the information.

I am a bit confused now though, because I'm not really sure if spoofing is that important. Your gateway isn't logging everything each address is sending anyways, and your router's address is not spoofed, so it could still be traced to your home.

As you said, it's probably a lot more useful when you are on "public" networks, but it could still be useful in your own home, if it ever gets traced back to your router.
 
Soooo... I'm not a big networking guy, so I missed most of the technical terms. Side question: doesn't the TCP/IP protocol suite use only 4 layers (application, transport, network and link)? I've heard of some proprietary protocols using 7.

I'm going to say, sort of, the OSI model has the following layers
1, Physical - stuff like the cables and plugs you're using.
2, Data link - This is where the MAC address is used.
3, Network - This is where the IP address is used.
4, Transport - This is the transmission protocol layer (think UDP or TCP)
5, Session - This layer keeps track of the sessions between devices.
6, Presentation - This is where encryption happens, this is where the data really comes out of the stack; for example https traffic is decrypted here, HTML is presented here.
7, Application - the data from the previous layer is presented to the user...

you can't have layer 2 where devices talk to each other without layer 1 (the physical connection),
no layer 7 without 6, no 6 without 5 etc... each depends on the last...

so sort of... the transmission protocol is decided at layer 4, so, yes, by the time it gets there it is technically TCP/IP... but it is not useful at that point. You still want layer 5 to manage the session. At layer 4 you have your address and port, but there is no socket until layer 5, and no data until layer 6; whatever is putting the data in is at layer 7.


By the way, if you are in a restrictive country, your ISP could be forced to provide gateways that log a lot without you even knowing, where MAC address spoofing could come in handy.
I had not thought of that!

Whilst there are laws where I live that (I think) *should* prevent that,

most laws like that are based around "personal data". It's questionable whether a MAC address would be personal information, or covered under data protection laws; the same for the sites you visit.
 
So now I'm able to elaborate a bit more. I'm gonna skip the actual numbers, because I don't know them.

The information would go this way:

From the Application layer you produce it and encrypt it, then the Transport layer splits it into packets and hands it to the Network layer through port 443, which will send it to the AP (via the Link layer), then the AP would check the address and realize it's an external address and send it to the router. The router then checks with the DNS server (I'm not sure how TOR handles name resolution. Maybe it encrypts the traffic?), then sends it to the next computer acting as the hop. In the middle of your router and the first hop, the Network and Link layer would decide how to route each packet, until it gets to the hop. At this point the MAC address would change many times, even before reaching the hop. Then...

Then the hop puts together the information, decrypts one "layer" and repeats the process, without re-encrypting the information.

I am a bit confused now though, because I'm not really sure if spoofing is that important. Your gateway isn't logging everything each address is sending anyways, and your router's address is not spoofed, so it could still be traced to your home.

As you said, it's probably a lot more useful when you are on "public" networks, but it could still be useful in your own home, if it ever gets traced back to your router.

Access points work more like hubs or switches than routers; they aren't taking the packet in and looking at the address and making routing decisions based on the IP address. The WAP will make switching decisions based on the hardware address (or just blindly spit out any/everything).
hubs work at layer 1, the electrical layer; they just take everything in on one port and spit it out all the other ports.

switches work at layer 2, providing segmentation; the switching that they do is based on the MAC address - that's why they keep an ARP table, they know what physical device is connected to what port, so when a packet comes into interface 1, destined for device aa:bb:cc:dd:ee:ff, it's going to know where that device is (which port to spit the data out of) by checking the MAC address table.

Routers work at layer 3 to know where the next hops (gateway devices that you need to route through) are.


(This will unfortunately be really long.) - but I'll not mention VPN, TOR, or WAPs.

your application (web browser) (L7) generates data (GET /indx.html)
goes down the stack and is encrypted (L6)
and put into a socket to manage the connection (L5)
it then has a port number assigned, and transport protocol defined (L4)
then the source IP is defined (L3) and routing decisions are made...

next, your packet from your machine 192.168.1.3 needs to get to device 1.2.3.4 (server). Your routing table says that you cannot connect directly, but you have a default route that says all non-connected networks go via that address.

so now we know that we want to reach 1.2.3.4, but are going to send that to 192.168.1.1 (which will accept and forward the packet).

(down to layer 2)
So, your computer now wants to send a message to your router...
so it sends an ARP packet saying "who has 192.168.1.1, tell 11:11:11:11:11:11" your router replies, "tell 192.168.1.3, 22:22:22:22:22:22 has 192.168.1.1"

so now it sends the packet to that hardware address, 22:22:22:22:22:22, with a destination address of 1.2.3.4

and it sends that via a cable (layer 1) or a radio wave (also layer 1)

so now the router 192.168.1.1 receives the following "message"

to: 22:22:22:22:22:22
to: 1.2.3.4
from: 11:11:11:11:11:11
from: 192.168.1.3
data: xyz

the router says well I AM 22:22:22:22:22:22 but I am not 1.2.3.4 so I know to route this.

now the router applies NAT to the source address, changing it to 10.11.12.14 and attempts to forward to the destination, (all this stuff involves IP so happens at L3)

the router checks its route table, and it says, I have no direct connection to 1.2.3.4 so I need to forward to my default gateway (The ISP device) 10.11.12.14

so the same thing happens again. It will check its ARP cache to determine the interface to send out of. If it can't find it, it'll send an ARP packet saying

who has 10.11.12.14, tell 33:33:33:33:33:33 (the external interface hardware address)

the ISP will reply, tell 33:33:33:33:33:33 that 44:44:44:44:44:44 has 10.11.12.14.

And so on.

so by the time you get to the ISP (still nowhere near the destination) the hardware/MAC address has been dropped and replaced from the frame, because it is only useful for communication on the network segment.

repeat for fewer than 30 hops and the server receives a packet, doesn't ignore it because it is for its hardware address (L2), looks at the IP (L3) and knows it is for it, sees the protocol and port (L4) so attaches the socket (L5), which takes the data and decrypts it (L6) and then passes it to the server application (L7)

(which then sends the response back down through the stack, on the network to the gateway, NATs back to its external address, over the network to your router, which sees the response from the address, associates it with an entry in the NAT table, knows it is for your computer, sends to your IP based on the cached hardware address (MAC) associated with the IP, then your PC receives it, sees the port, passes to the open socket, un-encrypts it, passes it back to the application and you see...

"404 page not found" - all that work to realize that you spelled index wrong many paragraphs ago!


(for the sake of completeness, you might find that your home router doesn't ARP at all; instead it has a route statement that sends all traffic to a next hop via a specific interface rather than figuring out the interface to use via an ARPing process...)

Either way, hardware addresses are only useful in the network segment that you are on. - This means, if you are in your own home using a cable, then (short of some sort of literal wire tap!) MAC spoofing is not really useful.

if you are using wireless and transmitting your adapter's MAC address, and you're worried about the use of things like aircrack and promiscuous packet sniffing on air (from law people inside WiFi range), then a fake MAC may be useful. (but let's face it, if the police have you pinned down so much that they rent the next-door house just to sniff your WiFi traffic, they are probably just looking for the bits that neaten the charges. You're still pretty boned.)

If you're doing nefarious "stuff" in Starbucks or some other network you don't trust, or don't know who runs, it's definitely something you should consider.

If you plan to use time-restricted public WiFi that tracks devices via MAC address, it's definitely something you want to do...

If you want to mess about with planning officials who decided that a good way to track people is to track the network-detecting beacon MAC address sent by phones (to see if there are available networks), allowing them to anonymously track specified people through a city, it's definitely something that you should do.
(and anyone using iPhones with iOS 8 or above, your phone will already spoof your MAC address whilst sending beacons to detect available networks, because they like messing with town planners too (and are privacy minded!))
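The hop-by-hop walk in the post above (and the earlier point that, once NAT'd, the only record tying a flow back to the inside machine is the router's NAT table, which eventually times out) as an added simulation. This is example code written for this page, not code from any poster or product. It uses the thread's illustrative addresses (192.168.1.3, 11:11:11:11:11:11, 22:22:22:22:22:22, 10.11.12.14, 33:33:33:33:33:33, 44:44:44:44:44:44, 1.2.3.4) and constructed placeholders where the thread gives none: 10.11.12.1 for the ISP gateway, 203.0.113.1/2 for the upstream link, the 55:/66: MACs, and the port numbers.

```python
# Added example: simulate one packet crossing three L2 segments. The MAC
# envelope is rebuilt on every segment, NAT at the home router rewrites the
# source IP/port, and only the router's NAT table (until it times out) can
# map the outside flow back to the inside host.
from dataclasses import dataclass, field

HOST_MAC = "11:11:11:11:11:11"
HOST_IP = "192.168.1.3"


@dataclass(frozen=True)
class Frame:
    """One L2 frame carrying one L3/L4 packet; the MAC fields are the envelope."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    payload: str


@dataclass
class Segment:
    """One broadcast domain; arp maps IP -> MAC, i.e. what ARP would resolve."""
    arp: dict


@dataclass
class Router:
    name: str
    inside_mac: str
    outside_mac: str
    outside_ip: str
    gateway_ip: str                                 # next hop on outside segment
    nat: bool = False
    nat_table: dict = field(default_factory=dict)   # ext_port -> (ip, port, t)
    next_port: int = 40000                          # constructed starting port

    def forward(self, frame: Frame, outside: Segment, now: float) -> Frame:
        # L2: accept only frames addressed to our inside MAC; L3: route because
        # dst_ip is not ours.
        if frame.dst_mac != self.inside_mac:
            raise ValueError(f"{self.name}: frame not for my MAC, dropped")
        src_ip, src_port = frame.src_ip, frame.src_port
        if self.nat:
            ext_port = self.next_port
            self.next_port += 1
            self.nat_table[ext_port] = (src_ip, src_port, now)
            src_ip, src_port = self.outside_ip, ext_port
        # New envelope: our outside MAC as source, ARP-resolved next-hop MAC as
        # destination. The inside host's MAC is not carried forward.
        return Frame(self.outside_mac, outside.arp[self.gateway_ip],
                     src_ip, frame.dst_ip, src_port, frame.payload)

    def expire(self, now: float, ttl: float) -> None:
        """Drop NAT entries older than ttl seconds (the timeout the post mentions)."""
        self.nat_table = {p: e for p, e in self.nat_table.items()
                          if now - e[2] < ttl}


def trace_back(router: Router, ext_ip: str, ext_port: int):
    """What the router's NAT table can still say about an outside flow, if anything."""
    if ext_ip != router.outside_ip or ext_port not in router.nat_table:
        return None
    ip, port, _ = router.nat_table[ext_port]
    return (ip, port)


def walk(now: float = 0.0):
    """Send one packet from the home host toward 1.2.3.4 across three segments."""
    home = Segment(arp={HOST_IP: HOST_MAC, "192.168.1.1": "22:22:22:22:22:22"})
    isp_link = Segment(arp={"10.11.12.14": "33:33:33:33:33:33",
                            "10.11.12.1": "44:44:44:44:44:44"})
    upstream = Segment(arp={"203.0.113.2": "55:55:55:55:55:55",
                            "203.0.113.1": "66:66:66:66:66:66"})
    home_router = Router("home", "22:22:22:22:22:22", "33:33:33:33:33:33",
                         "10.11.12.14", "10.11.12.1", nat=True)
    isp_router = Router("isp", "44:44:44:44:44:44", "55:55:55:55:55:55",
                        "203.0.113.2", "203.0.113.1")
    # L3: 1.2.3.4 is not on-link, so the default route says "via 192.168.1.1";
    # L2: ARP on the home segment gives the gateway's MAC.
    first = Frame(HOST_MAC, home.arp["192.168.1.1"], HOST_IP, "1.2.3.4",
                  51000, "GET /indx.html")
    second = home_router.forward(first, isp_link, now)
    third = isp_router.forward(second, upstream, now)
    return [first, second, third], home_router


def segments_showing(frames, mac: str):
    """Indexes of the segments on which a MAC appears anywhere in the envelope."""
    return [i for i, f in enumerate(frames) if mac in (f.src_mac, f.dst_mac)]


if __name__ == "__main__":
    frames, router = walk()
    for i, f in enumerate(frames):
        print(f"segment {i}: {f.src_mac} -> {f.dst_mac} | "
              f"{f.src_ip}:{f.src_port} -> {f.dst_ip}")
    print("host MAC visible on segments:", segments_showing(frames, HOST_MAC))
    print("NAT table lookup:", trace_back(router, "10.11.12.14", 40000))
    router.expire(now=600.0, ttl=300.0)
    print("after timeout:", trace_back(router, "10.11.12.14", 40000))
```

Running it prints one line per segment: the host's MAC appears only on segment 0, the source IP becomes 10.11.12.14 from the home router onward, and the NAT lookup that first returns (192.168.1.3, 51000) returns None once the entry has aged past the TTL. That is the whole of the "only history is the NAT table" point: a spoofed MAC changes nothing past the first hop, and the record that does exist lives on the router and is time-limited.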
 
Ohhh ok. The important thing I was missing is the role of MAC addresses and ARP.

Yeah, I guess MAC address spoofing isn't that useful when you are home, except in the rather unlikely situations we mentioned. It is nice to know that even if the authorities got all the way to your house and everything is logged, you can still claim to be innocent and maybe get away with it. Unless you are an actual criminal, but there is always a downside to everything.

I'm not sure how the law treats MAC addresses here, but I don't think my ISP gives a sh* about them. I was thinking some other countries, especially Eastern ones, which usually don't give a f* about "freedom". Maybe US ISPs also log it to try to stop criminal activities and such, like terrorism maybe (like terrorists will be using Facebook and WhatsApp).

By the way, are you sure there are 7 layers? I'm guessing you are referring to this model, but it was my understanding that this one was used for The Internet, which has only 4.
 
Goodness gracious, I knew I was ignorant about VPN.....but I didn't know just HOW IGNORANT I was.
 