Update: You can probably scratch this whole idea – see the comments for details.

First, a little background on geolocation for those who haven’t heard of this before:

1. Google has been collecting wifi data while doing streetview. One of the things they collect is MAC addresses of wireless networks.
2. Google, using the above MAC addresses and GPS data, is now offering a geolocation service. You just send in the MAC addresses of any wireless networks in range, and Google will helpfully tell you where you are.
3. While a browser is supposed to prompt a user before sending the MAC addresses off to Google, it is certainly possible for anyone to submit any MAC address they know of to Google. Sam Kamkar has a proof of concept for this.

The summary of the above is this: If you have a MAC address, google will tell you where it has seen that MAC address.

Now for the kicker. IPV6 autoconfig, by default, loads the mac address into the last 64 bits of the IP address. (Not directly – technically the bytes FFFE are added to the middle, and 1 bit is flipped, but this is all easily reversed. Suffice it to say obtaining a MAC address from this sort of IP address is trivial). See where this is going yet? If you want to know where an IPv6 address is located in the real world, just traceroute to the device, pull the MAC address from the device immediately prior to your target, and see if Google has a record of it. If your target is behind NAT, you can skip even this simple step. This attack is probably mostly theoretical right now since the vast majority of wireless networks are still IPv4, but if IPv6 ever does take off, this will become a real worry.

Credit where credit is due: I got this idea while watching the video of Samy Kamkar’s presentation entitled “How I met your girlfriend“. Samy goes from end to end, showing how to get a person’s real life location. He only talks about IPv4, so for the last steps he convinces the target to click a link, exploits their home router, and pulls the MAC address from there using the default credentials. I basically take this attack and consider it in the IPv6 world, where none of the technical wizardry is necessary and the attack difficulty is significantly lower.

I’ve been reading up on new Windows 7 security features (more on them perhaps later), but one caught my eye – SmartScreen. It’s a web filter (like the one Firefox has) that checks the websites you visit against a list of known bad websites. If it’s on the list, you get a red nasty warning screen telling you not to visit. What I was thinking about though was the privacy aspect – whenever you visit a new website your browser automatically sends the URL to Microsoft. Not just the domain, but the entire URL. They do of courser have a privacy policy, but nowhere in that policy do they actually say how they will or won’t use the data collected (we can of course, always assume the worst).  They also do other data collection:

From time-to-time, information about your usage of SmartScreen Filter will also be sent to Microsoft such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web such as name and file path may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information including web browser version, operating system version, SmartScreen Filter version, the browser language, and information about whether Compatibility View was enabled for the website.

I don’t know about this one – sounds more like a marketing tool masquerading as a security tool.