Since becoming a moderator, I’ve been removing RouterOS software ID numbers, serial numbers, and MAC addresses on user privacy grounds. Since they don’t help us answer any questions, there is no justification for allowing this personally-identifying information to remain in the forum archives for malefactors to dig up.
The question came up in another thread, where it constituted threadjacking, so in order to both disentangle things and to give this topic a proper airing, I’ve moved the other posts to appear as replies to this one.
My initial reply that sparked all this was:
I remove MAC addresses when moderating posts for two reasons:
It leaks info about brands and possibly even models of equipment on the network via the OUI portion of the address. If this is relevant, the poster will include the info in the prose. If not, then it’s no one else’s business.
It’s PII, allowing a snooper to link multiple appearances of that unique identifier together, useful in profile-building. I refuse to help the snoopers, on principle.
As I hinted, there are (rare) cases when knowing a device’s MAC address comes in handy. But its usefulness is exclusive to devices in the same L2 network. I’m pretty sure your devices are nowhere near mine, so knowing your device’s MAC address is useless to me.
An IP address is different: it’s universally usable (and present) … so one should protect (and defend) their public IP addresses.
You’re ignoring the OUI information leakage. I’ve seen people all but list the tech-toy content of their homes via static DHCP assignment lists, for example. Unless that information helps us solve the problem, it’s either bragging or foolish, neither of which justify keeping the info in the forum archives where any malefactor can later find it.
As for the PII/profiling aspect of things, the malefactor may already be “in the house,” so to speak. A vignette: “I, Mr. L33T H4X0R have now gained unauthorized access to this network but have yet to work out how to attack their corporate router. But oho, ARP tells me its MAC address, and lookee here, a Google search turns it up, complete with a dump of the router’s configuration. That should prove helpful.”
If we’re going to ask people to drop their pants in public, we should at least pixelate the presentation, doncha think?
one should protect (and defend) their public IP addresses.
Yes, particularly when it’s right there in the configuration with a dstnat rule that says, “Here’s where you may find my s00per-secret VPN endpoint; have at it, boys!”
And implicitly, I also agree that hiding RFC1918 addresses is fairly silly, except insofar as it helps in my hacker vignette above. For a simple home network, there is no information leakage since the attacker is already inside the house, in my scenario. But, if the configuration maps out the VLAN ID to IP mapping scheme, that’s an information leakage that might cost someone, someday.
@tangent: just two sentences, then I’ll cease to discuss the matter as it’s clearly up to everybody’s taste: Paranoia won’t save you, appropriate defensive actions will. Security through obscurity has a very limited effectiveness.
Ah, another sentence: it’s fine for you to redact whatever information you deem as sensitive, it’s fine to warn other users about it, but you really should not redact that in other users’ posts (I’m not saying you did, just a thought), it’s up to them to decide what they want to hide and what not.
it’s up to them to decide what they want to hide and what not.
You’re assuming more forethought than is warranted.
A good many people who post RouterOS configuration files here are in something of a panic and are responding to a request for a configuration to help them solve the problem that has them in that panic. They aren’t thinking clearly. They want their pain to stop. To expect them to sanitize everything in that state of mind ignores human nature. It is only because our motives in asking for that information are pure that asking for it is anything but a social engineering attack.
Atop this, the people most likely to need help with their RouterOS configurations are those least able to understand the implications of what they’re posting.
Following the same principle, it should be forbidden on the forum to use fake IP addresses and DNS names other than those specified by the appropriate RFCs; otherwise, putting in random IP addresses and DNS names risks generating random DDoS attacks, just because someone thinks the addresses really belong to that user, without a firewall or without a password…
Another classic case of a leak is the passwords, tokens, and more in the script section that “hide-sensitive” does not hide…
As long as it doesn’t get in the way of solving an issue, any security approach by a mod is a good idea.
Some are hard and fast, like keys, public WAN IP info, etc…
Not sure if software ID is of any value?
The problem is that some people are trying to use a tool that was not created for that purpose as a way to receive assistance from complete strangers, releasing completely confidential information to the mercy of the whole world…
If it’s not enabled by default in widespread versions of RouterOS, you can count on people not doing it. A huge part of the problem I’m trying to address with these redactions is that people don’t examine their configuration before they post it, and they don’t read good advice on how to post a configuration.
I repeat: people posting configurations often aren’t thinking clearly. Any solution that depends on them to do that is going to fail. If they were thinking clearly, reading all the things they ought to and understanding it all, then they wouldn’t likely be posting in the first place, yes?
…except as a unique identifier that can link posts from two different sources. It's not PII, strictly speaking, but it's worth squishing even before you realize that the only ones it's helpful to in answering problems are MikroTik themselves, and as they have repeatedly stated, they don't generally monitor the forum for support requests.
You should not sanitize the software ID on posts to their bug tracker, but that isn't open to public view.
I fully agree that generally it is good to sanitize as much information as possible. The problem is, as already mentioned: many people post things while in stress and lack some part of the knowledge. Those are likely to sanitize too much or in the wrong way, making the posted config incomplete or misleading. From the point of view of a person trying to help (to reduce the stress level), these posts waste my time. There is no hard line separating obviously exploitable information from obviously safe information. While an experienced user, such as @tangent, can judge where to draw that line in a particular case, I don’t think it’s possible to do that generally for Joe Average to follow.
No argument there. I believe it was you who long ago convinced me that partial configurations often waste time, being a subclass of the spoon-feeding problem. This is a separate principle from that covered by this thread’s topic, though, which I summarize as, “Why should we trust you to know what to leave out when you plainly don’t know what to put in?”
Rationale: it’s not their responsibility, and it will do no harm to other forum members if sensitive info is left. It’s the poster’s responsibility to check and decide what to post to protect him/herself.
However: clear guidelines should be written in both the forum guidelines and above/below the message text field when writing a new message/answer, stating that it’s the poster’s responsibility to check and remove any sensitive information + provide a link to a forum post explaining what is “sensitive” and why + state clearly that no redaction will be done by the forum moderators to hide sensitive info.
Suggestion: write a phpBB extension which is able to automatically redact a configuration file based on a set of rules. No human intervention, choice is left to users to use it or not. Mikrotik could do it or could participate in writing it by financing this task.
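A rule-based redactor of the kind suggested above, as an added Python example that is not part of this thread nor any MikroTik or phpBB code: it rewrites a RouterOS export so that the software ID and serial number, MAC addresses (OUI included), public IPv4 addresses (mapped onto RFC 5737 TEST-NET-3 so they cannot point at a real host) and credential-looking values that hide-sensitive leaves inside script sources are replaced, while RFC 1918 addresses stay. The sample export, the regex rules and every value in them are constructed assumptions.

```python
import ipaddress
import re

# Non-routable space safe to leave in a posted config; anything else is "public".
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
ID_RE = re.compile(r"^(# (?:software id|serial number)) = .*$", re.MULTILINE)
# Credential-looking values that hide-sensitive does not touch inside script sources
SECRET_RE = re.compile(r'\b(password|secret|pre-shared-key|token)=("[^"]*"|[^\s"]+)')

def is_public(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # matched the regex but is not an address, e.g. 999.1.1.1
        return False
    return not any(addr in net for net in KEEP_NETS)

def redact(text):
    """Rewrite a RouterOS export with identifying values replaced (stable within one export)."""
    ips, macs = {}, {}
    def ip_sub(m):
        ip = m.group(0)
        if not is_public(ip):
            return ip
        # Each distinct public address gets its own RFC 5737 TEST-NET-3 address
        return ips.setdefault(ip, f"203.0.113.{len(ips) + 1}")

    def mac_sub(m):
        # Locally administered prefix 02:00:00 reveals no vendor OUI
        return macs.setdefault(m.group(0).upper(), f"02:00:00:00:00:{len(macs) + 1:02X}")

    text = ID_RE.sub(r"\1 = REDACTED", text)
    text = SECRET_RE.sub(r"\1=REDACTED", text)
    text = IPV4_RE.sub(ip_sub, text)
    return MAC_RE.sub(mac_sub, text)

# Constructed sample export (no real device); 192.0.2.7 stands in for a real public IP.
SAMPLE = """\
# software id = ABCD-1234
# serial number = 9A1B2C3D4E5F
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:5E:0C:12:34:56
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.0.2.7 dst-port=1194 protocol=udp to-addresses=192.168.88.10
/system script
add name=backup source="/tool fetch user=admin password=Hunter2! url=https://example.com/up"
"""
```

Because the mapping is kept per export, a host referenced in several rules keeps one consistent placeholder, so the redacted config still makes sense to whoever is helping.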
But what about the case where the poster is not knowledgeable enough to know what can hurt him if it’s posted online? E.g. a public IP or something? It’s possible that something like this happens…
The answer to your question is in the “however” part of the post you’re quoting and truncating.
Edit: If people don’t read the posts to the end, or do not read the disclaimers, it’s their responsibility.
Well … forum owners, admins and moderators can do only so much against users’ lack of knowledge (and stupidity). I’d say that a warning in the forum guidelines (and regulations) would be necessary, a warning by a forum mod or fellow user about sensitive data is welcome, but at the end of the day it’s up to each user to do something about it. I have a slightly less paranoid opinion about what kind of data is sensitive than @tangent has, so I’ll probably sometimes post some data which @tangent would not. But it’s up to me to bear the consequences (I’ve dealt with some intrusions so far, so I’m not a complete virgin in this regard … and I’ll deal with it again if that happens).
There are many forums on the internet which aim to help users with their problems (I’m sure everybody around here knows many more than I do) and I’d bet that not many forums bother about the sensitivity of data posted by users.