On 2025-12-05 04:08, Marian wrote:
How to test if your access point BSSID is in the highly insecure Apple WPS >> database and, if it is in Apples insecure WPS database, what else is there. >>
If you'd like me to test if your access point BSSID is in the Apple WPS
database, then simply respond with that BSSID & I'll run the Windows
scripts I just wrote based on research published recently of the flaws in
Apple's methods (some of that research is listed in the signature below).
Note that your BSSID should not be in Apple's database if you've opted out >> by appending "_nomap" to your access point SSID (e.g., "my.ssid_nomap").
None of my access point BSSIDs are in the Apple database, but I have the
optout keywords _optout_nomap appended to all of them, but once I confirm
the process works, I'll be glad to write a tutorial so others can do it
too.
Let me know which BSSIDs you wish me to look up for you in Apple's WPS.
Or, if you want to do it without involving Arlen:
<https://wavedigger.networksurvey.app/?tab=bssid>
I checked mine...
(And I've been using the same router for more than 5 years)
...and surprise, surprise: it's not in there!
On 2025-12-05 04:08, Marian wrote:
How to test if your access point BSSID is in the highly insecure Apple
WPS
database and, if it is in Apples insecure WPS database, what else is
there.
If you'd like me to test if your access point BSSID is in the Apple WPS
database, then simply respond with that BSSID & I'll run the Windows
scripts I just wrote based on research published recently of the flaws in
Apple's methods (some of that research is listed in the signature below).
Note that your BSSID should not be in Apple's database if you've opted
out
by appending "_nomap" to your access point SSID (e.g., "my.ssid_nomap").
None of my access point BSSIDs are in the Apple database, but I have the
optout keywords _optout_nomap appended to all of them, but once I confirm
the process works, I'll be glad to write a tutorial so others can do it
too.
Let me know which BSSIDs you wish me to look up for you in Apple's WPS.
Or, if you want to do it without involving Arlen:
<https://wavedigger.networksurvey.app/?tab=bssid>
I checked mine...
(And I've been using the same router for more than 5 years)
...and surprise, surprise: it's not in there!
On 2025-12-05 20:11, Alan wrote:
On 2025-12-05 04:08, Marian wrote:
How to test if your access point BSSID is in the highly insecure Apple
WPS
database and, if it is in Apples insecure WPS database, what else is
there.
If you'd like me to test if your access point BSSID is in the Apple WPS
database, then simply respond with that BSSID & I'll run the Windows
scripts I just wrote based on research published recently of the flaws in >>> Apple's methods (some of that research is listed in the signature below). >>>
Note that your BSSID should not be in Apple's database if you've opted
out
by appending "_nomap" to your access point SSID (e.g., "my.ssid_nomap"). >>>
None of my access point BSSIDs are in the Apple database, but I have the >>> optout keywords _optout_nomap appended to all of them, but once I confirm >>> the process works, I'll be glad to write a tutorial so others can do it
too.
Let me know which BSSIDs you wish me to look up for you in Apple's WPS.
Or, if you want to do it without involving Arlen:
<https://wavedigger.networksurvey.app/?tab=bssid>
I checked mine...
(And I've been using the same router for more than 5 years)
...and surprise, surprise: it's not in there!
Mine is.
On 2025-12-05, Alan <nuh-uh@nope.com> wrote:
On 2025-12-05 04:08, Marian wrote:
S.Let me know which BSSIDs you wish me to look up for you in Apple's WP
Or, if you want to do it without involving Arlen:
<https://wavedigger.networksurvey.app/?tab=bssid>
I checked mine...
(And I've been using the same router for more than 5 years)
...and surprise, surprise: it's not in there!
Yup. Same here. Another nothing burger from little Arlen.
It's classic for the Apple trolls to claim everything they can't understand is a "weak lie" as Jolly Roger just did, but the fact remains that my BSSID is in Apple's database (and the SSID is hidden & has "_nomap" appended).
On 2025-12-06 01:16, Marian wrote:
It's classic for the Apple trolls to claim everything they can't
understand
is a "weak lie" as Jolly Roger just did, but the fact remains that my
BSSID
is in Apple's database (and the SSID is hidden & has "_nomap" appended).
So all your efforts to hide yourself are for nothing. You are listed.
You might as well not bother to hide! :-D
Linux:
1. Open a terminal
2. Type: sudo iwlist scan
3. Find your SSID in the output
4. Look for "Address:" lines
5. Copy the MAC address (format: AA:BB:CC:DD:EE:FF)
It may be that by hiding my SSID broadcast, I prevented Apple from recognizing
that the _nomap was appended to the SSID, for example.
On 2025-12-06 01:16, Marian wrote:
It's classic for the Apple trolls to claim everything they can't understand is a "weak lie" as Jolly Roger just did, but the fact remains that my BSSID is in Apple's database (and the SSID is hidden & has "_nomap" appended).
So all your efforts to hide yourself are for nothing. You are listed.
You might as well not bother to hide! :-D
J. P. Gilliver wrote:
Can you get any idea of what's in the database, or can you only check it
for a specific given one? (I. e. does it accept wildcards or anything
similar?)
I ask as it'd be interesting to know if it _does_ contain any _nomap
ones, but you can't find that out if you have to specify them exactly.
(Though you could make up a few to try, but that wouldn't be conclusive
unless you succeed.)
Hi John,
Thanks for asking as we can all work together on this privacy project.
It's worse than I thought. I checked the Apple database for my own BSSID of an access point that has had "_nomap" on it for years, and it was in the Apple database!. The real GPS location. It was horrid. I almost fainted.
All we need to do that is a BSSID of an AP that isn't in your own home (because I understand nobody wanting their own home to be geolocated).
But that's the whole point.
If it's that easy for anyone to look up where we live based only on our BSSID, then there's something horrid going on, don't you think?
Carlos E.R. <robin_listas@es.invalid> wrote:
On 2025-12-06 01:16, Marian wrote:
It's classic for the Apple trolls to claim everything they can't understand >>> is a "weak lie" as Jolly Roger just did, but the fact remains that my BSSID >>> is in Apple's database (and the SSID is hidden & has "_nomap" appended).
So all your efforts to hide yourself are for nothing. You are listed.
You might as well not bother to hide! :-D
Mine isn't listed and I did nothing to hide.
As has been said before, trying to hide makes one suspect, because
*other* factors stand out.
Carlos E.R. wrote:
It's classic for the Apple trolls to claim everything they can't understand >>> is a "weak lie" as Jolly Roger just did, but the fact remains that my BSSID >>> is in Apple's database (and the SSID is hidden & has "_nomap" appended).
So all your efforts to hide yourself are for nothing. You are listed.
You might as well not bother to hide! :-D
Hi Chris,
Alas... it's shockingly disturbing, so I'm very happy that I had checked!
While the statement is horrifyingly correct that Apple has my BSSID in their WPS database even though I have appended "_nomap" to the SSID (and it's hidden)...
and even though Apple says they respect the opt-out directive...
I don't own the mentality of Sklaven.
I am already documenting everything so that, if I need to, I can present the i
nformation to someone in the legal profession who can stop this.
But at this point, I have to take Apple at its word.
So I'm going to need to delve deeper to dig for "some kind of mistake".
It may be that by hiding my SSID broadcast, I prevented Apple from recognizing
that the _nomap was appended to the SSID, for example.
Wouldn't that be ironic!
Since I'm a well-educated scientist and engineer
Chris wrote:
You're replying to Carlos.
Thanks for pointing out that I often confuse Carlos with you for some odd reason, which I apologize for. As I've explained many times, I wrote my own newsreader long ago so that I could pop up the edits in vi (later gVim).
So I don't see anything in the header unless I take pains to look.
However, the "attribute" line shows up, so I can see some identifiers.
"A fool and his money are soon parted."
I agree, and, you'll note, that in the last three decades of using
computers, the only apps/programs I've ever need to pay for are:
a. The company paid for MS Office (which I'm still using)
b. The company paid for Adobe Acrobat writer (which I'm still using)
c. Every year I buy at Costco on sale in December their TurbuTax
That's it. Even all my phones have been free lately.
All I had to do was pay the sales tax on them.
I even get many tens of thousands of dollars of Amazon items for free.
<https://amazon.com/vine/about>
Many people calculate that the Amazon Vine members are two in a million.
Amazon gives me tens of thousands of dollars of "stuff" for free
(although the deal is that they require me to write reviews for them).
Of course, I have to pay income taxes on the MSRP of everything I get from Amazon so while there are no price limits per se, that limits what I get.
In summary, I get much of what other people pay for, for free.
As you stated, if you're intelligent, everything turns out to be free.
Never make the mistake to think that I'm anything like you are.
Wouldn't that be ironic!
"Hoisted by your own petard." Tragic.
Well, never make the mistake of ever thinking I'm anything like you.
I care deeply that other people get the benefit of all that I learn.
In this case, I'm determined to find out the answer and then make sure
people on the Internet LEARN the answer that I work hard to find out.
You spend all your time
trying to protect your privacy and fail at the simplest level.
Apple advertised that they would respect the _nomap suffix as an extremely clear and very obvious indication that we wished to not be in their db.
That Apple put my BSSID in their database is an indication of their lack of moral rectitude.
[1] we literally can't, because a MAC only links a property. There's no
other info inherent in that.
To claim we have no right to privacy is wrong;
the real issue is that our
rights are being undermined by systems designed without meaningful consent.
Marian wrote:
I wasn't going to check Google's database, but I just started writing the
scripts to check Google's database to see if it was only in Apple's
database. Anyone on the planet can query Apple's database.
But to query Google's database, I need to generate a Google Geolocation API >> account
You might remember I gave you a little curl-based script for that many
years ago, it needs two WiFi MACs and works better if you tell it their relative strengths ... yes it needs an APIKEY
There isn't, as far as I can see, an obligation to *remove* a MAC fromthe
WPS db if they *never see* the nomap request.
J. P. Gilliver wrote:
I checked mine by name, and got
(!)
Invalid BSSID format. Expected 12 hexadecimal digits (e.g.,
AA:BB:CC:DD:EE:FF)
(Probably what the B means?)
Hi John,
You said you checked yours "by name", where the query that was suggested seems to be using the BSSID (which is in the format of "AA:BB:CC:DD:EE:FF")
<https://wavedigger.networksurvey.app/?tab=bssid>
Try entering your BSSID (i.e., your MAC address of the access point),
which, on Windows, you can get using netsh using the syntax below:
netsh wlan show networks mode=bssid
There are some WPS databases, as I noted in my prior post, which can take
an SSID input, apparently, if that's what you really want to query on.
<https://wifidb.net/wifidb/opt/search.php>
I haven't tried searching just for an SSID (since a BSSID is unique) and
when I just tested it with an SSID, the gateway timed out, so maybe there isn't an SSID-only lookup, but that would be useful for those of us who
want to stay out of the rainbow hash tables (& butterfly hash tables).
Chris wrote:
However, the "attribute" line shows up, so I can see some identifiers.
Not true. Your replies always have the person's name. See above where is
says "> Chris wrote". That's in the *body* of your reply so you can see it.
That's exactly what I said.
Me: I see the attribute (i.e., Chris wrote).
You: Not true
Me: Yes true.
J. P. Gilliver wrote:
This is the first I've heard of a "nomap request".
All the major players publish that they respect the "_nomap" request, where we've been discussing the _nomap keyword on these newsgroups since, oh, at least a decade or more.
I think this is a clear case for a class action lawsuit; but I'll give
Apple all the information and I will require that Apple explain HOW my
BSSID got into their WPS database, since that will let me know if it's just me or everyone who tries to opt out of Apple's insecure WPS database.
On 2025/12/6 20:51:53, Chris wrote:
[]
There isn't, as far as I can see, an obligation to *remove* a MAC from the >> WPS db if they *never see* the nomap request.
[]
I'm only watching this from the sidelines, as a (not-very-interested) observer.
This is the first I've heard of a "nomap request".
I'd been assuming Arlen/Marian's addition of "_nomap" to his (B?)SSID
_was_ the "request", and was (by its nature) continuous.
J. P. Gilliver <G6JPG@255soft.uk> wrote:
On 2025/12/6 20:51:53, Chris wrote:
[]
There isn't, as far as I can see, an obligation to *remove* a MAC from the >>> WPS db if they *never see* the nomap request.
[]
I'm only watching this from the sidelines, as a (not-very-interested)
observer.
This is the first I've heard of a "nomap request".
I'd been assuming Arlen/Marian's addition of "_nomap" to his (B?)SSID
_was_ the "request", and was (by its nature) continuous.
Correct. It is the request.
On 2025-12-05 20:11, Alan wrote:
On 2025-12-05 04:08, Marian wrote:
How to test if your access point BSSID is in the highly
insecure Apple WPS database and, if it is in Apples insecure WPS
database, what else is there.
If you'd like me to test if your access point BSSID is in the
Apple WPS database, then simply respond with that BSSID & I'll
run the Windows scripts I just wrote based on research published
recently of the flaws in Apple's methods (some of that research
is listed in the signature below).
Note that your BSSID should not be in Apple's database if you've
opted out
by appending "_nomap" to your access point SSID (e.g., "my.ssid_nomap"). >>>
None of my access point BSSIDs are in the Apple database, but I
have the optout keywords _optout_nomap appended to all of them,
but once I confirm the process works, I'll be glad to write a
tutorial so others can do it too.
Let me know which BSSIDs you wish me to look up for you in Apple's WPS.
Or, if you want to do it without involving Arlen:
<https://wavedigger.networksurvey.app/?tab=bssid>
I checked mine...
(And I've been using the same router for more than 5 years)
...and surprise, surprise: it's not in there!
Mine is.
Carlos E.R. wrote:
It may be that by hiding my SSID broadcast, I prevented Apple from recognizing
that the _nomap was appended to the SSID, for example.
Maybe.
Hi Carlos,
I thank you for making me think about it, where the fact remains that we
need to explain why a hidden SSID with "_nomap" is in the Apple WPS db.
The BSSID is always in the broadcast packet but that the SSID field is
"null" (or blank).
Since the broadcast happens ten times a second, there's no doubt Apple products (of which I own many) are seeing the "BSSID", and, since these
Apple devices are in my own home, they're seeing the "SSID in the clear" whenever a PC or mobile device handshakes with the access point.
So, clearly, Apple *knows* that the SSID is hidden, and, Apple likely even knows the SSID, but Apple may have chosen to ignore these obvious facts.
Hence, I take this loss of my privacy by Apple very seriously.
What I need to do, moving forward, is gather more data points.
What would be useful to know is if it's only me or if it's everyone.
Marian <marianjones@helpfulpeople.com> wrote:
Donald changing his nym non-randomly to avoid killfiles noted. This was
never about privacy.
You spend all your time
trying to protect your privacy and fail at the simplest level.
Apple advertised that they would respect the _nomap suffix as an extremely >> clear and very obvious indication that we wished to not be in their db.
That Apple put my BSSID in their database is an indication of their lack of >> moral rectitude.
Firstly, the _nomap is on your user-defined SSID. Secondly, what is
collected is the BSSID/MAC which in most cases cannot be edited.
You can choose to hide your SSID. So if you've hidden your SSID the nomap option is superfluous as it won't show up anyway.
There isn't, as far as I can see, an obligation to *remove* a MAC from the WPS db if they *never see* the nomap request.
Chris wrote:
All we need to do that is a BSSID of an AP that isn't in your own home
(because I understand nobody wanting their own home to be geolocated).
There are maps which "geolocate" everyone's home.
Since access points with "_nomap" are clearly in the Apple WPS database,
this raises serious privacy concerns because the system can be abused to track homes and individuals globally (as reported by researchers).
For you to claim all security researchers are wrong is classic.
I, for one, trust the security professionals (and I read their papers).
<https://www.cs.umd.edu/~dml/papers/wifi-surveillance-sp24.pdf>
"In this work, we show that Apple's WPS implementation
can easily be abused to create a serious privacy threat
on a global scale."
If it's that easy for anyone to look up where we live based only on our
BSSID, then there's something horrid going on, don't you think?
The only horrid[2] thing is how inept you are.
Well, it's a good thing you Apple trolls are the only people claiming I'm "inept", especially given I happen to be well informed on privacy issues.
I think the main reason you love to claim that I'm "inept" is because you
are desperate to defend Apple's actions to the death, no matter what.
Keeping your unique BSSID/GPS/SSID/dBm/timestamp/etc metadata out of the Apple WPS database simply by adding "_nomap" should be one of those things.
For anyone to claim we have no right to privacy is to deny a fundamental human freedom. Privacy is not a luxury; it is a cornerstone of autonomy and dignity.
J. P. Gilliver wrote:
I'll tackle Google later. Right now I demand that Apple explain to my satisfaction why my access point is in their database when I opted out.
There are some WPS databases, as I noted in my prior post, which can take
an SSID input, apparently, if that's what you really want to query on.
<https://wifidb.net/wifidb/opt/search.php>
On 2025/12/7 11:5:16, Chris wrote:
J. P. Gilliver <G6JPG@255soft.uk> wrote:In that case, I can't see how they could claim not to have seen it; if
On 2025/12/6 20:51:53, Chris wrote:
[]
There isn't, as far as I can see, an obligation to *remove* a MAC from the >>>> WPS db if they *never see* the nomap request.
[]
I'm only watching this from the sidelines, as a (not-very-interested)
observer.
This is the first I've heard of a "nomap request".
I'd been assuming Arlen/Marian's addition of "_nomap" to his (B?)SSID
_was_ the "request", and was (by its nature) continuous.
Correct. It is the request.
the SSID was in their system before it had the _nomap added, then surely _with_ the _nomap added, it is a new SSID; the same if they'd _not_ had
it, and thus added it as a new one anyway. In both cases, at the point
they added it, they would see it.
Carlos E.R. wrote:
Marian wrote:
ÿ <https://wifidb.net/wifidb/opt/search.php>
Doesn't find mine.
Nor mine, by SSID name (not hidden or _nomap suffix)
I wouldn't really expect anyone to have wardriven around here with a
laptop running Vistumbler, but you never know ...
Carlos E.R. <robin_listas@es.invalid> wrote:
On 2025-12-06 01:16, Marian wrote:
It's classic for the Apple trolls to claim everything they can't understand is a "weak lie" as Jolly Roger just did, but the fact
remains that my BSSID is in Apple's database (and the SSID is
hidden & has "_nomap" appended).
So all your efforts to hide yourself are for nothing. You are listed.
You might as well not bother to hide! :-D
Mine isn't listed and I did nothing to hide.
As has been said before, trying to hide makes one suspect, because
*other* factors stand out.
Carlos E.R. wrote:
Sorry, I can't help with that. But yes, Apple should take the hint
that if the SSID is hidden, they should not list the associated BSSID
either.
If you have a free unused/old router or access point, you could set it
up with a hidden _nomap SSID, and without connecting any of your
phones to it, wait to see if the BSSID appears listed after a month or
two. It would be interesting to check every day with a script, to see
how fast they update.
Andy Burns wrote:
Ask some friends who use iPhones to come round for a coffee, the more
devices hoovering up data the better?ÿ They may only add BSSIDs to the
DB if they've seen them via multiple devices.
I appreciate the input from both Carlos & Andy in that both of you seem to understand the problem set, which is I didn't consent to be tracked.
a. I hid my SSID (which is a clear non-consent active action), and, b. I added _nomap to all my SSIDs (which is another active non consent).
And yet, I'm in the Apple WPS database down to the middle of the house. (Wavedigger maps are accurate to 8 digits pinpointing the exact home!)
The fact is that I have plenty of Apple devices in the home, maybe even
more than Android devices, so I don't need to bring in more iPhones. :)
We're all smart people so we can see that "something" is wrong. But what?
It could be Apple (e.g., a bug).
Or, it could be me (as Andy has intimated in a prior post).
I've met with my neighbor who is a VP at Apple who knows me extremely well
so he takes my claims seriously, so we'll find out soon if it's a bug.
Or, it could be "something that I did"; but what?
I'm thinking that I need to look more deeply at how repeaters and bridges pass BSSIDs. I'm not really all that familiar with how BSSIDs propagate.
I'll dig a bit to see if maybe a repeater/bridge threw me under the bus.
Carlos E.R. wrote:
ÿÿ As has been said before, trying to hide makes one suspect, because
*other* factors stand out.
I am curious, though, about why some people are listed and some are
not. What's the criteria? Maybe just chance. A passerby having the
proper non intentional software working properly, I'd guess.
I will disagree with anyone who makes an illogical statement such as that which Frank made above, but I'll help answer any valid question such as
what Carlos asked.
Regarding Frank's assessment that hiding the SSID and putting _nomap on the SSID "makes one suspect"... Suggesting that opting out makes you 'suspect' flips the logic. In a system where consent is assumed unless you opt out, taking the opt-out step is the rational, privacy-protective choice.
3. A data broker can infer that the Johnsons moved across the country.
ÿÿ Advertisers could target them with "new homeowner" services ads.
ÿÿ A stalker or abusive ex could quickly discover their new address
The BSSID is persistent across locations.
That persistence means your router acts like a digital homing beacon.
It follows you wherever you go.
Now run that kind of tracking on millions of BSSIDs en masse, which is what security researched showed the insecure Apple WPS database can be used for.
As for Carlos' question of why some people are in the highly insecure Apple WPS database, A router's BSSID is only logged if an Apple device (like an iPhone, iPad, or Mac) scans it and reports it back to Apple's servers. If
no device running Apple's WPS software has ever passed near your router, it won't be listed.
In my case, I have plenty of Apple mobile devices inside my home.
So they threw me under the bus even if nobody else did it for Apple.
The paper by Erik Rye & Dave Levin tracked BSSIDs over a year, where they mention that Apple doesn't seem to be scrubbing old BSSIDs out of the db.
"we were able to track BSSIDs longitudinally over the course of a year"
Frank Slootweg wrote:
On December 6, I wrote:
Carlos E.R. <robin_listas@es.invalid> wrote:
Notice something interesting:
a. When you search using the URL, you get only six decimal places
b. When you search using python, you get up to eight decimal places
Here is a redacted set of images showing the decimal place issue: <https://i.postimg.cc/C5Pcb6RQ/decimal.jpg>
Maybe those last two decimal places are why Frank sees an inaccuracy in location that is absolutely absent from my results, although everyone knows
I live in the boonies so even as much as 10 meters off is still exactly me.
UPDATE: I just checked my actual numbers. 6 decimal places: ~11 cm resolution.
8 decimal places: ~1 mm resolution.
The specific difference between them is only about 4cm.
What's really different is if you live in the boonies, the BSSID is you.
If you're in the city, the BSSID might be you and people close to you.
Note: It also matters how "close to your BSSID" the Apple devices are.
In my case, they're right here, next to me, so they're close to the router.
Carlos E.R. wrote:
You would have to prove that your house BSSID being listed is a breach
of your fundamental right to privacy, because an AP is not directly
linked to your person.
The simplistic argument that 'MAC addresses are not "directly" linked' ignores the fact that when aggregated at scale, they become a powerful tracking tool. A single MAC address is just a hardware identifier; but a database of millions of them tied to GPS coordinates is essentially a map
of people's movements and residences.
Imagine this scenario:
1. A company collects BSSIDs (MACs) from Wi-Fi routers in a city. 2.
Over time, they build a database: ÿ a. MAC A -> seen at 123 Elm Street
in 2022 ÿ b. MAC A -> seen at 456 Oak Avenue in 2023
3. From this, they infer the household at 123 Elm Street likely
ÿ moved to 456 Oak Avenue.
Now scale that up: Track migration patterns of entire neighborhoods. Correlate MACs with census data, property records, or advertising IDs.
What was just public information becomes a de facto surveillance system, without meaningful consent from the people being tracked.
On 2025-12-08 14:50, Marian wrote:[...]
Imagine this scenario:
1. A company collects BSSIDs (MACs) from Wi-Fi routers in a city. 2.
Over time, they build a database: ? a. MAC A -> seen at 123 Elm Street
in 2022 ? b. MAC A -> seen at 456 Oak Avenue in 2023
3. From this, they infer the household at 123 Elm Street likely
? moved to 456 Oak Avenue.
Now scale that up: Track migration patterns of entire neighborhoods. Correlate MACs with census data, property records, or advertising IDs.
What was just public information becomes a de facto surveillance system, without meaningful consent from the people being tracked.
Yes, this is true.
Carlos E.R. <robin_listas@es.invalid> wrote:
On 2025-12-08 14:50, Marian wrote:[...]
Imagine this scenario:
1. A company collects BSSIDs (MACs) from Wi-Fi routers in a city. 2.
Over time, they build a database: ÿ a. MAC A -> seen at 123 Elm Street
in 2022 ÿ b. MAC A -> seen at 456 Oak Avenue in 2023
3. From this, they infer the household at 123 Elm Street likely
ÿ moved to 456 Oak Avenue.
Now scale that up: Track migration patterns of entire neighborhoods.
Correlate MACs with census data, property records, or advertising IDs.
What was just public information becomes a de facto surveillance system, >>> without meaningful consent from the people being tracked.
Yes, this is true.
No, it's not. As you said, it's not people, but households and, as
others have said, it's not even households, but *devices* (Access
Points).
The *Access Point* has moved and that could be for all kinds of
reasons. The AP might be re-used by someone else. The household may have
been split up (someone(s) moved out), so the household did not move.
Etc., etc..
Devices are not people, at least not yet.
Chris wrote:
Devices are not people, at least not yet.
Correct.
If I had a pill in my pocket, you'd say it's a pill. It's not a cure. It's
a pill. You can't see that if it's penicillin, it can cure you of strep throat.
You and Frank never were accepted into a college for a reason, Chris.
You don't own the IQ to understand a pill in my pocket is more than just a pill.
To you (and Frank), all pills are the same.
Who is that strange?
Only you are when making absurd defenses for Apple decisions.
Nobody on the planet who is a security professional agrees with you two.
Nobody.
If they did, you'd find them.
And you can't.
Because your assessment that penicillin can't cure step throat because it's "just a pill" is absurd.
Note: The "pill" is the analogy for the "bssid", which is more powerful
than the item appears to be to people who don't understand what it does.
Frank Slootweg wrote:
The Access Point has moved and that could be for all kinds of
reasons.
Some access points are inside trains/buses/planes/ships/cars
Carlos E.R. wrote:
Regarding Frank's assessment that hiding the SSID and putting _nomap
on the
SSID "makes one suspect"... Suggesting that opting out makes you
'suspect'
flips the logic. In a system where consent is assumed unless you opt
out,
taking the opt-out step is the rational, privacy-protective choice.
Yes, but it also signals "I have something to hide!". It makes you
"interesting".
I never disagree with any sensibly valid point of view, so people never
waste their time when they bring up a counterpoint with me, as I do understand what your're saying but we have to look at the scale of consent.
There must be millions upon millions of people who do not consent to tracking, even as there must be billions who consent to tracking their AP.
Carlos E.R. <robin_listas@es.invalid> wrote:
On 2025-12-08 14:50, Marian wrote:[...]
Imagine this scenario:
1. A company collects BSSIDs (MACs) from Wi-Fi routers in a city. 2.
Over time, they build a database: ÿ a. MAC A -> seen at 123 Elm Street
in 2022 ÿ b. MAC A -> seen at 456 Oak Avenue in 2023
3. From this, they infer the household at 123 Elm Street likely
ÿ moved to 456 Oak Avenue.
Now scale that up: Track migration patterns of entire neighborhoods.
Correlate MACs with census data, property records, or advertising IDs.
What was just public information becomes a de facto surveillance system, >>> without meaningful consent from the people being tracked.
Yes, this is true.
No, it's not. As you said, it's not people, but households and, as
others have said, it's not even households, but *devices* (Access
Points).
The *Access Point* has moved and that could be for all kinds of
reasons. The AP might be re-used by someone else. The household may have
been split up (someone(s) moved out), so the household did not move.
Etc., etc..
Devices are not people, at least not yet.
On 2025-12-10 03:54, Marian wrote:
Carlos E.R. wrote:
Regarding Frank's assessment that hiding the SSID and putting _nomap
on the
SSID "makes one suspect"... Suggesting that opting out makes you
'suspect'
flips the logic. In a system where consent is assumed unless you opt
out,
taking the opt-out step is the rational, privacy-protective choice.
Yes, but it also signals "I have something to hide!". It makes you
"interesting".
I never disagree with any sensibly valid point of view, so people never
waste their time when they bring up a counterpoint with me, as I do
understand what your're saying but we have to look at the scale of consent. >>
There must be millions upon millions of people who do not consent to
tracking, even as there must be billions who consent to tracking their AP.
Huh, no. Maybe 80% of users do not even know they have that option.
Their ISP gives them a router, they just plug it in, done.
Only geeks and technical people know.
Carlos E.R. <robin_listas@es.invalid> wrote:
On 2025-12-10 03:54, Marian wrote:
Carlos E.R. wrote:Huh, no. Maybe 80% of users do not even know they have that option.
Regarding Frank's assessment that hiding the SSID and putting _nomap >>>>> on the
SSID "makes one suspect"... Suggesting that opting out makes you
'suspect'
flips the logic. In a system where consent is assumed unless you opt >>>>> out,
taking the opt-out step is the rational, privacy-protective choice.
Yes, but it also signals "I have something to hide!". It makes you
"interesting".
I never disagree with any sensibly valid point of view, so people never
waste their time when they bring up a counterpoint with me, as I do
understand what your're saying but we have to look at the scale of consent. >>>
There must be millions upon millions of people who do not consent to
tracking, even as there must be billions who consent to tracking their AP. >>
Their ISP gives them a router, they just plug it in, done.
Only geeks and technical people know.
I agree, although I'd say the number is nearer 99%. I have never ever seen
a "_nomap" SSID and I have been aware of it for easily over 5 years.
And when querying wifi networks almost none are changed from the ISP
default.
Carlos E.R. wrote:
And when querying wifi networks almost none are changed from the ISP
default.
Around my house I see three customized of mine, one random (computer
generated long random string), 3 "TP-Link..." one "ARRIS". So
everybody else except the random one is using factory defaults. Or
provider defaults.
Using WiFi Analizer (Android) upstairs I see a few more, also
generated by the ISP.
Hi Carlos,
If you want, you can give me a BSSID of one of the homes near you, and
thanks to Chris who asked me to do it, I can output the nearest 400
BSSID:GPS pairs in that area.
If desired, I can "snowball" it even further, to get the nearest 400 to the outside ring, which will instantly extend to thousands within seconds.
If you're OK with that, I'll post those thousands so that Chris (and others who may not have understood what the researchers reported) will see that.
All I need to do is run the now-modified Apple BSSID locator code: <https://github.com/darkosancanin/apple_bssid_locator>
where the main change I made to the apple_bssid_locator.py was
FROM: apple_wloc.return_single_result = 1 (which means return only one)
TO:ÿÿ apple_wloc.return_single_result = 0 (which means unlimited returns)
In practice, "unlimited" really means Apple throttles returns at 400.
All this I learned from reading the research that was posted about this.
With the changes I documented, anyone in the world can reproduce what the security researchers said could be done, which I thank Chris for making me
do it (because it took about a half hour for me to figure out that change).
Now when I run this command using the modified apple_bssid_locator.py code python apple_bssid_locator.py 11:22:33:AA:BB:CC --all
I get up to 400 BSSID:GPS pairs per query.
If ANYONE wants to give me a BSSID of their neighbor, just post it.
I will run the query for them and report the results here for all to see.
As the researchers stated, it's trivial to "snowball" that query with automation to the point in two weeks the researchers had billions of GPS:BSSID pairs, which then they could use to track "households".
It's so easy to do, it's scary.
Just have someone give me a BSSID and I'll prove it to all right now.
Andy Burns wrote:
Nor mine, by SSID name (not hidden or _nomap suffix)
I wouldn't really expect anyone to have wardriven around here with a
laptop running Vistumbler, but you never know ...
Hi Andy,
In the United States, it's a public record where everyone who owns a home lives, so there's a 1:1 relationship between them and their router.
Cybernews: *Anyone can tap into your WiFi location data to track you* explains how Apple's WPS can be exploited for mass surveillance. <https://cybernews.com/privacy/apple-beams-wifi-location-data-privacy- risk/>
The researchers already showed anyone in the world is already able to use Apple's WPS db to track Loretta Anne Jameson's AP which is currently
located at 4302 Josey Circle, Shreveport, LA 71109.
When she moves, I'll let you know where she moves her router to.
Likewise with any of her neighbors.
Ronda and Alfred Beel, 4310 Josey Cir, Unit #2-A
Benjamin and Eric Choyica 1/4 and, 4318 Josey Cir, Unit #2-A
Jeffrey Devin, 4306 Josey Cir, Unit #2-A
Flora Ann Jackson Gellion, 4338 Josey Cir, Unit #2-A
Lonzie D. Groniger, 4321 Josey Cir, Unit #2-A
Lutrisher Walton Hill, 4329 Josey Cir, Unit #2-A
Melvin Hawthorn, Jr. 1/2 and, 4823 Josey Cir, Unit #2-A
Mary E. Gebbs Hendy, 4816 Josey Cir, Unit #2-A
Shane Jameson Sr., 4330 Josey Cir, Unit #2-A
Rosemary Ellerbee Jones, 4317 Josey Cir, Unit #2-A
Charles Nesh, 4824 Josey Cir, Unit #2-A
James and Dollie Henson Smythe, 4314 Josey Cir, Unit #2-A
Sherryn Marie Smythe, 4820 Josey Cir, Unit #2-A
Terrince Steedman, 4326 Josey Cir, Unit #2-A
Pamela Tomas, 4828 Josey Cir, Unit #2-A
Trivia Yashica Watken, 4827 Josey Cir, Unit #2-A
etc.
Anyone can do this for any home in the United States.
Which is why this is so dangerous to privacy.
On 2025-12-28 16:14, Marian wrote:
Andy Burns wrote:
Nor mine, by SSID name (not hidden or _nomap suffix)
I wouldn't really expect anyone to have wardriven around here with a
laptop running Vistumbler, but you never know ...
Hi Andy,
In the United States, it's a public record where everyone who owns a home
lives, so there's a 1:1 relationship between them and their router.
Only assuming the accuracy of the database...
...which isn't accurate...
...because devices that AREN'T in the supposed location of an AP are reporting that one is NEAR their actual location.
Tyrone wrote:
it makes Apple "look bad".
What Apple does is what "makes Apple look bad", not me.
What's important is that Apple's WPS database implementation is
insecure. That's not opinion. That's fact which was described in the research.
Google's WPS database access is nothing like Apple's WPS database access. Anyone in the world can access Apple's entire WPS db without restriction.
All I did was reproduce what the researchers said was easily possible.
And it was.
What the researchers didn't note, and which I learned, and I'm likely only one out of millions who knows this, was not only does Apple not respect
their own published privacy policy on opting out, but they have no
intention of respecting their published privacy opt-out policy.
This is not opinion.
This is fact.
Only one out of millions of people know what I just said above.
We know it because we're extremely intelligent and well informed.
Bear in mind if Google or Mozilla did what Apple did, I would be on their case too, because what Apple is doing is the antithesis of what Apple
"says" it does.
It's legally, morally & ethically reprehensible what Apple is doing.
If Google or Mozilla did what Apple does, I'd say the same of them.
But they didn't.
Only Apple does this.
Tyrone wrote:
it makes Apple "look bad".
What Apple does is what "makes Apple look bad", not me.
What's important is that Apple's WPS database implementation is
insecure. That's not opinion. That's fact which was described in the research.
Google's WPS database access is nothing like Apple's WPS database access. Anyone in the world can access Apple's entire WPS db without restriction.
All I did was reproduce what the researchers said was easily possible.
And it was.
What the researchers didn't note, and which I learned, and I'm likely only one out of millions who knows this, was not only does Apple not respect
their own published privacy policy on opting out, but they have no
intention of respecting their published privacy opt-out policy.
This is not opinion.
This is fact.
Only one out of millions of people know what I just said above.
We know it because we're extremely intelligent and well informed.
| Sysop: | Jacob Catayoc |
|---|---|
| Location: | Pasay City, Metro Manila, Philippines |
| Users: | 5 |
| Nodes: | 4 (0 / 4) |
| Uptime: | 20:52:02 |
| Calls: | 117 |
| Calls today: | 117 |
| Files: | 367 |
| D/L today: |
559 files (257M bytes) |
| Messages: | 70,875 |
| Posted today: | 26 |
