Spoofing - Pros and Cons

pwmeekpwmeek Member, Beta Tester Posts: 96 ✭✭✭
I seem to have begun a discussion that has take over another topic. My apologies to the OP.

I asserted that spoofing was wrong in principal and challenged people to provide a counterexample. Several people have suggested times when spoofing is appropriate, but I remain unconvinced. I can see many situations where concealing one's identity or location might be appropriate, but lying about identity or location is another thing entirely, particularly when the lying takes the form of identifying oneself as another person or entity.

If the moderators could move the offending posts from the original topic to this one, perhaps it can be discussed.
--Pete
Bon Vivant and Raconteur
VioletChepilCiaranRobinHronosSageb1

Comments

  • VioletChepilVioletChepil London, UKMember Posts: 2,474 admin
    Ok, I'll see about that functionality but I do know that @Romulus and @SimoneSpinozzi have some good and interesting views on this! 

    Community Manager at Fing

    Stratt3000
  • RomulusRomulus Member, Beta Tester Posts: 34 ✭✭✭
    So are we talking about spoofing GPS location or ones network identity (IP, MAC Address)?
    I can't think of any legitimate reason for spoofing network identity other than the use case where some ISP's tie a modem to an account. Such that when replacing with your own device some devices can mimic MAC Address making the switch out seamless.

    Regarding the original discussion the legitimate use case I have for spoofing GPS is to allow a tablet device to take the GPS location of a running PC based flight simulator to depict it's position on something like Google maps or one of the pieces of software that real pilots use in the cockpit in the context of the simulator. I would agree that the majority of use cases for GPS spoofing for for less legitimate means.
    VioletChepilCiaran
  • VioletChepilVioletChepil London, UKMember Posts: 2,474 admin
    I know @kltaylor has some thoughts on this too! 

    Community Manager at Fing

  • pwmeekpwmeek Member, Beta Tester Posts: 96 ✭✭✭
    Romulus said:
    So are we talking about spoofing GPS location or ones network identity (IP, MAC Address)?
    I can't think of any legitimate reason for spoofing network identity other than the use case where some ISP's tie a modem to an account. Such that when replacing with your own device some devices can mimic MAC Address making the switch out seamless.

    Regarding the original discussion the legitimate use case I have for spoofing GPS is to allow a tablet device to take the GPS location of a running PC based flight simulator to depict it's position on something like Google maps or one of the pieces of software that real pilots use in the cockpit in the context of the simulator. I would agree that the majority of use cases for GPS spoofing for for less legitimate means.
    I created this topic to discuss spoofing in all forms (which is why it is here in GDW&W rather than Security), not just GPS location. Anything from the original GPS spoofing to hacking the phone system or misrepresenting an internet address. My assertion was that spoofing (as opposed to concealing for privacy or political safety reasons) was essentially a Bad Thing*, and asked for counterexamples.

    My hazy (maybe as a MS-DOS program or very early Windows?) recollection of MS Flight Simulator was that it could be directly instructed to begin its simulation at any location within its world map (rather than take its location from an internal GPS - in fact, my MSFS recollection may predate the existence of GPS.) Perhaps your flight simulator isn't even MS or is much newer. 

    =============== 
    * See 1066 and All That by Sellar and Yeatrman (1930)
    --Pete
    Bon Vivant and Raconteur
    VioletChepilRobin
  • PeterPPeterP Member, Beta Tester Posts: 21 ✭✭
    One form of spoofing that needs to be illegal is phone caller id spoofing.  It is clearly responsible for the explosion of spam & fraudulent robo-calls that we are inundated with daily. Not only should it be illegal, but all telcos should be required to prevent it as the technology now exists to detect and block it. 
    VioletChepilpwmeekGummyKing
  • SimoneSpinozziSimoneSpinozzi Member, Beta Tester Posts: 77 ✭✭✭
    Spoofing is needed for the victims.

    Plain and simple.

    In an utopian world where everybody behaves properly and nobody risks their life because they have made their identity known... then yes... all forms of spoofing will be made illegal.

    Unfortunately i have personally witnessed people reduced to wretches or personally risking their lives... due to other people knowing how to trace them.

    Think of all the harrassment victims. Just to name something stupid. In 2013 a PR made a stupid joke like she always did, just before boarding a plane. Anybody knowing her or following her for more than 1 tweet knew she was not serious and was faking racism. Unfortunately the tweet became viral. People judged her by that single tweet and became enraged disproportionately. By the time her plane landed she had lost her job and became a sensation, it took more than 1 year of hiding before she could show herself again. Do you think she could stay completely cut off from the entire world during that year? or that she today can still go around and show her face using her real name?

    That is one case where she arguably made a bad choice. But what about all the parents of the shooting victims that constantly get mobbed on account that they are "faking it"? There are literal swarms of people going around searching for a reason to be indignated and they exchange addresses and other info about the person of the day.

    Then there are the harrassment victims of relatives. People who have to hide from their own family because of what they sustain every single day. Or people who had a bad breakup with a dangerous spouse/partner. 

    Or people who work in the army and don't want their fitbit to show to everyone where the secret base that they work inside of is located, people in war zones who legitimally fear that somebody could track them by snooping the helpful monthly google reports of "where you have been"... etc. etc. etc.

    Or people with helicopter bosses where even a 10 minute delay once a month is grounds for being fired.

    Ever heard of the (really idiotic) practice of "swatting opponents"? It's used in video games. People geolocate their opponents and literally call the police on them, usually telling the police that they are holding illegal stuff in their hard drives. Plans for bombs, pornographic material with minors... anything that will get them in jail, turn everybody on them, have their own lawyers question them if they "really did it" and confiscate their costly hardware for about a year or two while they parse each and every single document , file and everything in their PC searching for a hidden file or a hidden folder.

    Think about all the people who are famous and do not want to be traced back because they have tons of people "offering" them a better job or more stuff like that.

    Or the "stupid" kinds of spoofing where people just want to cheat at games that geolocate. 

    Basically there are tons of legitimate reasons for spofing, and most of them rely on the fact that people will try and find who you are and punish you. So hiding your phone number, your identity, your position, your... anything and everything... could be a matter of life and death.

    Unfortunately it can be exploited by people who are the guilty ones...

    The problem is... you can't really know and filter people when offering this kind of service.

    Because that is the whole point.

    Victims do not want even more attention on them and/or leaving even more "footprints" for trying to hide themselves.

    Think what happened if you did not know that the person whom you are buying a service from to hide... is the person whom you want to hide from.

    You have never truly experienced paranoia nearing madness levels... until you have lost a lot because of the ill will of people whom you did not suspect would put such ill will towards you.
    Brad72769VioletChepilCiaran
  • pwmeekpwmeek Member, Beta Tester Posts: 96 ✭✭✭
    edited October 18
    PeterP said:
    One form of spoofing that needs to be illegal is phone caller id spoofing.  It is clearly responsible for the explosion of spam & fraudulent robo-calls that we are inundated with daily. Not only should it be illegal, but all telcos should be required to prevent it as the technology now exists to detect and block it. 
    One line of defense available to iPhone users is the ability to send any caller not in your Contacts List straight to voicemail. This has quieted my iPhone by 90% since I implemented it in the latest IOS upgrade (13) - and I haven't missed a single call that I wanted to receive. Now if only my landline provider would offer such a service.

    I need to find out whether a caller not in Contacts can "break through" by calling again within a short time as happens with Do Not Disturb or Busy Driving.
    --Pete
    Bon Vivant and Raconteur
    VioletChepil
  • MarcMarc Member, Beta Tester Posts: 485 ✭✭✭✭✭

    You are correct in that ms flight sim app could begin at any airport or location in its database and end anywhere. Though there is a huge world of add on hardware like gauges, displays etc that perhaps the hardware required a spoofed address?

    Thats Daphnee, she's a good dog...
    VioletChepilCiaran
  • pwmeekpwmeek Member, Beta Tester Posts: 96 ✭✭✭
    edited October 19
    Spoofing is needed for the victims.<snip>
    If I read this correctly, every single example is a case where concealment is needed, not spoofing. I didn't see a single case where it was necessary to provide a FALSE form of information.

    "I won't tell you where I am or who I am," is not the same thing as, "I am somewhere else or I am someone else." Concealment is privacy. Spoofing is lying. You need a very good reason to lie, and I haven't heard one yet (with the possible exception of a flight simulator that is so poorly designed that you can't directly input the desired starting location).
    --Pete
    Bon Vivant and Raconteur
    VioletChepil
  • AldereteAlderete Member, Beta Tester Posts: 13 ✭✭
    edited October 19
    The term "spoofing" as used here is far too general to come to any conclusions about whether it's good or bad. You'll have to be more specific, or it's just barroom philosophical discussion of no consequence.

    The last time I had to do something specific that might be called spoofing was when I was staying at a resort, and wanted to connect my Apple TV to the TV screen in the suite. The resort's Wi-Fi had a capture page that required interaction and acknowledgement for any device connecting to it. Which the Apple TV couldn't do.

    So I set my laptop to use the hardware MAC address of the Apple TV, and connected to the Wi-Fi with that address. Acknowledged and connected via the capture page. And then disconnected the laptop, and connected the Apple TV, which worked for the rest of our stay.

    Was that "lying", as one person here put it? I say no. Harmful? I say no. Necessary? Well, you could argue that I could have watched Netflix on my iPad, but if we set aside Maslow's hierarchy for a minute, it certainly was necessary if I was going to get the Apple TV to work for the two weeks we were in the suite.

    Hardware address spoofing, which is what most people mean by the term, is not good or bad, lying or truth. It's just a technique. It's your intent that matters, what you plan to do with the configuration. The resort wasn't charging by device, and didn’t have a limit on the number of devices. They just needed someone to check a box and click a button to agree to their terms. (Lawyers.) Something the Apple TV couldn't do back then. Absolutely nothing wrong with using spoofing to give the technical system what it needed.

    (Note: there are better solutions today. Apple's devices handle capture pages more gracefully, and the new class of travel router renders the issue moot a different way. I'm on my third generation of those. Point is, at the time, it was the only solution I had available, and there was nothing wrong with using it.)
    VioletChepildmg15
  • SimoneSpinozziSimoneSpinozzi Member, Beta Tester Posts: 77 ✭✭✭
    edited October 20
    pwmeek said:
    Spoofing is needed for the victims.<snip>
    If I read this correctly, every single example is a case where concealment is needed, not spoofing. I didn't see a single case where it was necessary to provide a FALSE form of information.

    "I won't tell you where I am or who I am," is not the same thing as, "I am somewhere else or I am someone else." Concealment is privacy. Spoofing is lying. You need a very good reason to lie, and I haven't heard one yet (with the possible exception of a flight simulator that is so poorly designed that you can't directly input the desired starting location).
    You can evidently move with liberty from one town to another leaving your entire life behind.

    Some people cannot.

    Therefore allowing themselves to be "found" where they are not and forcing their pursuers to go through good old physical investigation is a simpler option. Many of the pursuers i have mentioned are "swarms" or people tho take offense/revenge over idiocies and will be present personally only once and where they think they will find that person, they will not go through extensive physical pursuit. A large swat is self-interested, and therefore unwilling to go through finding the object of their revenge.

    We are not talking about "concealment" because concealment has already been broken. People know you, who you are, what you do.

    We are talking about people who need to redirect the anger of idiots where they can do less harm.

    Take the "fitness app in the army" comment. Set your fitness app in a place where you think there are IEDs. If an explosion happens, you just found out that the enemy is making "bots" that trace your fitness app and will explode on proximity, and that you have a security risk. Spoiler: it happened and was "solved" that way.

    Take a person sought out by other people with harmful intent. Set their GPS and phone to redirect into a police station and the idiots will flock there, where the police has already been warned. Spoiler: it happened and was "solved" that way.

    Take people harassed by relatives. Set your GPS and your phone to redirect to another town (spoiler: google maps will auto-lock onto streets exactly for this purpose instead of showing the exact precise location) and buy yourself the services of a "filter" (in some cases you can totally set your phone to just send all calls you block or that are not in your contacts to a voicemail), put a fake name on your doorbell. Aaaand there is a 75% chance you will get left alone without even having to buy a new apartment. Spoiler: it happened and was "solved" that way.

    Are you harassed online? Buy yourself a VPN service and change nickname, and you can live again. People will not find who you are by comparing IP addresses anymore. Spoiler: it happened and was "solved" that way.

    You don't always need total concealment. Misdirection is usually much simpler and cheaper.
    VioletChepil
  • RomulusRomulus Member, Beta Tester Posts: 34 ✭✭✭
    pwmeek said:
    My hazy (maybe as a MS-DOS program or very early Windows?) recollection of MS Flight Simulator was that it could be directly instructed to begin its simulation at any location within its world map (rather than take its location from an internal GPS - in fact, my MSFS recollection may predate the existence of GPS.) Perhaps your flight simulator isn't even MS or is much newer. 

    =============== 
    * See 1066 and All That by Sellar and Yeatrman (1930)
    You aren't understanding the valid use case that I have.

    The flight simulator generates it's own GPS position. I simply wish to use that position within other applications that have no knowledge of flight simulators.

    So with Google maps running on a tablet separate from the PC running the flight simulation I can track the progress of the aircraft . The PC is simply transmitting it's GPS position as the aircraft moves. As well as more generalized applications there are specialized ones made for real world pilots that will also work in the context of a simulation when fed the simulated aircraft's position.

    The flight sim software I am using is X-Plane 11 and is in fact very modern. Here are a couple of sample screen shots from a recent flight from Reno to Pheonix in the US.


    VioletChepilCiaran
  • vulcansheartvulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    In my field, we have a problem with VoIP phones spoofing their location when dialing 9-1-1. It can be unintentional (owner/subscriber forgot to update location information), or malicious (swatting, bomb threats, etc)
    41 4c 4c 20 59 4f 55 52 20 42 41 53 45 20 41 52 45 20 42 45 4c 4f 4e 47 20 54 4f 20 55 53
    VioletChepil
  • waynerwayner Member, Beta Tester Posts: 19
    One legitimate reason for spoofing is allowing you to move profiles, points, etc from one location to another.  Let's say you grow up in the USA and you become part of a gaming community at home.  You then move to the UK and want to still be able to play the same games at the same level that you had in the past.  That may not be possible with some types of games services - I think this used to be the case with an Xbox and may still be the case..
    Another (to me) legitimate form of spoofing would be to get around government censorship.  If someone in China wants to read about what is happening in Tibet, Hong Kong, Xinjiang, then I think they should be allowed to use spoofing to access such info.
    Ciaran
  • eJonyeJony Member, Beta Tester Posts: 29 ✭✭
    @pwmeek,
    Do you have a Fingbox?
    Have you ever "paused the internet" for a device from the Fing app? Generally speaking that functionality is enabled using "spoofing."

    I consider this a perfectly acceptable form of spoofing.

    Are you expressing a concern with Fing? 
  • pwmeekpwmeek Member, Beta Tester Posts: 96 ✭✭✭
    Let me be clear: Acting or communicating while identifying yourself as a different person or entity is what I (and I think most people) consider to be spoofing. Rerouting packets to prevent a device on your own network from accessing the internet does not fit that definition for me.
    --Pete
    Bon Vivant and Raconteur
  • eJonyeJony Member, Beta Tester Posts: 29 ✭✭
    @pwmeek,
    The fingbox identifies itself as a different entity. That's how it "pauses" internet. Unless you are the router, you can't "pause" internet unless you spoof the router.

  • pwmeekpwmeek Member, Beta Tester Posts: 96 ✭✭✭
    Identifying one device on your own network to another device on your own network...

    Did I have to specify Identifying yourself to another person or entity to make yourself appear to be a different person or entity to deceive a conscious person as to your true identity?

    You're quibbling; you cannot believe from the contents of this entire topic that I had any other definition in mind.
    --Pete
    Bon Vivant and Raconteur
  • eJonyeJony Member, Beta Tester Posts: 29 ✭✭
    edited December 6
    @pwmeek,
    I respect you, and take you on your written words. You asked for an example of when it is acceptable, and I've provided it. It seems to me you accept that as an example of acceptable spoofing. So that's step one.

    Now if you are asking for examples of acceptable spoofing outside your own network, I think it is acceptable and I would actually encourage you randomize MAC addresses (spoofing) prior to authentication to a wireless network, especially for public WiFi. Apple and Google are both implementing this in the network stack of their devices. There are many threads in this community about this (the benefits and drawbacks - although the drawbacks appear to be in circumstances where the functionality wasn't properly implemented).

    I use Google Voice to spoof my phone number so people know it is actually me, when I call from different phone numbers (so regardless of what phone I'm using it always looks like I'm the one who is calling). I use the same iPhone functionality to send phone number not in contacts directly to voicemail so when I call people I want them to know it is me.

    Fundamentlaly, I don't think you can assert that there is anything wrong with spoofing "in principle." To me, that is similar to arguing that there are problems with guns "in principle." But I admire your curiosity looking for acceptable situations and am sincerely curious what you think of the randomized MAC address and Google Voice examples.
    Alderetepwmeek
  • AldereteAlderete Member, Beta Tester Posts: 13 ✭✭
    I'll write it again. As used here, the term "spoofing" is simply too general to come to any absolute agreement about.
    It seems to me that what @pwmeek objects to isn't spoofing, it's deception. It's probably reasonable to say that deceiving others is usually wrong, and deceiving other people for the purposes of your own enrichment is pretty much always wrong.
    Spoofing might be a technique you use to deceive others, but spoofing by itself is neutral, simply a technique.
    pwmeekMarc
  • pwmeekpwmeek Member, Beta Tester Posts: 96 ✭✭✭
    I can accept @Alderete 's definition and sub-clarification as deception. I suspect that the IT community has co-opted this word, diluting its meaning until its use is likely to provoke disagreement.
    @eJony , I can see that there are places where a broadly expanded use of 'spoofing' (such as using it to game a system and actually enlighten another person as to your true identity where the system conceals it) is more than acceptable; it might even be laudable.
    My intent as the OP was to discuss spoofing by its traditional definition as hoaxing or deception. I certainly didn't want a flame war (or even the mildly raised hackles we have seen).
    I can see where there are situations where deceiving a system (as opposed to other people) is a useful and perhaps even an elegant way to work around the limitations of a system.
    --Pete
    Bon Vivant and Raconteur
    Marc
  • CiaranCiaran Administrator Posts: 220 admin
    Very interesting read here in relation to 'Spoofing', thank you all. Generally when I think of 'spoofing' I do think of a user/entity representing themselves as another entity (which automatically implies something sinister/deceptive). However, of course it is not limited to this, some really good examples of other application of 'spoofing' as a technique for positive reasons.  Great discussion folks.
    pwmeek
  • Sageb1Sageb1 Member Posts: 3

    Android 10 actually allows you to spoof your MAC address.

Sign In or Register to comment.