Who wants a Librem router?

Context: Apple keeps a database of wifi MACs and uses it for precise location. Presumably Google and every other major player in this space does the same. Apple’s database was found to be publicly exposed at one point, resulting in a field day for the security press, but closing that hole did nothing to preserve the privacy of anyone who plans on taking their router with them when they move.

What we need is an OpenWRT-friendly router which has:

  1. Old school DIP switches on the back for flipping bits in the MAC address so they will never ever revert to any sort of manufacturing default. MAC addresses are 48 bits; bits 40 and 41 should be zero, so ideally we would have 46 DIP switches. But the more the merrier.

  2. A switch to disable all those annoying flashing lights. Mainstream routers often have this already.

  3. Reasonable compatibility with modern wifi standards in the gigabit range.

  4. Multiple CPUs so we can run fast VPN (without the need for a fan due to high clock rates).

@jonathon.hall Am I dreaming?

4 Likes

Yes.

See also:

7 Likes

It depends what functionality you want i.e. whether you want a router or a “router”. Specifically, a true router does not have or need WiFi. It is just a convenience and cost saving and probably power saving measure that your typical home router plays three unrelated roles: router, Wireless Access Point (WAP), switch.

For me personally, my router acts only in the role of router - with the switch basically not being used and the WAP turned off.

This then ties in with any database of WiFi MACs because that relates only to the WAP piece of the functionality.

If you trust the open source software, I think this could be overkill. All you really need is the opportunity for the software to guarantee to override the non-volatile (permanent) MAC address before anything is transmitted by the WAP. It would need someone more familiar with the low level details of typical WAPs to know whether such a guarantee can exist.

Putting that aside though, I think this raises an ethical issue. If you pick a random MAC address for your WAP and that gets scanned by the borg for incorporation in the database then you are actually stuffing up someone else (the WAP that genuinely has that MAC address permanently assigned). That someone else may want geolocation to work; they may want to be incorporated in the borg and it is not for you to stop them from doing so.

If you are going in this direction then, off the top of my head, I think that what is needed is:

  • a MAC address range that is guaranteed not to be assigned to any other device (but which does otherwise work) - this shouldn’t be too difficult i.e. just get an allocation from the allocating body - you may want a fairly small range (big enough to have room for a given premises to have more than one WAP but small enough to create lots of duplicates) e.g. 8 bits used of the typical 24 bits available to a given manufacturer should be about right, with most people numbering starting from 00 up to FF
  • persuade surveillance capitalism that when they see a WAP MAC address in this range they will not record the information (would just gum things up with duplicates if they do) - with legal enforcement if they won’t comply voluntarily

This is a practical compromise rather than really trying to fix the underlying problem, which is that surveillance capitalism recorded all this information without consent.

Even this may cause some problems if you have portable clients i.e. the client is used first at one privacy-conscious premises and then later on at a different privacy-conscious premises but the two premises are using an identical MAC address on their WAP.

PS Bear in mind that if your WAP supports multiple SSIDs then it typically has multiple MAC addresses. And if your WAP is dual band (as almost all are these days) then it will have different MAC addresses on each band.

Hence, for example, when I scan for WAPs I get a grand total of 16 WAP MAC addresses = 4 SSIDs/band/WAP x 2 bands x 2 WAPs. So if you have more than one WAP and you intend to override via DIP switches (or override using anything in software), you would need to appreciate this detail.

5 Likes

@FranklyFlawless @irvinewade Thanks for the extensive detail. So now that I have a better grasp of the nuances here, I think the following would fit the bill (and make a very marketable home/office router):

  1. Given some (N <= 46) bits of each MAC (LAN, WAN, and wifi) that we can actually change at random.

  2. I somehow provide a seed value to the UI. (The UI might be a lightly customized spin of OpenWRT. No massive reengineering required.)

  3. The router iterates this seed according to a prepublished algorithm. Maybe the iterator is, say, 256 bits wide. I can therefore verify the result on another machine, proving that nobody in the supply chain knows the next set of MACs I’ll choose.

  4. The iteration takes so long (say, something under 10 seconds) that it’s intractable for me to maliciously impersonate someone else by copying their MAC.

  5. The final state of the iterator is sliced into N-bit chunks. From these, a new MAC set is generated, one for each port on each type of PHY.

  6. If I don’t like the new MAC set shown in the UI, I can iterate again, as many times as I want.

  7. At some point I either cancel the operation, or tell the UI to adopt the MAC set, whereupon it burns each MAC into some permanent storage for use on the next boot.

  8. I disable all radios, change the SSIDs, shut down router, and move to my new office location.

  9. I turn on the router at the new location. The new MAC set becomes effective immediately. I turn the radios back on, which now have new MACs and new SSIDs, as do the LAN and WAN ports.

Some issues to consider:

  1. Maybe some particular PHY decides that it needs to broadcast its factory-default MAC before accepting a new one. Soon enough this will be observed and the whole privacy scheme will be subverted. It’s not implausible that this would occur due to someone’s debug mode being enabled on production PHYs, for instance. So someone would need to inspect this before making a BOM commitment.

  2. I’m mostly convinced that N is in fact 46, and in any event at least 23. For proof, connect to a wifi with any modern Android. Record the MAC address. Now disconnect and reconnect (with MAC randomization enabled). It seems to choose “any old” MAC address, but for bits 40 and 41. If Android can do it on a phone, I see no legal or ethical reason why Purism can’t do it on a router.

  3. No amount of assurances from surveillance capitalism would help. Even if they’re honest, it’s an easy bet that all the powers-that-be are doing the same thing. It’s on us for being dumb enough to walk around with persistent MACs.

I’ll pause here for feedback.

2 Likes

The difference is that no permanent database is made of client MAC addresses.

(Technically, a phone can temporarily operate as a hotspot and thereby become a WAP. I don’t know whether it is possible for surveillance capitalism to distinguish a hotspot from a regular WAP. I don’t know what MAC address randomisation options are available when operating as a hotspot.)

Indeed. Your portable client devices should be configured to use MAC address randomisation except when on your home WLAN (or, in some scenarios, just always use MAC address randomisation). At least, that’s the way I have mine set (randomise except when on home WLAN).

Typically though public access is granted to the database. If they are legally obliged not to record certain WAPs, or they claim that they are voluntarily not recording certain WAPs, but they are doing so anyway, then sooner or later they are going to get caught.

It is possible of course that these certain WAPs are recorded but then are suppressed from public access. And governments might have their own databases that do not grant public access (but that’s not surveillance capitalism, that’s just surveillance :frowning_face:).

Right. That’s fair. If you set the L bit (41) - local - in your WAP’s random MAC address then you will never conflict with someone who is just using the permanent MAC address (assigned globally, L bit clear).

The G bit (40) - group i.e. multicast - will be clear.

Perhaps we can assume that if the L bit is set then duplicates are possible, records should not be made, and if records are made then too bad if duplicates mess things up.

So it seems as if we are talking about two almost diametrically-opposed strategies for dealing with surveillance i.e. as random as possible and changing often v. very limited choice so as to create so many duplicates that surveillance is close to worthless.

General comment: So far everything you have said is talking about a WAP, not a router. For me personally, if Librem network equipment came into existence, I would be more interested in a router than a WAP.

2 Likes
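Taking the seed-iteration procedure proposed two posts up (seed, prepublished slow iterator, 256-bit state sliced into 46-bit chunks, one MAC per port) together with the L-bit/G-bit rule in this post, here is an added Python sketch of how a router could derive a verifiable set of locally administered MAC addresses. It is not code from any poster, from Purism or from OpenWrt; the SHA-256 iterator, the round count, the interface names and the way the 256-bit state is extended when more than five 46-bit chunks are needed are all assumptions of the example.

```python
"""Added example: derive a verifiable set of locally administered MAC
addresses from a user-supplied seed.  Not code from the thread, Purism or
OpenWrt; the SHA-256 iterator, round count and interface list are assumptions."""
import hashlib

MAC_BITS = 48
MAC_MASK = (1 << MAC_BITS) - 1
MULTICAST_BIT = 1 << 40   # I/G bit (bit 40): 1 = group/multicast address
LOCAL_BIT = 1 << 41       # U/L bit (bit 41): 1 = locally administered address
FREE_BITS = 46            # every bit except 40 and 41 may be random
FREE_MASK = (1 << FREE_BITS) - 1
DEFAULT_ROUNDS = 200_000  # assumed; tune so one iteration is deliberately slow


def iterate_seed(seed: bytes, rounds: int) -> bytes:
    """Prepublished iterator: hash the seed, then rehash it `rounds` times.
    Anyone holding the seed and the round count can recompute the result."""
    state = hashlib.sha256(seed).digest()
    for _ in range(rounds):
        state = hashlib.sha256(state).digest()
    return state


def mac_from_free_bits(value: int) -> int:
    """Spread 46 free bits over a 48-bit MAC, forcing L=1 and G=0.
    Bits 0..39 of `value` land in MAC bits 0..39, bits 40..45 in MAC bits 42..47."""
    low = value & ((1 << 40) - 1)
    high = (value >> 40) & 0x3F
    mac = (high << 42) | low
    return (mac | LOCAL_BIT) & ~MULTICAST_BIT & MAC_MASK


def is_locally_administered_unicast(mac: int) -> bool:
    """True when the address can never collide with a vendor-assigned (global)
    MAC and is usable as a station/AP address (not a group address)."""
    return bool(mac & LOCAL_BIT) and not (mac & MULTICAST_BIT)


def format_mac(mac: int) -> str:
    """Render a 48-bit integer as the usual colon-separated hex string."""
    return ":".join(f"{(mac >> (8 * (5 - i))) & 0xFF:02x}" for i in range(6))


def derive_mac_set(seed: bytes, interfaces, rounds: int = DEFAULT_ROUNDS) -> dict:
    """Slice the final 256-bit state into 46-bit chunks, one MAC per interface.
    256 bits cover five chunks; for more interfaces the stream is extended with
    SHA-256(state || counter) blocks (an assumption of this example)."""
    state = iterate_seed(seed, rounds)
    stream = state
    counter = 0
    while len(stream) * 8 < FREE_BITS * len(interfaces):
        stream += hashlib.sha256(state + counter.to_bytes(4, "big")).digest()
        counter += 1
    big = int.from_bytes(stream, "big")
    total_bits = len(stream) * 8
    macs = {}
    for i, name in enumerate(interfaces):
        shift = total_bits - FREE_BITS * (i + 1)
        macs[name] = mac_from_free_bits((big >> shift) & FREE_MASK)
    return macs


def verify_mac_set(seed: bytes, interfaces, claimed: dict,
                   rounds: int = DEFAULT_ROUNDS) -> bool:
    """Recompute on an independent machine and compare with what the UI shows."""
    return derive_mac_set(seed, interfaces, rounds) == claimed


if __name__ == "__main__":
    ifaces = ["eth0-wan", "eth1-lan", "wlan0-2g", "wlan0-5g"]   # assumed port list
    seed = b"example seed, constructed"
    chosen = derive_mac_set(seed, ifaces)
    for name, mac in chosen.items():
        print(f"{name:10s} {format_mac(mac)}  "
              f"local-unicast={is_locally_administered_unicast(mac)}")
    print("verified on recompute:", verify_mac_set(seed, ifaces, chosen))
```

The verification half is what makes the scheme auditable: anyone with the seed, the round count and the published function can reproduce the set on another machine, so nobody in the supply chain knows the next set before the owner does. The `is_locally_administered_unicast` check is the L-bit rule from this post in code: an address with bit 41 set is, by construction, outside every vendor-assigned range, and keeping bit 40 clear keeps it out of the multicast space.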

First of all, I have nothing against a router in the classical sense for those who want to do packet filtering, capture, or inspection (even more marketable!). I just want it to come with WAPs.

“The difference is that no permanent database is made of client MAC addresses.” Got it. But does that necessarily imply that it’s somehow a treaty violation to make a WAP with a randomized MAC?

“so many duplicates that surveillance is close to worthless” Sadly this is only true if the database doesn’t have timestamps. It’s really easy to see when a light blinks out over “here” and turns back on over “there” a few hours later, even if literally everyone is using the same MAC set. (And that strategy also says “Hi, I’m a Librem device run by a person who might be of interest to you!”) But truth be told, the status quo is “sitting duck” so even a universal constant MAC set would be an improvement. (Just take a week’s vacation offline between “here” and “there”.)

Have we gotten any closer to consensus on this, or some idea of an MVP? What am I advocating in the design that’s unacceptable to you? Or is it just not answering what you want in a router?

Side note: I would prefer that surveillance capitalism publish all my MACs so I could assess my footprint in real time and take appropriate CI measures. I’m probably not alone in this desire, on this forum, although I realize such a policy would be a nonstarter with most of the public. The worst thing is to be unaware of one’s exposed flanks.

1 Like

No.

You provided claims, but did not back any of it up:

Correct.

1 Like

Treaty violation? :slight_smile: Since when did Big Tech care about that.

We are in agreement that, providing that the L bit is set, all bets are off, go your hardest, generate any random MAC address you like. You have 46 bits to play with.

I do think that you would need to check into what information (SSID, WAP MAC address, or both) clients pay attention to.

For example, on the computer I am sitting on at the moment, it doesn’t seem to store any WAP MAC addresses permanently but you can list some of the MAC addresses for WAPs that it has seen (with nmcli). By contrast, my Librem 5 actually stores these MAC addresses permanently. But does it cause a problem if those MAC addresses are “wrong”?

More importantly, since both of the above are running Linux, you would want to investigate behaviour of iOS and Android clients. There isn’t much point having a super-private WAP if it only works well with Linux clients.

I think you would also need to investigate hotspot behaviour of commonly available phones i.e. to see whether it keeps the same MAC address and, if not, whether it uses a MAC address with the L bit set.

We are probably concerned about different threat models. I am concerned about the collection and operation of geolocation databases using WAPs that was done by e.g. Google / Mozilla without consent. Timestamps only make sense if the entire world is being re-scanned frequently enough to pick up WAPs moving around and/or changing MAC address.

Can you confirm that any of these databases does actually contain a timestamp? If so, consequently, can you confirm how frequently they are being updated?

My preferred solution for this would be making it illegal for surveillance capitalism to create such a database entry without consent (which in practical terms could mean making it illegal to create such a database).

For sure not. I don’t want a WAP inside my router. It would just be a (small) waste of money. I would just turn the WAP component off (which means that the WAP component’s functionality, no matter how good, would be irrelevant to me).

2 Likes

You provided claims, but did not back any of it up

Here you go:

1 Like

see whether it keeps the same MAC address and, if not, whether it uses a MAC address with the L bit set

Well my Android as a client doesn’t set 40 or 41. Not sure what it does when behaving as a hotspot WAP. Maybe someone who happens to have 5G enabled at the moment can test and report back? I assume that “About Phone” will show you the hotspot MAC, but not sure.

I’m also not sure why it would matter whether or not your device remembers previous MACs or SSIDs, provided that it doesn’t try to connect to them when not in range. The problem is that these get observed, by your phone, or someone else’s, or a “pigeon” sitting in a tree, and they end up in a database with timestamp and GPS.

There isn’t much point having a super-private WAP if it only works well with Linux clients.

I think your concern here is that some client device might assume that SSID and MAC imply one another, so if only the latter changed due to randomization, then it would no longer connect and cause the user a debugging hassle. But that can’t be true because think of how many SSIDs have different corresponding MACs in different locations, e.g. restaurant chains.

Timestamps only make sense if the entire world is being re-scanned frequently enough to pick up WAPs moving around and/or changing MAC address.

Assuredly the scanning is fast enough to see WAPs moving if they have constant MAC address, simply because just knowing the start and end of the journey is usually good enough. The article linked above presents some of the IRL ramifications. But randomized WAP MACs would defeat this if they move on the order of a km before powering back on with a new MAC.

Can you confirm that any of these databases does actually contain a timestamp? If so, consequently, can you confirm how frequently they are being updated?

I don’t know anything outside of what the article states, but it’s hard to believe that nobody is doing this with timestamps, or effective timestamps buried in proximate metadata, e.g. audit logs.

My preferred solution for this would be making it illegal for surveillance capitalism to create such a database entry without consent

Definitely not opposed to this but governments wouldn’t be susceptible to any such law, presumably.

For sure not. I don’t want a WAP inside my router. It would just be a (small) waste of money. I would just turn the WAP component off (which means that the WAP component’s functionality, no matter how good, would be irrelevant to me).

Well if that’s an issue then the WAP could be sold as an upgrade plugin module, along with antennas, right? Not opposed to that.

1 Like

Older spyphones do. (I think this is mostly resolved these days.)

Or that the client device requires both to match. So neither implying the other at all. And, yes, the concern is then that it won’t connect and will therefore prompt the user for a PSK for a “new” network.

Or that the client requires the SSID to match and the PSK to work but doesn’t care about the MAC address. So this scenario would be fine.

Or that the client expects the MAC address to match but the only effect of not matching is to slow down the association process.

I’m not saying that this is a problem, only that if this is a central part of your idea for a more private WAP then you need to investigate whether it is a problem.

I would assume so. Hence it matters whether your threat model is surveillance capitalism, governments or both.

:+1:

(I wouldn’t mind if the antenna sockets are present even if I buy the option without the WiFi module.)

I’m a little surprised by that. I thought Android did set the L bit when you specify MAC randomisation.

(As I have MAC randomisation disabled for my home network, I can’t easily test this with my spyphone right now.)

However it’s a bit more complicated because a client should have three possible MAC addresses:

  • the permanent address (you are free never to use this or use this only at home / with trusted networks or use it always if you really want)
  • the address that it uses when attempting to locate a WAP for association with
  • the address that it uses when associated with a WAP (that is not a trusted network)

And, yes, I just raised the possibility that the MAC address behaviour of a phone is different when acting as a hotspot (although that is not relevant to a “router” where the WiFi card would always be in AP mode).

Then there’s all the complication of a WAP that has mesh / repeater functionality i.e. the WAP can end up operating in a hybrid of AP and client mode.

2 Likes

Or that the client device requires both to match.

This is actually what I meant. So SSID and MAC are expected to imply one another based on previous experience. If they don’t then it’s treated as a new network. I suspect that is, in fact, the way stuff works. It’s easily tested by having 2 identical routers with the same SSID. Then see if you always connect to the same admin panel regardless of which one has more bars. So like move one router far away, then swap positions, repeatedly, and see if the MAC you connect to is always the same, or not.

I’m not saying that this is a problem, only that if this is a central part of your idea for a more private WAP then you need to investigate whether it is a problem.

Personally, I just want a manually randomizable MAC on the WAP, so I don’t actually care if some phone considers the same SSID to be lots of different networks; I can just delete the dups from the saved network list. Moreover the problem is that research wouldn’t be meaningful because some device could respond differently tomorrow. I guess the manual would just have to say that randomization can cause potential problems due to SSID duplication.

the address that it uses when attempting to locate a WAP for association with

Wait, are you saying that there are routers out there which use a different MAC for connection handshaking and actual data traffic? (I’m no expert but this sounds insane.) How is that anything more than another opportunity for fingerprinting, unless we randomize both? Or you’re just speculating that some device might behave like this? (Even so, very insightful speculation.)

Then there’s all the complication of a WAP that has mesh / repeater functionality i.e. the WAP can end up operating in a hybrid of AP and client mode.

I think this is fine so long as randomization only happens when manually triggered. You iterate, you lose the connection. At worst you end up with the SSID duplication issue.

1 Like

No. I was referring only to the client. And clients are expected to do that (three different MAC addresses, if you configure for the most aggressive randomisation).

I don’t think that WAPs do this.

I would assume that a person who ports his WAP around town isn’t actually using mesh / repeater. That could get interesting i.e. whether you intend to port a mesh of WAPs around town. Maybe you do? But surely there is a limit of practicality there?

My home network does not use mesh / repeater functionality at all so I don’t know how it works in detail / I don’t know whether randomising the MAC address would cause a problem e.g. does a MAC address get configured in to one unit so that it knows which other unit it should be communicating with? or do they self-organise? (and if so how secure is that and does it introduce new problems?)

2 Likes

No. I was referring only to the client. And clients are expected to do that (three different MAC addresses, if you configure for the most aggressive randomisation).

Wow! Can you elaborate? One to handshake, one for data transmission after handshaking, and one for…? Makes me wonder what “MAC randomization” even means on Android/iOS then. What are the odds that someone did a half-baked job? I assume that L5 got this right but I know nothing.

whether you intend to port a mesh of WAPs around town

Not my use case but it’s actually quite feasible if one wanted to do so: just have all of them select new MAC sets and SSIDs before antennas are enabled or WAN is plugged in.

how secure is that and does it introduce new problems?

Repeaters are MITM attacks in a box: they know your WPA2/3 key, so in principle they could just use the very same WAP to upload it to an attacker, not to mention all of your traffic. If it’s made by a different company than the router, then overall odds of penetration obviously compound. Would be a great way to siphon data because nobody thinks of them as intelligent electronics. In other words, you just convinced me to never install another repeater again (never mind the fact that they’re also pretty much garbage from a QoS standpoint).

You’ve raised some very sophisticated and perilous issues above. Impressive lateral thinking. This should all be debated by the dev team if there’s interest in a router. But frankly existing routers suck so much from a security standpoint that Purism would have a pretty easy time coming up with a superior offering.

Should one of us set up a poll? Like whether one is interested, and what price one would be willing to pay for, say, the nominal 4 LANs, a WAN port, and (optional) 5/2.4 WAPs at gigabit speeds? And maybe “would you pay $X per optional addon Purism repeater”?

1 Like

Refer post 11 above.

One for discovery of WAPs. One for all communication with trusted WAPs. One for all communication with untrusted WAPs. (The second of those would likely be using the permanent MAC address. The other two would be randomised. Typically you would choose a set of trusted WAPs and all other WAPs would be considered to be untrusted.)

I believe that this has been discussed before so best to review existing discussion.

For the record, a router for me is:

  • one LAN port (ethernet) - connects to my main switch (backbone of the LAN, managed) - but, yes, OK the additional cost for 3 unused LAN ports is not much
  • one WAN port - but WAN means different things to different people - so then there is the question as to whether WAN means a plugin module for the required technology or it means a single ethernet port and the customer has to supply a standalone device for the actual WAN, preferably one that is able to operate in some kind of bridged mode (OR if the former then maybe one of the unused LAN ports can be designated as a WAN port)

plus, yes, you want

  • an optional plugin WiFi module

2 Likes

One for discovery of WAPs. One for all communication with trusted WAPs. One for all communication with untrusted WAPs.

So if I understand you correctly, then there are only 2 MACs involved in any given wifi connection: one for discovery and one for data transfer? But then sometimes a given client will refuse to connect to an unknown MAC, so the router must offer the option to randomize either both, or neither (separately on 2.4 and 5 GHz)? (Customers would just need to remember to manually randomize their trusted MACs in the course of a physical relocation, but otherwise they would stay constant.)

I think trying to designate an unused LAN as a WAN is going to be rather cumbersome. But you have a point that 4 LANs is overkill these days. (One could always just attach a commodity router/switch for expansion.) Portability (i.e. small size) of the router matters a lot because customers will want to have MAC randomization everywhere they travel. So how about this for the poll:

  1. Suppose the base config is one Ethernet WAN plus one Ethernet LAN running an OpenWRT spin, with provable but non-targetable MAC randomization. What would you pay relative to the price of a name-brand router with similar (say gigabit bandwidth, ~2 GHz dual core ARM) capability? Same price? $25 more? $50? $75? $100?

  2. What would you pay for a set of screw-in antennas and a wifi module (2.4+5 GHz) with configurable randomization of discovery and data MACs per each frequency? $0 (don’t want it)? $25? $50? $75? $100?

  3. What would you pay for a separate repeater for bonding to external 2.4/5 wifi? $0 (don’t want it)? $25? $50? $75? $100?

  4. Just to get some idea: would you rather pay a market-priced premium for 10 Gbps WAN/LAN, or just have the standard gigabit?

Any tweaks to this?

1 Like

Yes (if talking about the client), except that
a) the two MAC addresses can be the same, and
b) discovery by the client is optional.

I suspect that if the WAP uses MAC randomisation then discovery by the client won’t work (although I guess it depends on the implementation details). So from the perspective of the WAP either its MAC address is randomised or it isn’t.

You may be getting down into details without establishing whether there is any interest in a router at all (where for the purposes of this discussion “router” means a typical home internet appliance offering the potential for routing, WAP and a, say, 4-port switch).

For me, if we were getting down into details, I would be asking what routing and other internet gateway functionality is offered.

There’s also 2.5 Gbit/sec LAN.

My existing triple-WAN router can do that. There isn’t choice about which LAN port is used as WAN - it’s always the same LAN port if that functionality is in use at all - so that specific LAN port is clearly marked as dual role. There is only choice as to whether a LAN port is instead used as an ethernet WAN port. So you have the choice between n-1 ethernet LAN ports with 1 ethernet WAN port and n ethernet LAN ports.

It’s not a big deal for me either way. I have another triple-WAN router that instead has n ethernet LAN ports and offers a range of WAN ports including a, usually unused, ethernet WAN port. So there are n+1 ethernet ports but one of them is usually doing nothing.

The first approach may allow slightly improved compactness (one fewer ethernet ports), which you said was important.

But then in your portable scenario it isn’t clear to me how you are getting on the internet - and hence what type of WAN is most useful to you.

2 Likes

discovery by the client is optional.

How exactly is the client supposed to transfer data to a router if it hasn’t discovered the router to begin with? You mean like the user just says “here’s the router’s MAC so you don’t need the SSID”?

I suspect that if the WAP uses MAC randomisation then discovery by the client won’t work

Well one could just forget the SSID and start over, right? Granted, if one forgets to do that before enabling wifi on the client, then the client might see the SSID and just automatically start talking to its previous MAC, which would then, in effect, leak the prior physical location of that SSID. But at least this is better than the status quo. There probably needs to be a section of the manual which discusses what the router does, and does not, actually afford by way of privacy.

For me, if we were getting down into details, I would be asking what routing and other internet gateway functionality is offered.

Not my area of expertise, so I’d be happy to add questions in this vein if you want to suggest any.

There’s also 2.5 Gbit/sec LAN.

How did I not know this? OK I can just expand the question.

So you have the choice between n-1 ethernet LAN ports with 1 ethernet WAN port and n ethernet LAN ports.

I think most of us would want a dedicated WAN port but I won’t complain if LAN-only is a valid configuration. And yeah, compactness trumps everything but privacy.

what type of WAN is most useful to you

Home/office would generally involve plugging into some sort of modem (fiber, coax, etc) via Ethernet. Travel case would generally involve an air bridge (Ethernet to Purism repeater, then wifi to hotel WAP). The repeater would probably plug into a USB port on the router purely for power acquisition. (Just punch a hole in the firewall for the stupid hotel signin webpage, e.g. 172.16.0.1, which is a whole other security can-of-worms in itself.)

1 Like

There is a difference between “discovery” and “association”.

“Association” is the process of a 4-way handshake where the client and the WAP mutually authenticate (and hence it involves the client knowing the pre-shared key aka passphrase). Association is a pre-requisite for using the WAP to transfer any actual data.

“Discovery” is the process of knowing that the WAP is there at all. There are two ways. “Active” and “Passive”. (Those are not official terms.) “Passive” is the safer way. Every WAP broadcasts a beacon frame every X milliseconds and the beacon frame says “I’m here” and the beacon frame gives the SSID and other useful information (such as what type of security is in use on the SSID). So the client just waits to hear the beacon frame. “Active” involves the client sending a message to the WAP in the hope that the WAP is there and will answer. For that purpose, the client would use a destination MAC address of the WAP that it had previously noted. “Active” is generally frowned upon, since it leaks information but at a minimum if doing this then a randomised source MAC address should be used specifically for this purpose (and then change to a different source MAC address before attempting association - where the choice of source MAC address depends on the discovered SSID).

In that case, what benefit does the router provide? I’m not saying that it can’t provide a benefit, just asking you to elaborate. My point is that if the client device just associates directly to the hotel WiFi and the client uses MAC address randomisation then that isn’t much different. In either case, at a bare minimum, you should only use secure protocols (since the hotel provides an untrusted network, but no more so than the internet as a whole, in general) and in either case you may want to use a VPN.

OK, I can see that the router could provide a more robust firewall than the client by itself does.

I occasionally encounter hotel rooms that give ethernet directly (but I guess even then the hotel room also offers WiFi).

2 Likes

and then change to a different source MAC address before attempting association

OK so if you’re using active discovery (because the SSID is presumably not broadcast, i.e. hidden), then why would it be advantageous for the client to switch to a new randomized MAC for association purposes? Like if you’re at the supermarket and your wifi is bleating out pings at your home hidden SSID, then those pings always have the same (albeit randomized) client MAC stuck on them. If I follow the pings earmarked by that MAC, then I know where you live, as well as where you shop. So you’re already geocompromised in that sense. Trying to compensate for that via a newly randomized MAC (for association) is too little too late. Or what am I missing here? (Just trying to see if we can simplify the minimum viable product.)

OK, I can see that the router could provide a more robust firewall than the client by itself does.

Yes and it’s also more convenient than having to set up N VPNs for N devices every time you enter your room. Not only that, though: VPNs are perniciously racy, if you know what I mean. The firewall killswitches fail all the time, even in some name-brand VPNs. It’s just appalling, as though someone never learned about locking semaphores in uni. The thing is, empirically, routers are simply less poorly designed than device-local VPNs. And let’s not even talk about DNS leaks, DNS cache poisoning, DNS cache tier inconsistencies, etc. Device network stacks are just crap upon crap. At least a router can be power-cycled, which usually causes it to forget various badness (including memory-resident exploits, for that matter).

So basically, a pocket-sized router with a repeater module would be awesome. You would just need to remember to factory-reset the repeater between different hotels, so you don’t walk into your new room at the Hyatt and start broadcasting Hilton_Wifi_Ext as soon as you power it on. In a perfect design, you’d be able to use a barebones HTTP (not S) proxy within the router administration UI itself in order to sign into the hotel login. That way you wouldn’t need to expose your real OS fingerprint to the hotel’s LAN. (“Hello hotel hotspot login! My machine name is ‘Leaky Laptop’ and I’m running Leaky Linux 6.1. I’ll be switching over to VPN in a moment, but make a note of all that so you can track me everywhere I use this repeater in the future!”)

1 Like