Tracking a Specific Machine Anywhere On The Net 470
An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."
Paper and technical details are here: (Score:5, Informative)
John.
Can't you turn this off on Linux? (Score:5, Informative)
echo 0 >
Ok. (Score:1, Informative)
Gee, that doesn't sound breakable.
What about IBM's laptop anti theft stuff (Score:3, Informative)
Re:Wouldn't it be easier (Score:2, Informative)
MAC ADDRESSESS ARE NOT UNIQUE TO THE INTERNET.
on a single segment local lan, yes you can be fairly sure they are unique (but not indellible)
Mac address are trivial to change, spoof , alter,randomize.
In other words:
mac based security, isn't.
Re:Wouldn't it be easier (Score:1, Informative)
Re:Sceptical (Score:5, Informative)
Re:Can't you turn this off on Linux? (Score:5, Informative)
I believe so, and on OpenBSD:
And make the appropriate edit in /etc/sysctl.conf.
Doesn't work that way (Score:5, Informative)
A) the MAC address is available only on the last segment. Or rather, it's at the ethernet (not IP) level, and it's used to direct packets along a particular segment. It changes all the time as a packet moves through the internet, or even disappears completely if you go through an ATM cloud or some such.
B) Most (or at least many) devices allow you to change the MAC address. There are good reasons for doing this.
Re:for windows user (Score:4, Informative)
It doesn't help. They're not tracking time error or system time but clock skew. Essentially if clock is supposed to tick once every second, they're measuring the deviation of the clock from that ideal.
Re:This can be good... (Score:3, Informative)
This is really only a way to get people who are unprepared and not expecting to be snooped on.
Re:Wouldn't it be easier (Score:2, Informative)
Re:Fingerprinting (Score:5, Informative)
Let me put it this way. It is like measuring just height. If you are looking for a suspect who is 6'2", you can rule out the people who are 5'6". But if you find somebody who is 6'2", this does not make them automatically the perpetrator.
You can combine this with other techniques (line nmap). But this would be like saying "the criminal has blond hair and blue eyes, and is 6'2". This would rule out 95% or more of the population, but the false positive rate would still be high.
And now that people know about this, I bet that it would be easy to put in some type of change in the linux kernal to randomize the timing values just a little. Then, you could swamp the signal with noise. Then, you are back to where you were having just nmap.
NTP doesn't help (Score:5, Informative)
Please stop suggesting NTP as a "countermeasure." It doesn't help--this is repeated over and over again in the paper. As far as I can tell, turning of tcp timestamps does.
Re:This can be good... (Score:3, Informative)
this is about determining if a computer that connects to _you_ is possibly the same.
the article of course blows the thing as to be much bigger than just that and ignores ways to defeat this.
if you just skimped it through you'd think that anyone can determine where anywhere on the net is a certain computer - which is of course ridiculous.
Re:Fingerprinting (Score:5, Informative)
If what the are actually measuring is the variations of the individual clock generators (crystal oscillators), those crystals have accuracies measured in PPM (parts per million). So there is not a lot of variation to measure. And the latencies would likely not be able to measured in sub-nanosecond resolution, which is what you would need in order to determine this sort of thing with the type of accuracy that you are describing.
I would imagine that it is like trying to measure the thickness of a penny with a cheap wooden ruler. Yes, you can get a number out of it. But don't expect 5 digits of resolution.
And don't forget that crystal oscillators also have variations that depend on temperature. So your computer could have one skew spec when idling, and another when you are doing some hard gaming.
Of course, I could be completely wrong about this. The article did not have quite enough details. I am making some somewhat-educated guesses here.
Don't misunderstand me though. This is cool stuff. When combined with a tool like nmap, this would give another data point. But somehow I doubt that this is the super "computer fingerprint that is made out to be. And I doubt that it could be used as evidence in a criminal trial.
How to disable in Windows 98 (Score:1, Informative)
Value Name: Tcp1323Opts
Value Type: String Value
Value Data: 1
Details: The possible settings are 0 - No Windowscaling and Timestamp Options, 1 - Window scaling but no Timestamp options, 3 - Window scaling and Time stamp options. The value is documented in RFC 1323. According to Microsoft, Tcp1323Opts should be a DWORD, rather than a string value, however seems that the documentation is incorrect and a string value is necessary to enable large RWIN support.
http://www.wisenetworks.net/tweaks.html [wisenetworks.net]
Re:Sceptical (Score:3, Informative)
So, the way to accomplish this is by finding a non-reproducable seed value. The Intel PIII has a "hardware random number generator that uses thermal noise" as the seed. Open SSH uses PRNG to create entropy by doing such things watching timing in between keystrokes to generate their seed. So, numbers may indeed be random with an adequately non-reproducible seed.
Re:OpenBSD (Score:2, Informative)
Re:Way around it... (Score:3, Informative)
In pf.conf simply add the following line:
scrub on $ext_if all reassemble tcp
and you are good to go.
Re:Paper and technical details are here: (Score:3, Informative)
Kind of. You'll need to reset to an NTP server sufficiently often that your total drift never approraches the resolution of the system's timestamp clock. No measurable drift means no measurable skew.
So if you have a system that uses a TSopt clock with 500 ms resolution (such as OSX or OpenBSD) on a machine with 50 ppm skew, you'll need to reset to NTP much less than every 10,000 seconds to remain unresolvable. But if you're running a system with a 10 ms resolution (RH 9.0, Debian 3.0, FreeBSD 5.2.1) and your machine has a 100 ppm skew, you'll have to reset to NTP much less than every 100 seconds to remain hidden. (Unless I slipped a decimal point somewhere, anyway.)
The author has some more techniques already lined up, too, so it should make for an interesting arms race as people try to dirupt the predictability of their systems' timings.
Still, it does seem to me that the resolution of this technique is too low to effectively track every machine on the internet. If I were someone the NSA was hunting in particular, though, I'd be changing clock battieries in my laptop daily, or using a GPS card to stay in constant synch.
entropy (Score:4, Informative)
This is incredibly accurate (Score:4, Informative)
The article linked to by slashdot does not fit the technical aptitude of many of the readers. Fortunately, it does link to the actual 15 page paper. The official page link with abstract is here [caida.org]. The full 15-page text is available in PDF. [caida.org]
With regards to your question about accuracy, here is a snippet from the actual paper(PDF)
This is an incredibly accurate and precise method of verrifying if the computer is the same.
Some people have also mentioned NTP subverting this method. Here are a coupole of key quotes about NTP.
Additionally, the method described can be used with the TCP timestamps option which
Paraphrasing, The article says that this technique can be used by websites, Carnivore-like apps, anybody between you and the computer you are communicating with, banner-ad companies and ISPs (think comcast forcing you to not use a NAT).
This is an incredible, and incredibly scary, way to track a physical computer. Doubtless, many security reform
7 bits of identification/entropy (Score:2, Informative)
Comment removed (Score:3, Informative)
Not how it works (Score:2, Informative)
The difference - 599 ticks, is the clock skew. You can set your clock with ntpd 86400 times a day (once a second), and your clock skew will be ~599 ticks. You can set your clock once a week with ntpd, and your clock skew will STILL be ~599 ticks. Clock skew it independant of what time your clock thinks it is.
By clock skew, they mean the difference by which each computer counts time. That is what is being measured.
Re:Skeptical (Score:2, Informative)