Tracking a Specific Machine Anywhere On The Net 470
An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."
Fingerprinting (Score:5, Insightful)
This dissertation will get this dude himself a position with the NSA. Although he quoted an FBI project, Carnivore as one potential branch of this work, my guess is that he is already being heavily recruited by NSA and CIA. They have more resources than the FBI to grab somebody like this, and would be smart to try and recruit him. Hey Tadayoshi.....you want a job?
Seriously. While lots of folks have been looking at ways to hard code the IP address within the hardware, this is a more impressive (and unique) way of looking at the problem. Everything has a signature of sorts that can be tracked (skin plumes, small molecular phenotypes, genetics, acoustic signatures, thermal signatures, etc....etc....etc...), and Tadayoshi simply decided to examine those small variations built into electronic devices to fingerprint hardware. Very clever, but of course nanomanufacturing is the counter to this technology. I say of course, but the "arms race" to do that is not an insignificant achievement. Tadayoshi's technology will absolutely have some significant staying power.
Easily avoidable? (Score:5, Insightful)
TCP/IP stack (Score:2, Insightful)
1) Erase all your BitTorrent-related tools and get all your stuff from less knowledgeable friends via a DVD burner.
2) Get your hands on that TCP/IP stack implementation and modify it (like the geek you are) to add or subtract one unit at random from the least significant digit of the timestamp. (Is that technically feasible,
Either way, bye-bye Carnivore!
Re:How about this though? (Score:5, Insightful)
You assume incorrectly and are missing the point of this technology. Buy all the PCMCIA cards you want and you will still be able to be tracked with this technology. Essentially, it relies on "clock skewing" which means that when a CPU cycles, there are minor nano differences in the architecture of it that induce slight variations in the timing of the clock at various points throughout the CPU. When expanded out to the entire system, CPU, motherboard, peripherals, the differences become more complicated, but unique and thus easier to establish a unique signature.
Re:Dangers with licence activation (Score:5, Insightful)
Re:Easily avoidable? (Score:2, Insightful)
My guess is OpenBSD will have this or a similar countermeasure pretty soon.
yet another smackdown for freedom (Score:3, Insightful)
counting the number of devices behind a NAT even when the devices use constant or random IP identifications
I, for one, welcome our new time-skew fingerprinting overlords.
Seriously though. This is yet another pile of steaming scary crap. Where are the days when I could telephone someone and NOT have to be identified. (caller id). Now I can't be an anonymous coward because slashdot can sniff my time-skew and put my name up anyway. Now the cable company can learn that I have multiple machines behind the firewall even though my contract says only one
Is this really necessary? Nothing is sacred anymore. I want to be able to live my life behind my walls without people constantly peeking through the curtains, and thats what this is. At some point we have to stand up and say "you stop here" to these damn peeping toms.
Re:This can be good... (Score:4, Insightful)
In addition, it's really of no use to mere mortals... No way is the FBI/NSA going to spend a second looking through their logs to help you catch a small-time criminal. It's only of help for those who have great political importance, and for companies who want to track you...
Re:Fingerprinting (Score:5, Insightful)
This is also totally avoidable by applying modern security practices to old protocols. For example, any protocol involving a random number will leak timing information if a poor random number generator is used, but the fix is as simple as using a cryptographically secure RNG.
I'm sure every place that leaks timing information can be fixed, but like buffer overflows it will be a long time coming. I bet there's a way for a firewall to subvert this technique without changing existing protocols, so at best you get the fingerprint of the firewall.
Re:So... (Score:5, Insightful)
Furthermore, if I understand the concept correctly, this technology is somewhat limited by the need for getting those packages in the first place. You must be somewhere on the line and actively listen. You could use this in a honeypot network to see if you were attacked by the same guy, but from different IP addresses. You could eliminate the quasi-privacy that a dynamic IP address is currently associated with. But you won't catch that pesky kiddie that rerouted his attack through 10k zombies. You won't catch the professional hacker that knows what a SSH gateway is. And you won't catch the "terrorist" that uses iCafe computers anyway.
ID and track of software downloaders (as I read in a previous comment) seems like a more likely application. But even that can be foiled by a determined user.
Re:Wouldn't it be easier (Score:2, Insightful)
Re:Paper and technical details are here: (Score:3, Insightful)
While I don't think this would hold up as evidence in a court of law, it certainly might have some use as a covert authentication protocol, along with the other signatures noted.
With respect to privacy issues, resetting your system time via NTP will break a measurement sample. If you use NTP, and have it update every hour, your clock skew is going to change often enough to make an accurate (long term) measurement very difficult.
--Mike--
Re:Fingerprinting (Score:5, Insightful)
Re:Dangers with licence activation (Score:2, Insightful)
So you can't use the fingerprint for security (this computer is the right one) but you can use it for exclusion (this computer is definatly NOT the right one).
Re:Fingerprinting (Score:5, Insightful)
My question is if this clock skew can me consistantly measured across multiple OS installed on the same laptop (dual boot anyone?).
Re:This can be good... (Score:3, Insightful)
Yep because criminals and pawnshop owners are smart enough to do those things. In a world where people still use crystal meth, I think it's safe to assume jackasses that steal the random laptop or car aren't going to swap hardware on a motherboard or run utilities on a machine.
Re:This can be good... (Score:3, Insightful)
Most people who steal laptops don't even reinstall the OS, and I know people who recovered their laptops using the noip client that they had on the machine (http://www.noip.com).
The thing is, to measure clock skew on a suspect machine you need to be able to connect to it, and if you can connect to it, there is no need to additionally confirm that it's your machine.
Re:Fingerprinting (Score:5, Insightful)
Re:Fingerprinting (Score:3, Insightful)
Yes, but from a law-enforcement point of view, it is very helpful to be able to eliminate members of a suspect list.
It seems to me that the main trouble is that it's going to be so easy to defeat, at least for the really dangerous technically savvy criminals. This could get 14-year-old Johnny in trouble for sharing those albums he downloaded, but Mr. I-Stole-500,000-Credit-Card Numbers will shrug this right off.
Re:entropy (Score:2, Insightful)
Re:Skeptical (Score:2, Insightful)
Line voltage sensitive, too. With the way newer processors throttle their speeds around based on temperature and loading, and the way fans change their parameters based on temperature, I have little hope for this technique nailing any new system.
Let's see, what were the authors using in the lab where they tested machine to machine variations?
"All the machines were Micron PCs with 448MHz Pentium II Processors". Right. From this, we get the grand statement shortly afterward "The current results strongly support our claim that modern processors have relatively stable clock skews". Uh, sorry guys, you didn't use a single modern processor for this section; just some obsolete ones that run so cool they don't have any CPU clock or temperature varation. There's not a machine to be found in their entire test that features the kind of design we seen in acutal modern processors.
Re:Fingerprinting (Score:3, Insightful)
The clock skew for a particular device seemed to be reasonably constant over time and location (+/- 0.5 microsecond/sec) and nearly all devices had skews within the range -100 microseconds/sec to +100 microseconds/sec. This suggests the technique would only be useful for identification purposes when there are less than 100 or so candidate devices. Of course, this figure would go up substantially if the technique can be combined with other measurements (e.g. absolute clock time).
When considering applications of the technique, the author states "For forensics, we anticipate that our techniques will be most useful when arguing that a given device was not involved in a recorded event."
A number of posters have mentioned that the technique can be fooled by adding a random number to each timestamp. This won't work due to the way the author estimates clock skews (the slope of actual time plotted against reported system time) - what is needed is an adjustment to each timestamp that is proportional to the system uptime.
And OS did make a difference - RH9 and Win XP on a particular laptop led to clock skews of -58 and -85 respectively.