Tracking a Specific Machine Anywhere On The Net 470
An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."
This can be good... (Score:5, Interesting)
Ted Tschopp
Dangers with licence activation (Score:5, Interesting)
Several Points here, if true, it could be used to devastating effect in licensing / activation programs. Many publishers view download software onto multiple machines proof of violating single machine license agreements, while at the same time allow multiple downloads of that software to ease customer service burden from "It didn't work when I first tried to download it" calls. If a somebody were to buy such a package and then download it to his desktop and then later to his laptop, this kind of fingerprinting would allow the publisher to catch him.
From TFA, it says that:This sounds to me like firewalls would have to be modified to intentionally hide this data and remove this difference in timestamp calculations (the firewall generates both and back translates when doing NAT). So its just a call for yet another firewall patch. Can the firewall vendors patch and globally implement faster than this privacy exploit be exploited? I would hope so at least.
So... (Score:5, Interesting)
i) most (say, 75%) of internet-connected computers have clock correct to within a couple of minutes.
ii) Few TCP timestamp clocks bother with a click time shorter than 1ms.
That means that 75% of the computers must be mapped to a space containing 4*60*1000 = 240,000 unique items.
Now, surely there are more than a quarter of a million computers on the Net, so how will this enable us to track a device uniquely?
AH! (Score:2, Interesting)
Extremely interesting, and logical. "Microscopic" differences in hardware clock timing. One must wonder if more can be thought of. Chipset timings in nic cards... quantum tcp theory...
for windows user (Score:1, Interesting)
Use either the service built-in one in w2k+, else I recommend Atomic TimeSync [analogx.com], check also their other freeware, some are pretty neat!
PS: no, I do not work for them!
Sceptical (Score:5, Interesting)
I am a little sceptical as to how well this works. PC clocks are rather crappy and temperature sensitive. If you look at the ntp.drift file, you will see a diurnal pattern. Plus, I would suspect that if this technology became widespread, that someone would add some dither to adjtime() to throw it off.
NAT (Score:3, Interesting)
What are you using to track? (Score:4, Interesting)
Re:So... (Score:3, Interesting)
So while the idea is theoretically interesting, I'm not sure it's of any practical use.
Re:This can be good... (Score:0, Interesting)
Clocks Drift (Score:3, Interesting)
I was trying to settle an argument with a friend that I could track him on my site even if he used various proxies.
The technique only worked for a while. And then the difference tended to drift.After a few hours the visitor couldn't be recognised anymore.
I know this is a highly simplified example but wouldn't the clock drift and inaccuracies in time keeping foul up this detection eventually?
Passively obtaining the 'clock skew'/rate of drift etc across the net doesn't seem sufficiently accurate to uniquely identify a machine.
Re:Fingerprinting (Score:2, Interesting)
I can see it now....
gLocate (beta) - Find Your Computer... Anywhere!
Changing Clock (Score:3, Interesting)
If it relies on the clock changing slowly over time, then why wouldn't it be possible to randomly change your clock time by a few milliseconds forward or back every few minutes?
Only distinguishes between 1 machine in 30 or so. (Score:3, Interesting)
Note how linear those skew lines are. That data looks so good that it needs independent verification. Others have observed more variation in clock skew than that. Computer clocks aren't normally observed to have error that consistent. There's variation with temperature. One wonders if they ran this test during a period when the target machines (a computer lab) were not in use.
Re:Wouldn't it be easier (Score:1, Interesting)
Re:Can't you turn this off on Linux? (Score:3, Interesting)
Another way to obfuscate one's self from this fingerprint technique while maintaining compliance might be to modulate your CPU clock/bus speed on a period (day/hour/minute). Under/overclock yourself to hundreds of new identities!
read the paper (Score:5, Interesting)
He was able to identify machines even though they were using NTP. Changing the date/time won't help for the same reasons.
I'd be interested in seeing someone pointout the "quartz crystal" in a notebook. You could modify the skew by swapping some chips. The difficulty of this is not great, simply de-solder the old and solder in the new (of course, the avg slashdotter think soldering is some kind of elite skill). The cost on the other hand is another issue.
If someone were really serious, they would as other posters have mentioned, modify their kernel to use a cryptographic randomization of their skew. However, this is only useful if many people were to do it. Otherwise, you are identified as the guy with the random skew.
As for real use. If the FBI were using this to identify the computers used by the guys who craked them. They could then use their "deployed" servers to look for others with the same fingerprint. They would then have a list of suspects to work with.
Re:Fingerprinting (Score:5, Interesting)
However, I share one concern with you: just because my clock skew is 2.138ms doesn't preclude someone else from having the same skew. Not having had time to read the whole paper, I would like to see data on the probability that two computers may have the same clock skew. If it's 1 in 1000, that doesn't get you far considering the number of unique hosts sending packets across the ether. Also, remember this is only limited to IP protocols that can provide time data.
Atomic Cocks (Score:3, Interesting)
Re:Can't you turn this off on Linux? (Score:3, Interesting)
echo 0 >
echo 0 >
This is very true, however if you read the paper linked in the article.
TCP Timestamps option from RFC 1323 [13] whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device. We stress that one can use our TCP timestamps-based method even when the fingerprintee's system is maintained via NTP [19]. While most modern operating systems enable the TCP timestamps option by default, Windows 2000 and XP machines do not. Therefore, we developed a trick, which involves an intentional violation of RFC 1323 on the part of a semi-passive or active adversary, to convince Microsoft Windows 2000 and XP machines to use the TCP timestamps option in Windows-iniated flows.
I wonder if the same or similar exploit can be done under OSes.
Open BIOS needed (Score:3, Interesting)
Course, I guess portions of the OS might not like that.
Re:Fingerprinting (Score:5, Interesting)
Re:Fingerprinting (Score:5, Interesting)
Even easier than that - Just run an NTP server on your LAN.
RFC1323 specifies a resolution down to 1ms. Below that, the proposed fingerprinting method can't tell anything. Now, I keep one internal machine as a stratum-3 timeserver, and the rest get a feed off that directly over the local ethernet. "ntpq" -p tells me that I have (as of 22 seconds ago) a jitter of 2 to 7ms compared with the outside world. On the inside... Oooh, 0.082ms. Guess what snooping technique will reveal absolutely nothing about my LAN (or any LAN with all machines sync'ed to a common internal source)?
In general, this technique will fail absolutely miserably. The author acknowledges the non-uniqueness of time offsets, but makes the mistake of assuming a more-or-less uniform distribution within a small range of true. In reality, the distribution will fit very tightly inside the 25ms range (oddly enough, thanks to Microsoft including their hack-of-an-NTP-client in Windows XP, and having it on by default), with only one or two percent of machines straying beyond 100ms drift. If this technique can only see down to 1ms, it effectively ends up lumping somewhere around 100 million machines into 200 buckets. Not exactly what I'd call a positive ID, when even a fully-populated class-C would almost certainly result in offset collisions...
Re:Fingerprinting (Score:4, Interesting)
I know changing mine changed the rate of error on the clock.
Re:Fingerprinting (Score:3, Interesting)
Aren't our current random numbers generated from the clock? If so, then adding random numbers to the timestamp won't change the essential nature of the problem will it?
this could help free services (Score:3, Interesting)
If we could have used something like this to ban by computer, that would have been great.
Re:Fingerprinting (Score:2, Interesting)
the problem started when between peer and you 2 NATs, 8 routers and 2 or 3 Ethernet switches.
The only value you can count on is timestamp of the packets in the QoS protocols, RTP, TCP, etc. but this is logical stuff and can be fighted very easy using human driven random generator, prompting you from time to time to "move your mouse inside this window" or some kinetic driven things - small USB plug collecting all movements of yours (i think the last is patented).
i agree with your doubts regarding reliability of this technology.
Simple question: Why? (Score:4, Interesting)
Not so simple:
What is the danger to the world that an individual PC is unidentified?
Compared to that danger, is the loss of anonymous free speech worth it?
If the answer is yes, then do we ourselves get to identify the PC's of CEO's, congressmen, celebrities, and other Upper Class members? Or is anonymity reserved for those who are rich enough, famous enough, powerful enough, or connected enough to hide?
And if they get to hide, but not us, isn't the very security we buy with our freedom to be anonymous then a sham? A method of control, the way Scott Ritter the ex-Marine weapons was slimed with kiddie-porn allegations from law enforcement that were just happening to be monitoring his habits just as he was being vindicated in his proclamations that the war's justifications were fake? BTW: the charges were dropped after his cred was ruined. Nice job burning the witch, Rove. Power to monitor coupled with the power to accuse and charge is the power to silence anyone, anytime for any reason and suffer NO CONSEQUENCES. Who was charged with sliming Ritter at such a politically convenient time for the Bushites? No one. And in the future, when they come for you, no one will save you or punish your accusers. Who themselves are anonymous and untouchable.
Are YOU safe from ruin is someone monitors you 24 hours a day?
If they can justify monitoring your internet usage, or track anyone they like, the legal precedent is set to monitor anyone, anytime, for any reason or non-reason, such as political/economic personal assassination. Not just your PC. What would stop them from establishing cameras on poles in front of your house to monitor your comings and goings? Microphones? They can already "sneak and peak" with a judges rubberstamp and no subpoena. They are establishing precedent to track your car with devices planted without warrant.
The current administration is currently using security laws to crush lawsuits about the detention and torture of people taken secretly after 9/11. Tom Delay used Homeland Security, illegally, to track down the Texas Democrats last year to bring them home to force a vote to disenfranchise Texas democrats - no penalties for him, and a precedent and example was set. The security apparatus established during the hysteria is being used to crush political oppostion to the President and his party; they have shown that they are abusing their power, and care nothing that anyone knows.
The internet is the last, only hope for anonymous gatherings and free speech left in the world, and they, the amalgamate they are desperately shutting down the last means of mankind to speak to power without getting arrested or ruined for claiming their birthright.
I've not the skills to fix this technically. But we need a new communications system, asap, that is not under U.S. control or capable of being traced or monitored. I've got zilch. Is there a way of making a new pipe that CAN'T be subverted or controlled by the power mad? This is a serious question, and we may need an answer really soon.
Firewalls? (Score:4, Interesting)
Re:Fingerprinting (Score:3, Interesting)
2) Right, and older techniques to do different sorts of fingerprinting measure timestamp skew by looking at random number output instead. My point was: for any exploit there is a fix, if you care enough.
3) You mean it *is not* blocked by firewalls today. *Cannot* be blocked is nonsense. A firewall (or even a clever NAT box) can just alter the RFC 1323 TCP timestamps in the passing packets to disguise the source. It's easier than many of the tricks stateful firewalls use today.
Re:Fingerprinting (Score:3, Interesting)
I see some interesting uses, and limitations (Score:4, Interesting)
That said, there are some usefull things you could do with this. One example I can think of would be to detect some obfuscated scanning techniques. As an example, nmap impliments idle scanning [insecure.org], which is usually reasonably obvious because of the characteristic SYN->SYN/ACK->RST sequence, especially if the SYN and RST have different TTL's. Adding timestamp checks would make it more obvious (although, just as difficult to track down the original scanner).
Also, if someone used a decoy scan in nmap, it might be reasonably easy to tell which source addresses were really the same machine. You would probably also get enough information to construct a fairly accurate timestamp/skew profile of that machine. If you ever saw those IP addresses again, then you'd be able to check whether it was the real machine.
But, these are just my own ramblings. At the very least it seems to be interesting work (although the article linked is pretty crummy)
Re:Fingerprinting (Score:3, Interesting)
It may be possible to get much higher resolution measurements by averaging lots of samples. It's possible to measure the speed of light using 'ping' this way.
Re:Fingerprinting (Score:3, Interesting)
Damn, just used my last mod point.
This was exactly what I was wondering. Wouldn't a simple battery swap every now and then mangle the reliability of the drift data? What about the effects of power line conditions, electromagnetic interference, etc.?
If anyone can answer, I'm genuinely curious.
Re:Fingerprinting (Score:3, Interesting)
You can sync all you want, but unless you are syncing every few hundred nanoseconds, the rate of drift will be apparent and measurable.
Re:Fingerprinting (Score:1, Interesting)
The TCP timestamps would carry exactly the same information. If you know what clock spreading chip a motherboard uses, and what the fan control algorithms for the system BIOS are, you could probably even figure out what type of motherboard is being used.
Re:Fingerprinting (Score:3, Interesting)
No, this won't help as it changes the dispersion of the skew samples, but the mean value (that's what they measure) stays the same.
What you need to do is to make your machine clock to appear run slower or faster to the external observer. You can do that by applying constant skew offset to your true clock gradually.
For example, say clock() returns true machine clock, then will make it appear to be running
PS I guess it would still be possible to identify machines that skew their clock skew, but analyzing how they skew the skew, but I generously donate this idea to a post-grad community
Re:Can't you turn this off on Linux? (Score:1, Interesting)