Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Privacy

Tracking a Specific Machine Anywhere On The Net 470

An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."
This discussion has been archived. No new comments can be posted.

Tracking a Specific Machine Anywhere On The Net

Comments Filter:
  • Fingerprinting (Score:5, Insightful)

    by BWJones ( 18351 ) * on Friday March 04, 2005 @12:46PM (#11844981) Homepage Journal
    Ph.D. student Tadayoshi Kohno said: "There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting ... without the fingerprinted device's known cooperation."

    This dissertation will get this dude himself a position with the NSA. Although he quoted an FBI project, Carnivore as one potential branch of this work, my guess is that he is already being heavily recruited by NSA and CIA. They have more resources than the FBI to grab somebody like this, and would be smart to try and recruit him. Hey Tadayoshi.....you want a job?

    Seriously. While lots of folks have been looking at ways to hard code the IP address within the hardware, this is a more impressive (and unique) way of looking at the problem. Everything has a signature of sorts that can be tracked (skin plumes, small molecular phenotypes, genetics, acoustic signatures, thermal signatures, etc....etc....etc...), and Tadayoshi simply decided to examine those small variations built into electronic devices to fingerprint hardware. Very clever, but of course nanomanufacturing is the counter to this technology. I say of course, but the "arms race" to do that is not an insignificant achievement. Tadayoshi's technology will absolutely have some significant staying power.

    • Re:Fingerprinting (Score:5, Insightful)

      by lgw ( 121541 ) on Friday March 04, 2005 @12:58PM (#11845133) Journal
      Using timeskew to learn about machines is not new - it's been used for years as part of OS fingerprinting. This application is pretty insightful, however.

      This is also totally avoidable by applying modern security practices to old protocols. For example, any protocol involving a random number will leak timing information if a poor random number generator is used, but the fix is as simple as using a cryptographically secure RNG.

      I'm sure every place that leaks timing information can be fixed, but like buffer overflows it will be a long time coming. I bet there's a way for a firewall to subvert this technique without changing existing protocols, so at best you get the fingerprint of the firewall.
      • Re:Fingerprinting (Score:5, Informative)

        by harrkev ( 623093 ) <[gro.ylimafnoslerrah] [ta] [dsmfk]> on Friday March 04, 2005 @01:14PM (#11845291) Homepage
        The application might be insightful, but to me it seems almost useless. From my reading of the article, it seems that they get ONE number -- a skew value. ONE NUMBER - that's it! This might be useful in proving that a particular machine is NOT the one that you are looking for, but it will likely suffer from a high false-positive rate.

        Let me put it this way. It is like measuring just height. If you are looking for a suspect who is 6'2", you can rule out the people who are 5'6". But if you find somebody who is 6'2", this does not make them automatically the perpetrator.

        You can combine this with other techniques (line nmap). But this would be like saying "the criminal has blond hair and blue eyes, and is 6'2". This would rule out 95% or more of the population, but the false positive rate would still be high.

        And now that people know about this, I bet that it would be easy to put in some type of change in the linux kernal to randomize the timing values just a little. Then, you could swamp the signal with noise. Then, you are back to where you were having just nmap.
        • Re:Fingerprinting (Score:5, Insightful)

          by Zapman ( 2662 ) on Friday March 04, 2005 @01:29PM (#11845419)
          Until this technique is put into the field, we won't know how good this 'one number' is. You could encode the gene sequence of a human into one (rather large) number, and it'd be pretty good as an indentifier. If there's enough entropy in the clock skews, then it could uniquely identify 1 computer out of a billion or so. But that's an 'if'.

          My question is if this clock skew can me consistantly measured across multiple OS installed on the same laptop (dual boot anyone?).
          • entropy (Score:4, Informative)

            by djtack ( 545324 ) on Friday March 04, 2005 @03:57PM (#11847033)
            Look on page 7 of the paper... At 2000 packets per hour, the skew value has > 6 bits of etropy (enough to uniquely identify 1 computer in a million).
          • Re:Fingerprinting (Score:3, Insightful)

            by XSpud ( 801834 )
            I took a bit of time to read the paper [caida.org] and there's some interesting stuff there.

            The clock skew for a particular device seemed to be reasonably constant over time and location (+/- 0.5 microsecond/sec) and nearly all devices had skews within the range -100 microseconds/sec to +100 microseconds/sec. This suggests the technique would only be useful for identification purposes when there are less than 100 or so candidate devices. Of course, this figure would go up substantially if the technique can be combine

        • Re:Fingerprinting (Score:5, Interesting)

          by akad0nric0 ( 398141 ) on Friday March 04, 2005 @01:50PM (#11845650)
          This is definitely beatable, but the individual being monitored would have to know he/she is being monitored. For catching less computer-savvy criminals, it might help.

          However, I share one concern with you: just because my clock skew is 2.138ms doesn't preclude someone else from having the same skew. Not having had time to read the whole paper, I would like to see data on the probability that two computers may have the same clock skew. If it's 1 in 1000, that doesn't get you far considering the number of unique hosts sending packets across the ether. Also, remember this is only limited to IP protocols that can provide time data.
        • Re:Fingerprinting (Score:3, Insightful)

          by Lagged2Death ( 31596 )
          This might be useful in proving that a particular machine is NOT the one that you are looking for, but it will likely suffer from a high false-positive rate... this would be like saying "the criminal has blond hair and blue eyes, and is 6'2". This would rule out 95% or more of the population, but the false positive rate would still be high.

          Yes, but from a law-enforcement point of view, it is very helpful to be able to eliminate members of a suspect list.

          It seems to me that the main trouble is that it's

      • Re:Fingerprinting (Score:5, Insightful)

        by B'Trey ( 111263 ) on Friday March 04, 2005 @01:25PM (#11845376)
        Is this the same timeskew that the Kerberos protocol measures, which is simply a measurement of the difference in the setting of the client clock as compared to the server clock? If so, isn't this defeated by simply changing the system time? A cron job to run an NTP update once an hour and viola, this technique is useless. Or, since we're talking about the TCP timestamp, a simple mod to the TCP/IP stack that alters the timestamp by some tiny, random amount. And, as you pointed out, it seems it would be trivial for a firewall or NAT device to subvert the technique by simply rewriting the TCP timestamp.
        • Re:Fingerprinting (Score:3, Interesting)

          a simple mod to the TCP/IP stack that alters the timestamp by some tiny, random amount

          Aren't our current random numbers generated from the clock? If so, then adding random numbers to the timestamp won't change the essential nature of the problem will it?
        • Re:Fingerprinting (Score:3, Informative)

          by flok ( 24996 )
          Sorry, I could not resist to reply to this.
          Running ntpdate from a cronjob (that's what you're talking about) is silly. You would then still have 59 minutes in which the clock can skew as much as it likes.
          If you want to do it the right way, download the ntp client [ntp.org] from ntp.org. That one constantly adjusts your clock depending on the skew it carefully measures over a longer period of time.

          (climbs of soapbox)
        • Re:Fingerprinting (Score:3, Interesting)

          by apankrat ( 314147 )
          a simple mod to the TCP/IP stack that alters the timestamp by some tiny, random amount

          No, this won't help as it changes the dispersion of the skew samples, but the mean value (that's what they measure) stays the same.

          What you need to do is to make your machine clock to appear run slower or faster to the external observer. You can do that by applying constant skew offset to your true clock gradually.

          For example, say clock() returns true machine clock, then

          uint my_clock() { return clock + clock()/1000; }

      • Re:Fingerprinting (Score:5, Interesting)

        by pla ( 258480 ) on Friday March 04, 2005 @02:10PM (#11845841) Journal
        This is also totally avoidable by applying modern security practices to old protocols

        Even easier than that - Just run an NTP server on your LAN.

        RFC1323 specifies a resolution down to 1ms. Below that, the proposed fingerprinting method can't tell anything. Now, I keep one internal machine as a stratum-3 timeserver, and the rest get a feed off that directly over the local ethernet. "ntpq" -p tells me that I have (as of 22 seconds ago) a jitter of 2 to 7ms compared with the outside world. On the inside... Oooh, 0.082ms. Guess what snooping technique will reveal absolutely nothing about my LAN (or any LAN with all machines sync'ed to a common internal source)?

        In general, this technique will fail absolutely miserably. The author acknowledges the non-uniqueness of time offsets, but makes the mistake of assuming a more-or-less uniform distribution within a small range of true. In reality, the distribution will fit very tightly inside the 25ms range (oddly enough, thanks to Microsoft including their hack-of-an-NTP-client in Windows XP, and having it on by default), with only one or two percent of machines straying beyond 100ms drift. If this technique can only see down to 1ms, it effectively ends up lumping somewhere around 100 million machines into 200 buckets. Not exactly what I'd call a positive ID, when even a fully-populated class-C would almost certainly result in offset collisions...
        • Re:Fingerprinting (Score:3, Interesting)

          by lgw ( 121541 )
          That's a good point! So you could either:
          • Mess with the timestamps in the packets at the border to your network (similar to some other modern firewall techniques), disguising what's in your network without having to change the machines, or
          • Simply sync all your machines, making them indistinguishable, without having to change the firewall (plus having an NTP server is useful in other ways too)

          Nevertheless, Kohno's technique is still pretty good because it will work today on many machines, and we all know h

        • Re:Fingerprinting (Score:3, Interesting)

          by djtack ( 545324 )
          RFC1323 specifies a resolution down to 1ms. Below that, the proposed fingerprinting method can't tell anything.

          It may be possible to get much higher resolution measurements by averaging lots of samples. It's possible to measure the speed of light using 'ping' this way.
        • Re:Fingerprinting (Score:3, Interesting)

          He's measuring the rate of drift, not how far your clock has drifted.

          You can sync all you want, but unless you are syncing every few hundred nanoseconds, the rate of drift will be apparent and measurable.
    • Re:Fingerprinting (Score:2, Interesting)

      by dickeya ( 733264 )
      That's if Google doesn't get him first. From the sounds of their recruiting policy they may be right up there with some of the government agencies, maybe even beyond.

      I can see it now....
      gLocate (beta) - Find Your Computer... Anywhere!
    • Firewalls? (Score:4, Interesting)

      by whoever57 ( 658626 ) on Friday March 04, 2005 @02:33PM (#11846067) Journal
      If I read this article correctly, it requires the target to respond to TCP packets. Now, a stateful firewall is likely to prevent such repsonses ever being sent if they are unsolicited, so unless such a system were installed in every ISP or at Akamai's servers, or similar(and used connections initiated by the clients) it is not going to work.
  • http://www.cse.ucsd.edu/users/tkohno/papers/PDF/

    • Having read the actual article (Thanks John), it's very interesting to see the strengths and weaknesses of their approach. It seems that power management as a side effect changes the clock drift (skew), and laptops are especially drifty due to changing power states.

      While I don't think this would hold up as evidence in a court of law, it certainly might have some use as a covert authentication protocol, along with the other signatures noted.

      With respect to privacy issues, resetting your system time via NT

      • With respect to privacy issues, resetting your system time via NTP will break a measurement sample. If you use NTP, and have it update every hour, your clock skew is going to change often enough to make an accurate (long term) measurement very difficult.

        Kind of. You'll need to reset to an NTP server sufficiently often that your total drift never approraches the resolution of the system's timestamp clock. No measurable drift means no measurable skew.

        So if you have a system that uses a TSopt clock with 500
  • This can be good... (Score:5, Interesting)

    by TedTschopp ( 244839 ) on Friday March 04, 2005 @12:47PM (#11845004) Homepage
    I have a co-worker who just got her laptop stolen. Now if the computer could be tracked when the jerk logs it into the Internet, that would be helpful in tracking the guy down.

    Ted Tschopp
    • by evilviper ( 135110 ) on Friday March 04, 2005 @12:57PM (#11845122) Journal
      This is the kind of thing that is only useful in the short-term, as criminals will quickly learn to easily and cheaply swap-out the time-keeping devices (quartz crystal) on notebooks. Or just by changing the date/time, or running NTPD on the machine...

      In addition, it's really of no use to mere mortals... No way is the FBI/NSA going to spend a second looking through their logs to help you catch a small-time criminal. It's only of help for those who have great political importance, and for companies who want to track you...

      • by Rei ( 128717 )
        ... or, in Linux, modify your kernel source to mess with your TCP packet writing code (I doubt it will take that long for such a patch to come up). Or, if you're writing a new application, use libnet, do raw packet writing, and either don't use Option 8 or lie when you write it.

        This is really only a way to get people who are unprepared and not expecting to be snooped on.
      • "This is the kind of thing that is only useful in the short-term, as criminals will quickly learn to easily and cheaply swap-out the time-keeping devices (quartz crystal) on notebooks. Or just by changing the date/time, or running NTPD on the machine..."

        Yep because criminals and pawnshop owners are smart enough to do those things. In a world where people still use crystal meth, I think it's safe to assume jackasses that steal the random laptop or car aren't going to swap hardware on a motherboard or run ut
      • read the paper (Score:5, Interesting)

        by willCode4Beer.com ( 783783 ) on Friday March 04, 2005 @01:36PM (#11845483) Homepage Journal
        You might want to actually read the paper.
        He was able to identify machines even though they were using NTP. Changing the date/time won't help for the same reasons.

        I'd be interested in seeing someone pointout the "quartz crystal" in a notebook. You could modify the skew by swapping some chips. The difficulty of this is not great, simply de-solder the old and solder in the new (of course, the avg slashdotter think soldering is some kind of elite skill). The cost on the other hand is another issue.

        If someone were really serious, they would as other posters have mentioned, modify their kernel to use a cryptographic randomization of their skew. However, this is only useful if many people were to do it. Otherwise, you are identified as the guy with the random skew.

        As for real use. If the FBI were using this to identify the computers used by the guys who craked them. They could then use their "deployed" servers to look for others with the same fingerprint. They would then have a list of suspects to work with.
      • by khrtt ( 701691 )
        Ever try to swap a quartz in a notebook? You'd have to take the whole damn thing apart, take out the motherboard, find the RTC crystal on it, obtain a replacement crystal (same model/frequency), and solder it in. If you have enough skills to do that, you probably don't need to bother stealing laptops in the first place.

        Most people who steal laptops don't even reinstall the OS, and I know people who recovered their laptops using the noip client that they had on the machine (http://www.noip.com).

        The thing
    • ... and as all things that can be good, it will only be used for evil.
    • by gl4ss ( 559668 )
      but that's not what this is about, really.

      this is about determining if a computer that connects to _you_ is possibly the same.

      the article of course blows the thing as to be much bigger than just that and ignores ways to defeat this.

      if you just skimped it through you'd think that anyone can determine where anywhere on the net is a certain computer - which is of course ridiculous.
  • by Harodotus ( 680139 ) * on Friday March 04, 2005 @12:48PM (#11845012) Homepage

    Several Points here, if true, it could be used to devastating effect in licensing / activation programs. Many publishers view download software onto multiple machines proof of violating single machine license agreements, while at the same time allow multiple downloads of that software to ease customer service burden from "It didn't work when I first tried to download it" calls. If a somebody were to buy such a package and then download it to his desktop and then later to his laptop, this kind of fingerprinting would allow the publisher to catch him.

    From TFA, it says that:
    The technique works by "exploiting small, microscopic deviations in device hardware: clock skews." In practice, Kohno's paper says, his techniques "exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device."

    This sounds to me like firewalls would have to be modified to intentionally hide this data and remove this difference in timestamp calculations (the firewall generates both and back translates when doing NAT). So its just a call for yet another firewall patch. Can the firewall vendors patch and globally implement faster than this privacy exploit be exploited? I would hope so at least.

    • by msaulters ( 130992 ) on Friday March 04, 2005 @12:55PM (#11845097) Homepage
      I'd like to know what are the chances of two, three, or more machines having the same clock skew? The article says that in their test, the clock skew was discernable for otherwise identical systems, but he has a miniscule data sample compared to the hundreds of millions of devices now out there. This would cause MAJOR headaches when activation fails because some other system has the same clock skew as yours.
  • by WordODD ( 706788 ) on Friday March 04, 2005 @12:48PM (#11845013)
    I assume it relies heavily on the specific NIC so what if you just changed the NIC everytime you connected to the network? Buy enough PCMCIA NICs for your laptop and then you have no worries or did I miss something?
    • by BWJones ( 18351 ) * on Friday March 04, 2005 @12:54PM (#11845092) Homepage Journal
      I assume it relies heavily on the specific NIC so what if you just changed the NIC everytime you connected to the network? Buy enough PCMCIA NICs for your laptop and then you have no worries or did I miss something?

      You assume incorrectly and are missing the point of this technology. Buy all the PCMCIA cards you want and you will still be able to be tracked with this technology. Essentially, it relies on "clock skewing" which means that when a CPU cycles, there are minor nano differences in the architecture of it that induce slight variations in the timing of the clock at various points throughout the CPU. When expanded out to the entire system, CPU, motherboard, peripherals, the differences become more complicated, but unique and thus easier to establish a unique signature.

  • by natrius ( 642724 ) * <niranNO@SPAMniran.org> on Friday March 04, 2005 @12:49PM (#11845027) Homepage
    hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.
  • So... (Score:5, Interesting)

    by gowen ( 141411 ) <gwowen@gmail.com> on Friday March 04, 2005 @12:50PM (#11845042) Homepage Journal
    Here's what I don't see. Let's say:
    i) most (say, 75%) of internet-connected computers have clock correct to within a couple of minutes.
    ii) Few TCP timestamp clocks bother with a click time shorter than 1ms.

    That means that 75% of the computers must be mapped to a space containing 4*60*1000 = 240,000 unique items.

    Now, surely there are more than a quarter of a million computers on the Net, so how will this enable us to track a device uniquely?
    • I agree... very good point.

      However, it's one piece of data that can be added to other pieces of data to uniquely identify you.
    • Re:So... (Score:3, Interesting)

      by Fred_A ( 10934 )
      Besides nowadays XP and major Linux distributions seem to enable NTP by default so the clock drift would be way lower than a couple of minutes for most machines...

      So while the idea is theoretically interesting, I'm not sure it's of any practical use.
    • Re:So... (Score:5, Insightful)

      by Laurentiu ( 830504 ) on Friday March 04, 2005 @01:09PM (#11845252)
      If you search for computers on the whole net, that may well be the case. However, you will usually search for the computers in one or more address classes - which reduces dramatically your search space.

      Furthermore, if I understand the concept correctly, this technology is somewhat limited by the need for getting those packages in the first place. You must be somewhere on the line and actively listen. You could use this in a honeypot network to see if you were attacked by the same guy, but from different IP addresses. You could eliminate the quasi-privacy that a dynamic IP address is currently associated with. But you won't catch that pesky kiddie that rerouted his attack through 10k zombies. You won't catch the professional hacker that knows what a SSH gateway is. And you won't catch the "terrorist" that uses iCafe computers anyway.

      ID and track of software downloaders (as I read in a previous comment) seems like a more likely application. But even that can be foiled by a determined user.
  • Easily avoidable? (Score:5, Insightful)

    by DarkHand ( 608301 ) on Friday March 04, 2005 @12:51PM (#11845044)
    Wouldn't very slight randomizing of packet timestamps completely nullify this method?
  • AH! (Score:2, Interesting)

    by kc0re ( 739168 )
    So the government has finally figured out a way to track us all no matter where we go, behind any amount of device, no matter what. AFAIK, this is already being done using different methods, (read: not clock skew)

    Extremely interesting, and logical. "Microscopic" differences in hardware clock timing. One must wonder if more can be thought of. Chipset timings in nic cards... quantum tcp theory...
  • just disappeared completely.

    (I mean your actual rights, not the /. category)
    • Yep. There they go. I'm not even allowed to post this comment now. Or to say that George Bush is a moron and doesn't deserve to be president.

      Wow, I hate this new fascism. Why do I bother writing this? Nobody will ever see it now that my rights on-line are gone...
  • by commodoresloat ( 172735 ) on Friday March 04, 2005 @12:51PM (#11845050)
    The first comment in this thread is on topic, insightful, and the poster obviously RTFA. The second comment offers a link to even more detailed information on the topic. Is this really slashdot or did I visit the wrong site?
  • by Anonymous Coward on Friday March 04, 2005 @12:52PM (#11845056)
    Can't you turn this off on Linux with
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps

    • by demi ( 17616 ) on Friday March 04, 2005 @01:02PM (#11845178) Homepage Journal

      I believe so, and on OpenBSD:

      sysctl -w net.inet.tcp.rfc1323=0

      And make the appropriate edit in /etc/sysctl.conf.

    • Purposeful noncompliance is easy to detect.

      Another way to obfuscate one's self from this fingerprint technique while maintaining compliance might be to modulate your CPU clock/bus speed on a period (day/hour/minute). Under/overclock yourself to hundreds of new identities!
    • Can't you turn this off on Linux with
      echo 0 > /proc/sys/net/ipv4/tcp_timestamps Can't you turn this off on Linux with
      echo 0 > /proc/sys/net/ipv4/tcp_timestamps

      This is very true, however if you read the paper linked in the article.

      TCP Timestamps option from RFC 1323 [13] whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device'
  • Sceptical (Score:5, Interesting)

    by bsd4me ( 759597 ) on Friday March 04, 2005 @12:53PM (#11845069)

    I am a little sceptical as to how well this works. PC clocks are rather crappy and temperature sensitive. If you look at the ntp.drift file, you will see a diurnal pattern. Plus, I would suspect that if this technology became widespread, that someone would add some dither to adjtime() to throw it off.

    • I'm confused:
      This ntp.drift file - is it in the \Windows folder, or \Documents and Settings?
      • by creysoft ( 856713 ) on Friday March 04, 2005 @01:11PM (#11845268)
        You can get it from the File Object Retainer Mapped Access Table (FORMAT). The data you're looking for is stored on C:, so:

        FORMAT C:

        Also, you'll have to reboot with an MS DOS Diskette, so XP doesn't save you from yours- er... because WinXP hides that data. _

        Yeah, that's it. ;-)
    • Re:Sceptical (Score:5, Informative)

      by jerdenn ( 86993 ) <jerdenn@dennany.org> on Friday March 04, 2005 @01:02PM (#11845177)
      My thoughts exactly. If this becomes a common method for tracking machines, then it will be trivial to change the TCP implementation on open source operating systems to non-deterministically generate the TCP timestamp.

    • Oops; brain fart. ntp.drift is the wrong place to look. You have to enable statistics loging in ntp.conf.

  • TCP/IP stack (Score:2, Insightful)

    by Laurentiu ( 830504 )
    You own a Linux box. You know about this technique. You:

    1) Erase all your BitTorrent-related tools and get all your stuff from less knowledgeable friends via a DVD burner.

    2) Get your hands on that TCP/IP stack implementation and modify it (like the geek you are) to add or subtract one unit at random from the least significant digit of the timestamp. (Is that technically feasible, /.ers? I believe it is, but I'm no expert.)

    Either way, bye-bye Carnivore!
  • by varmittang ( 849469 ) on Friday March 04, 2005 @12:53PM (#11845076)
    New IBM ThinkPad computers will now have support for Absolute's Computrace solutions embedded into the BIOS firmware starting with the new T-series. Absolute's Computrace technology powers Absolute's guaranteed PC theft recovery and secure asset tracking services. In the event a computer is stolen, Absolute guarantees the recovery of the computer, and can remotely delete sensitive data from the stolen computer when data privacy is a concern. If the computer is not recovered within 30-60 days, the customer may be eligible for a Recovery Guarantee payment of up to $1,000(1). Link: http://productsource.govtech.net/stories.php?story =528
  • NAT (Score:3, Interesting)

    by BradleyUffner ( 103496 ) on Friday March 04, 2005 @12:54PM (#11845085) Homepage
    Couldn't the box doing the NATting just mess with the timestamp of all the packets that pass through it? Add a very slight bit random noise to distort the timing fingerprint.
    • Re:NAT (Score:2, Troll)

      by quelrods ( 521005 )
      Exactly! After the technique to use timestamps to count hosts behind nat OpenBSD added tcp options to the scrub directive. For all my isp knows I have a single box since I have the firewall generating strong ISN's as well as scrubbing timestamps.
  • by Evil W1zard ( 832703 ) on Friday March 04, 2005 @12:56PM (#11845109) Journal
    I am under the assumption that a packet sniffer needs to be somewhere in-line to accomplish this tracking? I mean if person X is sniffing traffic off router Y and then person X moves to another geographic location and uses router Z the person tracking this box won't get squat? And for the purpose of telling how many systems are in a network that is using NAT, well aren't there dozens of ways to do that already? This sounds to me more along the lines of really neat idea that won't have a real practical use. And using clock skews doesn't seem to sound viable either as there are millions of systems online and with different time zones and that amount of systems how many will have the same skew. (I am no expert on clock skews so maybe I am misunderstanding this)
  • by pintpusher ( 854001 ) on Friday March 04, 2005 @12:56PM (#11845113) Journal
    remote physical device fingerprinting ... without the fingerprinted device's known cooperation.

    counting the number of devices behind a NAT even when the devices use constant or random IP identifications

    I, for one, welcome our new time-skew fingerprinting overlords.

    Seriously though. This is yet another pile of steaming scary crap. Where are the days when I could telephone someone and NOT have to be identified. (caller id). Now I can't be an anonymous coward because slashdot can sniff my time-skew and put my name up anyway. Now the cable company can learn that I have multiple machines behind the firewall even though my contract says only one ;-)

    Is this really necessary? Nothing is sacred anymore. I want to be able to live my life behind my walls without people constantly peeking through the curtains, and thats what this is. At some point we have to stand up and say "you stop here" to these damn peeping toms.

  • echo 0 > /proc/sys/net/ipv4/tcp_timestamps

  • Clocks Drift (Score:3, Interesting)

    by baadger ( 764884 ) on Friday March 04, 2005 @01:01PM (#11845167)
    I was bored once and tried to create a Javascript page that'd refresh and post the visitors system time to the server and calculate the difference between the server and client time to the millisecond (assuming all the reload times etc remain pretty constant), and use it attempt to say "hello ".

    I was trying to settle an argument with a friend that I could track him on my site even if he used various proxies.

    The technique only worked for a while. And then the difference tended to drift.After a few hours the visitor couldn't be recognised anymore.

    I know this is a highly simplified example but wouldn't the clock drift and inaccuracies in time keeping foul up this detection eventually?

    Passively obtaining the 'clock skew'/rate of drift etc across the net doesn't seem sufficiently accurate to uniquely identify a machine.
  • Surely both of the above would mess with the clock skews esp as xntp will do it's best to keep the time sane..
  • I wonder when OpenBSD 'pf' will normalize the tcp timestamp on packets passing through an OpenBSD firewall. Probably with OpenBSD 3.7 no doubt.

  • Please visit our publicly facing tracking site [slashdot.org] to ensure we have a reliable base of micro-skew signatures. This will enable us to quickly identify M$-hating, freedom-loving^W^Wterrorists.

    the NSA^Wanticypher

  • For laptops, run ntpdate at startup. For other hosts, use ntpd.

  • Changing Clock (Score:3, Interesting)

    by iammrjvo ( 597745 ) on Friday March 04, 2005 @01:09PM (#11845246) Homepage Journal

    If it relies on the clock changing slowly over time, then why wouldn't it be possible to randomly change your clock time by a few milliseconds forward or back every few minutes?
  • by Animats ( 122034 ) on Friday March 04, 2005 @01:10PM (#11845262) Homepage
    Look at figure 3 in the paper, [caida.org] showing clock skew for 69 desktop machines. Each line shows the clock skew measured over a 4-day period. You could distinguish about 20 of those machines. The rest don't have unique enough clock skews. Of course, those are all similar machines; they're all the same model of Micron desktops.

    Note how linear those skew lines are. That data looks so good that it needs independent verification. Others have observed more variation in clock skew than that. Computer clocks aren't normally observed to have error that consistent. There's variation with temperature. One wonders if they ran this test during a period when the target machines (a computer lab) were not in use.

  • NTP doesn't help (Score:5, Informative)

    by demi ( 17616 ) on Friday March 04, 2005 @01:18PM (#11845327) Homepage Journal

    Please stop suggesting NTP as a "countermeasure." It doesn't help--this is repeated over and over again in the paper. As far as I can tell, turning of tcp timestamps does.

  • Atomic Cocks (Score:3, Interesting)

    by nrlightfoot ( 607666 ) on Friday March 04, 2005 @01:53PM (#11845671) Homepage
    All you need to do to stop this is run your computer on an atomic clock. Instead of measuring your time shift, it will end up measuring that of the computer analysing the data, because your clock will be more accurate. Also, once many computers have atomic clocks, the time shift differences would be too miniscule to detect, and you'd never be able to pick out which computer with an atomic clock you were tracking.
  • Open BIOS needed (Score:3, Interesting)

    by behindthewall ( 231520 ) on Friday March 04, 2005 @02:03PM (#11845770)
    I guess we really need those Open BIOS projects so that we can introduce jitter into our clock values at an appropriately low level.

    Course, I guess portions of the OS might not like that.
  • by harlows_monkeys ( 106428 ) on Friday March 04, 2005 @02:16PM (#11845916) Homepage
    We had a free online chat server at work, and one of the problems was dealing with jerks. If we banned someone by name, they could just come back with a different name, and with dynamic IP addresses so common, also a different IP address.

    If we could have used something like this to ban by computer, that would have been great.

  • by Catbeller ( 118204 ) on Friday March 04, 2005 @02:28PM (#11846032) Homepage
    Why does the government need to find individual computers?

    Not so simple:

    What is the danger to the world that an individual PC is unidentified?

    Compared to that danger, is the loss of anonymous free speech worth it?

    If the answer is yes, then do we ourselves get to identify the PC's of CEO's, congressmen, celebrities, and other Upper Class members? Or is anonymity reserved for those who are rich enough, famous enough, powerful enough, or connected enough to hide?

    And if they get to hide, but not us, isn't the very security we buy with our freedom to be anonymous then a sham? A method of control, the way Scott Ritter the ex-Marine weapons was slimed with kiddie-porn allegations from law enforcement that were just happening to be monitoring his habits just as he was being vindicated in his proclamations that the war's justifications were fake? BTW: the charges were dropped after his cred was ruined. Nice job burning the witch, Rove. Power to monitor coupled with the power to accuse and charge is the power to silence anyone, anytime for any reason and suffer NO CONSEQUENCES. Who was charged with sliming Ritter at such a politically convenient time for the Bushites? No one. And in the future, when they come for you, no one will save you or punish your accusers. Who themselves are anonymous and untouchable.

    Are YOU safe from ruin is someone monitors you 24 hours a day?

    If they can justify monitoring your internet usage, or track anyone they like, the legal precedent is set to monitor anyone, anytime, for any reason or non-reason, such as political/economic personal assassination. Not just your PC. What would stop them from establishing cameras on poles in front of your house to monitor your comings and goings? Microphones? They can already "sneak and peak" with a judges rubberstamp and no subpoena. They are establishing precedent to track your car with devices planted without warrant.

    The current administration is currently using security laws to crush lawsuits about the detention and torture of people taken secretly after 9/11. Tom Delay used Homeland Security, illegally, to track down the Texas Democrats last year to bring them home to force a vote to disenfranchise Texas democrats - no penalties for him, and a precedent and example was set. The security apparatus established during the hysteria is being used to crush political oppostion to the President and his party; they have shown that they are abusing their power, and care nothing that anyone knows.

    The internet is the last, only hope for anonymous gatherings and free speech left in the world, and they, the amalgamate they are desperately shutting down the last means of mankind to speak to power without getting arrested or ruined for claiming their birthright.

    I've not the skills to fix this technically. But we need a new communications system, asap, that is not under U.S. control or capable of being traced or monitored. I've got zilch. Is there a way of making a new pipe that CAN'T be subverted or controlled by the power mad? This is a serious question, and we may need an answer really soon.
  • by lazlo ( 15906 ) on Friday March 04, 2005 @03:03PM (#11846387) Homepage
    OK, there are some interesting things here... First, there are limitations. Off the top of my head, those limitations are:
    • The fingerprinted machine must be communicating using TCP (or another protocol with timestamps, but there aren't many I can think of other than TCP)
    • It must implement RFC 1323 TCP timestamps. For instance, a quick `echo 0 > /proc/sys/net/ipv4/tcp_timestamps` should keep you from being fingerprinted using this technique.
    • It must implement timestamps as specified. Filling that option with random numbers, or with timestamps skewed by random amounts, or with timestamps skewed by N number of predetermined time functions (i.e., an offset and a drift, making it appear that you are N different machines) would make it more difficult to do this fingerprinting.

    That said, there are some usefull things you could do with this. One example I can think of would be to detect some obfuscated scanning techniques. As an example, nmap impliments idle scanning [insecure.org], which is usually reasonably obvious because of the characteristic SYN->SYN/ACK->RST sequence, especially if the SYN and RST have different TTL's. Adding timestamp checks would make it more obvious (although, just as difficult to track down the original scanner).

    Also, if someone used a decoy scan in nmap, it might be reasonably easy to tell which source addresses were really the same machine. You would probably also get enough information to construct a fairly accurate timestamp/skew profile of that machine. If you ever saw those IP addresses again, then you'd be able to check whether it was the real machine.

    But, these are just my own ramblings. At the very least it seems to be interesting work (although the article linked is pretty crummy)

  • Why not just use the MAC address for identification? No two computers should have the same one.

The Macintosh is Xerox technology at its best.