Tracking a Specific Machine Anywhere On The Net
An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."
Ph.D. student Tadayoshi Kohno said: "There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting ... without the fingerprinted device's known cooperation."
This dissertation will get this dude himself a position with the NSA. Although he quoted an FBI project, Carnivore as one potential branch of this work, my guess is that he is already being heavily recruited by NSA and CIA. They have more resources than the FBI to grab somebody like this, and would be smart to try and recruit him. Hey Tadayoshi.....you want a job?
Seriously. While lots of folks have been looking at ways to hard code the IP address within the hardware, this is a more impressive (and unique) way of looking at the problem. Everything has a signature of sorts that can be tracked (skin plumes, small molecular phenotypes, genetics, acoustic signatures, thermal signatures, etc....etc....etc...), and Tadayoshi simply decided to examine those small variations built into electronic devices to fingerprint hardware. Very clever, but of course nanomanufacturing is the counter to this technology. I say of course, but the "arms race" to do that is not an insignificant achievement. Tadayoshi's technology will absolutely have some significant staying power.
Visit Jonesblog and say hello.
http://www.cse.ucsd.edu/users/tkohno/papers/PDF/
John.
I have a co-worker who just got her laptop stolen. Now if the computer could be tracked when the jerk logs it into the Internet, that would be helpful in tracking the guy down.
Ted Tschopp
Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
Several points here. If true, it could be used to devastating effect in licensing / activation programs. Many publishers view downloading software onto multiple machines as proof of violating single-machine license agreements, while at the same time allowing multiple downloads of that software to ease the customer service burden from "It didn't work when I first tried to download it" calls. If somebody were to buy such a package and then download it to his desktop and then later to his laptop, this kind of fingerprinting would allow the publisher to catch him.
From TFA, it says that: This sounds to me like firewalls would have to be modified to intentionally hide this data and remove this difference in timestamp calculations (the firewall generates both and back-translates when doing NAT). So it's just a call for yet another firewall patch. Can the firewall vendors patch and globally implement faster than this privacy exploit can be exploited? I would hope so at least.
It's not users who are broken, it's systems not taking into account their likely behaviour and fixing it technically.
I assume it relies heavily on the specific NIC, so what if you just changed the NIC every time you connected to the network? Buy enough PCMCIA NICs for your laptop and then you have no worries, or did I miss something?
Please do not let scientific accuracy interfere with the intended humourous/interesting/insightful value of this comment
unanonymousing, or identifying?
Knock, knock, neo...
They know where you are.
Get out while you still can.
You can't talk about Wikipedia's flaws on Wikipedia
hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.
Wouldn't it be easier to just look at the MAC address on the NIC? It is completely unique and the internet is just a gigantic network.
Here's what I don't see. Let's say:
i) most (say, 75%) of internet-connected computers have clock correct to within a couple of minutes.
ii) Few TCP timestamp clocks bother with a click time shorter than 1ms.
That means that 75% of the computers must be mapped to a space containing 4*60*1000 = 240,000 unique items.
Now, surely there are more than a quarter of a million computers on the Net, so how will this enable us to track a device uniquely?
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Wouldn't very slight randomizing of packet timestamps completely nullify this method?
So the government has finally figured out a way to track us all no matter where we go, behind any amount of device, no matter what. AFAIK, this is already being done using different methods, (read: not clock skew)
Extremely interesting, and logical. "Microscopic" differences in hardware clock timing. One must wonder if more can be thought of. Chipset timings in nic cards... quantum tcp theory...
(I mean your actual rights, not the /. category) just disappeared completely.
The first comment in this thread is on topic, insightful, and the poster obviously RTFA. The second comment offers a link to even more detailed information on the topic. Is this really slashdot or did I visit the wrong site?
Use a simple, free NTP client and tell it to resync your clock every hour or so, and you are safe :)
Either use the built-in service in W2K+, or else I recommend Atomic TimeSync; check also their other freeware, some are pretty neat!
PS: no, I do not work for them!
John Doe lawsuits if this comes into play, eh?
- I got my free iPod and a free Nintendo DS....why not
Can't you turn this off on Linux with echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet.
Gee, that doesn't sound breakable.
How about using this technology as a way to keep track of inventory? As a matter of fact, most companies who make similar technology will only deal with customers interested in spending a lot of $$'s on it.
I am a little sceptical as to how well this works. PC clocks are rather crappy and temperature sensitive. If you look at the ntp.drift file, you will see a diurnal pattern. Plus, I would suspect that if this technology became widespread, that someone would add some dither to adjtime() to throw it off.
(S(SKK)(SKK))(S(SKK)(SKK))
You own a Linux box. You know about this technique. You:
1) Erase all your BitTorrent-related tools and get all your stuff from less knowledgeable friends via a DVD burner.
2) Get your hands on that TCP/IP stack implementation and modify it (like the geek you are) to add or subtract one unit at random from the least significant digit of the timestamp. (Is that technically feasible, /.ers? I believe it is, but I'm no expert.)
Either way, bye-bye Carnivore!
Just
It's easy to compensate for clock skew, either by measuring it and adjusting for it as can be done in Linux, or by using a time server.
New IBM ThinkPad computers will now have support for Absolute's Computrace solutions embedded into the BIOS firmware starting with the new T-series. Absolute's Computrace technology powers Absolute's guaranteed PC theft recovery and secure asset tracking services. In the event a computer is stolen, Absolute guarantees the recovery of the computer, and can remotely delete sensitive data from the stolen computer when data privacy is a concern. If the computer is not recovered within 30-60 days, the customer may be eligible for a Recovery Guarantee payment of up to $1,000(1). Link: http://productsource.govtech.net/stories.php?story=528
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
What's the name of that organization again? These guys are clearly the notorious terrorists and axis of evil!
This doesn't mention that all the timing and stack styles could probably be modified to change the way they communicate and mask these fingerprints... I don't know how it's done, but that seems moderately important. Really, it seems like this could be more of a bonus to people looking for the clueless. It's not the spammer-hunting tool for the new millennia that I'd love to see developed and used.
My little site.
Couldn't the box doing the NATting just mess with the timestamp of all the packets that pass through it? Add a very slight bit of random noise to distort the timing fingerprint.
I am very happy about these developments.
This will make society much better.
I am sure law enforcement will use this to better protect us.
Read my sig.
Gentlemen, time to synchronize your clock skews.
"Piter, too, is dead."
Although the research is most certainly interesting, the notion of timestamp-based fingerprinting is not necessarily new.
Zalewski's "Silence on the Wire" appears to cover this very technique in chapter 9, for example.
...use the computer that's in front of me in order to go online so that I can find the computer that's in front of me.
Anakin Simpson: If you're not with me, then you're my enemy--ooh, donuts!
I am under the assumption that a packet sniffer needs to be somewhere in-line to accomplish this tracking? I mean if person X is sniffing traffic off router Y and then person X moves to another geographic location and uses router Z the person tracking this box won't get squat? And for the purpose of telling how many systems are in a network that is using NAT, well aren't there dozens of ways to do that already? This sounds to me more along the lines of really neat idea that won't have a real practical use. And using clock skews doesn't seem to sound viable either as there are millions of systems online and with different time zones and that amount of systems how many will have the same skew. (I am no expert on clock skews so maybe I am misunderstanding this)
News Reporters Make Tasty Polar Bear Treats!
remote physical device fingerprinting ... without the fingerprinted device's known cooperation.
;-)
counting the number of devices behind a NAT even when the devices use constant or random IP identifications
I, for one, welcome our new time-skew fingerprinting overlords.
Seriously though. This is yet another pile of steaming scary crap. Where are the days when I could telephone someone and NOT have to be identified. (caller id). Now I can't be an anonymous coward because slashdot can sniff my time-skew and put my name up anyway. Now the cable company can learn that I have multiple machines behind the firewall even though my contract says only one
Is this really necessary? Nothing is sacred anymore. I want to be able to live my life behind my walls without people constantly peeking through the curtains, and that's what this is. At some point we have to stand up and say "you stop here" to these damn peeping toms.
man, I feel like mold.
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
Can You Say Linux? I Knew That You Could.
I was bored once and tried to create a Javascript page that'd refresh and post the visitor's system time to the server and calculate the difference between the server and client time to the millisecond (assuming all the reload times etc. remain pretty constant), and use it to attempt to say "hello ".
I was trying to settle an argument with a friend that I could track him on my site even if he used various proxies.
The technique only worked for a while. And then the difference tended to drift. After a few hours the visitor couldn't be recognised anymore.
I know this is a highly simplified example but wouldn't the clock drift and inaccuracies in time keeping foul up this detection eventually?
Passively obtaining the 'clock skew'/rate of drift etc across the net doesn't seem sufficiently accurate to uniquely identify a machine.
Surely both of the above would mess with the clock skews, esp. as xntp will do its best to keep the time sane..
I wonder when OpenBSD 'pf' will normalize the tcp timestamp on packets passing through an OpenBSD firewall. Probably with OpenBSD 3.7 no doubt.
Oolite: Elite-like game. For Mac, Linux and Windows
Please visit our publicly facing tracking site to ensure we have a reliable base of micro-skew signatures. This will enable us to quickly identify M$-hating, freedom-loving^W^Wterrorists.
the NSA^Wanticypher
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
A) the MAC address is available only on the last segment. Or rather, it's at the ethernet (not IP) level, and it's used to direct packets along a particular segment. It changes all the time as a packet moves through the internet, or even disappears completely if you go through an ATM cloud or some such.
B) Most (or at least many) devices allow you to change the MAC address. There are good reasons for doing this.
For laptops, run ntpdate at startup. For other hosts, use ntpd.
That's "Mr. Soulless Automaton" to you, Bub.
This evil organization prepares innocent young females to grow up hating men. Yeah sure, they might seem all nice, with their annual cookie drive, but make no mistake, all you are doing is funding their evil scheme, while eagerly eating their wretched and enticing poison.
RESIST THE COOKIES!!!!!!!!!!
Lets start a pool as to when pf has a countermeasure.
My entry is two days from now.
This is very good for those who are interested in protecting their own assets by using offensive techniques - this removes some of the uncertainty of who you are actually retaliating against. www.activedefense.org
If it relies on the clock changing slowly over time, then why wouldn't it be possible to randomly change your clock time by a few milliseconds forward or back every few minutes?
Ha, ha! Nobody ever says Italy.
Note how linear those skew lines are. That data looks so good that it needs independent verification. Others have observed more variation in clock skew than that. Computer clocks aren't normally observed to have error that consistent. There's variation with temperature. One wonders if they ran this test during a period when the target machines (a computer lab) were not in use.
...I have timestamping (RFC 1323) turned off on my NIC? I know for a fact that I do. Is there still some timestamping going that can be tracked? If nothing else is going on there is no problem. Also it is easy to turn off timestamping if it is running...at least for someone with a little knowledge of NICs.
Remember when Intel announced processor identification? They were slaughtered! They ended up shipping P3's with this feature turned off.
Now accepting PayPal donations!
Oops; brain fart. ntp.drift is the wrong place to look. You have to enable statistics logging in ntp.conf.
(S(SKK)(SKK))(S(SKK)(SKK))
It's funny how all of the replies to the question missed the primary point that MAC is a link-level address and is only used on your link.
demi
That's all fine, but how are these timings read remotely with any degree of accuracy? I have not RTFA but I don't see how that is possible. Network cards, hubs, firewalls, routers, entropy, and scheduling differences and interrupts will jitter the data so much that it should be nearly impossible to recover. Not to mention that a website or sniffer (especially passively) will have trouble talking to my computer's peripherals to measure their timings.
Couldn't someone write a program to periodically make small changes to the time on the machine? I realize you wouldn't want to do this on a production server because of UUIDs, but then again anonymity isn't needed there.
yeah, I've been "stealing" cable internet for over a year now. I even sent them an e-mail telling them I haven't received a bill. Their response? silence. I'm beginning to wonder...
I'd say he's simply job hunting. With my limited exp in the field, I say the only thing he can tell from NAT at most is a bunch of header info, most significantly MAC and time of travel.
MAC is used to identify the NIC, while time of travel can tell you approx. where the machine is and the clock speed.
MAC can be spoofed, time of travel can vary on days of the month, hardware change... anything!!!!
Computers are all built with the ability for one to upgrade/downgrade them. I think to accomplish what he wants to do, he would need some type of enforced standard that is somehow embedded with every machine, and that's impossible to do.
Please stop suggesting NTP as a "countermeasure." It doesn't help--this is repeated over and over again in the paper. As far as I can tell, turning of tcp timestamps does.
demi
with pf: scrub reassemble tcp
I am at work and don't have time to read the tech paper on it at the moment. Are they using the clock generator on the NIC or the CPU clock time, or the mobo clock generator? If it is the NIC or CPU's clock, those can be altered by swapping out hardware. If it is the mobo clock, then you are stuck w/ just one, unless you like soldering.
...I'd be thinking "Wow! No more unreliable tracking cookies! Now my ads will always be targeted to individuals!"
Don't shoot me...
As a web developer, I was thinking more along the lines of "Yay! No more session cookies!"
Also, depending on how the host clock keeps time, wouldn't this be subject to local fluctuations in power? This wouldn't show up in their LAN test, but if those machines are moved to another location with different conditions, wouldn't it?
Fred
"A fool and his freedom are soon parted"
-RMS
They can't tell the time skew at that resolution, because to estimate it, they would have to guess the ping time with that accuracy.
And even if they have a large sample set, it would still be more like 3-5ms, and moving over time... what is shift in the backbone saturation, what is clock skew?
Plus like other people said: XP has atomic clock synchronisation on per default (mine has), so I'm one of the 50 million machines that has a clock error of 5 or 10 seconds...
now 5ms accuracy would give us 2000-5000 slots, for 50 million machines... not unique
Even for my internet provider (the pool of dynamic ips mine is from) it would still be secure enough, even without just faking the data
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
This could be useful for websites wishing to get another means of counting unique visitors to a website. Today there are 2 ways and both are error prone. The first is cookies. The server hands the client a cookie and depends on the client to cooperate and give it back. The problem is that clients are increasingly not cooperating through routine use of things like cookie scrubbers. The second way is through representative sampling from a cooperative and statistically significant sample population. Stats gathered from the sample are used to predict real visitor numbers. This is how rating services like Nielsen Net Ratings work.
Clock skew fingerprinting has the potential to outperform both methods that are in common use today.
According to TFA this works by measuring the clock skew rate over a significant period (over a month is the example they give), so using something like NTP to keep your clock from deviating would completely screw it up.
I rarely criticize things I don't care about.
the first comment will be on topic, insightful, and the poster obviously RTFA tomorrow, and the next day as well.
.....the RSA is using the time-stamp feature to determine how fast and how often people download porn
And I've been trying to throw away my P3 with a bad battery. The damn thing never keeps time right.
Seriously though, you could easily subvert this with a speedhack that randomized your current clockrate. Cheaters in MMORPGS have been doing this for a long time.
Still, who really cares if someone knows that I ssh'd/ssl'd to this machine here at this time. They still can't see what I'm doing unless they break the crypto/MIM.
2. What about multi-processors? If you're cranking from processor A one day, but the next day processor B is the one doing the talking, won't they have different skews? And if the thing is multi-threaded or multi-cored, one could get the skews changing erratically depending on which processor is "speaking" for that particular section of data.
Then there will be the guy who builds data skew randomisers, or the internet data equivalent of a video Time Base Corrector in his garage and sells them on that internet thingie for $200... (Actually I think a digital TBC would be a great idea, in general...)
I think the author of that paper is onto something, but that something is very historic for this moment. From what I can gather, a few basic changes in machinery could obviate his plans.
Interesting ideas, though!
RS
Shoes for Industry. Shoes for the Dead.
My notebook for example can change its clock speed dynamically depending on the load, so wouldn't this throw this kind of tracking off as the clock skew is never the same? Even my desktop A64 can do this.
This is fine and dandy as long as it is not elCAIDA behind all this.
I stole this
Can someone give a layman's version of how this works?
I have always wondered how things like this, and the nmap fingerprinting, work.
Also, would they work on a machine that uses a more sensible NAT like say OpenBSD's, which mangles everything and rebuilds packets?
Or how about a machine that doesn't even connect to the net directly, and everything gets proxied?
Just wonderin'
To simply see where the Herbal Viagra and Penis Enlargement Creme is being sent too?
It wouldn't be particularly hard to add a random skew to your timestamp data.
My first idea would be just adding a random number, but if the number were truly random then over a long enough interval the skew would remain the same.
Maybe you need some sort of slowly moving skew vector so that your timestamp clock really does skew but in a fashion which is random.
You can run a program like macmakeup to change your mac to whatever the hell you want, which makes tracking by mac pointless if the target has any clue. You could do this every single time you log on to the internet (or random intervals, etc) to throw off tracking of your usage, along with changing what browser you "seem" to be using, responses to your OS type, and the way your system responds to pings, port scans, etc to appear to be just about anything.
:P
Also, given that this new technique listed in the article seems to deal with response times, you just modify your response times with something else - an extra clock cycle here, 13 clock cycles there... And this technique is pretty useless. It's kinda a rehash of the idea of "fingerprinting" by the unique timing involved in how a user types, and anyone dealing with computer forensics will spot it right away. But hey, it's good enough to get him a research grant, probably. How about giving me one to foil it now?
And lastly (and more importantly) once you acquire the data needed to identify a system by this new method (basically by conversing with it over the net, etc.) what's to say I don't get a machine that can respond much faster, and spoof who I am because now I'm responding JUST like said system.... "Your bank account transfer has been accepted, Mr Gates..."
I don't know what definition of "clock skew" he is using but to say you can measure clock skew by looking at time stamps generated from a single point makes no sense at all. Clock skew is the mean time difference between *two* clocks of the same frequency (or related by a rational multiplier). The skew of any clock measured against itself at the same point in a clock tree is always zero.
It seems likely to me that he is measuring the differences in clock frequency from a reference frequency. This is not clock skew. Call it "clock frequency variance" or something to that effect.
But, I wanted socialized health insurance!
You might want to actually read the paper.
He was able to identify machines even though they were using NTP. Changing the date/time won't help for the same reasons.
I'd be interested in seeing someone point out the "quartz crystal" in a notebook. You could modify the skew by swapping some chips. The difficulty of this is not great, simply de-solder the old and solder in the new (of course, the avg slashdotter thinks soldering is some kind of elite skill). The cost on the other hand is another issue.
If someone were really serious, they would, as other posters have mentioned, modify their kernel to use a cryptographic randomization of their skew. However, this is only useful if many people were to do it. Otherwise, you are identified as the guy with the random skew.
As for real use: if the FBI were using this to identify the computers used by the guys who cracked them, they could then use their "deployed" servers to look for others with the same fingerprint. They would then have a list of suspects to work with.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Just to set the record straight. The clock skew referred to in the article would be the amount of time the clock WILL lose or gain over a given period of time. you could receive say 1 packet a second for 30 seconds from one machine, and judge the amount of time lost or gained, and come up w/ an avg percentage of time lost or gained. So, say a machine loses 3ms every 5 seconds. You could then match that number to a list of machines you have already fingerprinted.
A lot of people seem to think it is referring to the amount of time the clock is actually off from the current time, which really has no bearing on this. The only way NTP would affect this is if it updated the machine time while you were in the middle of processing packets from the machine. Obviously, you'd be able to see this happen in the packets and then start over.
What about mobile CPUs that keep changing frequency according to system load?
My guess is that the clock skew would change as well.
If you turn it off, you're even more noticeable. =)
"Hey, this one guy has NO timestamps ... but no one else does ... "
I realize it wouldn't ONLY be you, but in a small subset (internet cafe, or whatnot), it could be an even bigger red flag. Hell, they might use that to say, "watch this stream carefully, he cares that we're watching him."
If done, then a firewall patch would allow everyone behind the firewall to get free activation. Of course, corporations don't pirate software from each other ;)
Proxy servers are another reason not to use this for activation. None of the original machines TCP info is used on a proxied request, as these function much differently than a firewall or NAT.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Every couple of hours my machine syncs its clock with the Windows domain controller. When it does, the skew would change. Some people have their machines set to do the same with an internet time service. Wouldn't anyone utilizing a time daemon of some sort only be traceable for a short time? So the whole "as the machine moves around the internet" wouldn't apply?
Please post simple 'From TFA' and 'Link posts' anonymously. Helps with the mod system.
From the I Didn't Understand The Article department: Nmap and checkos have enabled investigating timestamps for years (at least 1998 IIRC?). So, how is this different? I'm guessing it's to do with the "passive" nature of the detection, the fingerprinter has to be either a man-in-the-middle ISP/NSA or else the terminator of the connection? Would a firewall rule which rewrites all the packets to have a randomized deviation from an NTP derived timestamp overcome this? That'd seem like the simplest solution if it's true.
Now we just need to implement TCP clock skew randomization to make this go away.
Computrace, amongst others.
Entrepreneur : (noun), French for "unemployed"
All you need to do to stop this is run your computer on an atomic clock. Instead of measuring your time shift, it will end up measuring that of the computer analysing the data, because your clock will be more accurate. Also, once many computers have atomic clocks, the time shift differences would be too miniscule to detect, and you'd never be able to pick out which computer with an atomic clock you were tracking.
what sig?
Say your clock drifts .000023MS per second. So between 1:00:00 and 1:00:01 there's a .000023MS difference.
You reset the time by three seconds, to 1:00:04. But it's going to have that same .000023MS drift between 1:00:04 and 1:00:05. So it can still be identified even if you change the clock.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
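The point made above (and by the "set the record straight" and "just add a random number" comments earlier in the thread) is that the fingerprint is the *rate* at which a device's TCP timestamp clock drifts against an observer's clock, not its offset. The toy model below is an added illustration, not code from the CAIDA paper: it simulates TSvals from a device with a constructed 50 ppm skew, fits the drift with plain least squares (the paper uses a linear-programming lower-hull fit), and shows that a 3 s clock step and per-packet random noise leave the estimate intact, while only a slowly wandering offset moves it. TS_HZ, the jitter bounds and the noise functions are all assumptions.

```python
# Toy model of TCP-timestamp clock-skew fingerprinting in the spirit of the
# technique discussed in the thread.  Added illustration; all numbers are
# constructed.  Estimator: least-squares slope of (device time - observer time)
# against observer time.  The paper's linear-programming fit to the lower hull
# of the offsets is more robust to delay jitter but needs more code.
import math
import random

TS_HZ = 1000  # assumed: device TSval clock ticks at 1 kHz (RFC 1323 allows 1 ms..1 s)


def observe(skew_ppm, n=3600, step_at=None, step_secs=0.0, wander=None, seed=7):
    """Simulate n packets, one per second, from a device whose timestamp clock
    runs fast or slow by skew_ppm parts per million.  Returns (arrival, tsval)
    pairs as seen by an on-path observer; each arrival carries up to 20 ms of
    one-way delay jitter.  step_at/step_secs model an NTP or manual clock step,
    wander(rng, t) adds extra seconds to the device clock (a countermeasure)."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = float(i)
        dev = t * (1.0 + skew_ppm * 1e-6)
        if step_at is not None and t >= step_at:
            dev += step_secs            # the offset changes, the oscillator's rate does not
        if wander is not None:
            dev += wander(rng, t)
        tsval = int(dev * TS_HZ)        # TSval is an integer tick count
        out.append((t + rng.uniform(0.0, 0.02), tsval))
    return out


def least_squares_slope(xs, ys):
    n = len(xs)
    xm, ym = sum(xs) / n, sum(ys) / n
    sxx = sum((x - xm) ** 2 for x in xs)
    sxy = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    return sxy / sxx


def estimate_skew_ppm(obs, jump=0.5, min_len=30):
    """Fingerprint = slope of the offset series.  A clock step shows up as a
    jump between consecutive offsets; fit each flat segment separately and
    combine by length, so the step does not corrupt the rate estimate.
    Returns None when there are no timestamps to fit."""
    if not obs:
        return None                     # TCP timestamps disabled: nothing to fingerprint
    offsets = [(a, ts / TS_HZ - a) for a, ts in obs]
    segments, cur = [], [offsets[0]]
    for prev, pt in zip(offsets, offsets[1:]):
        if abs(pt[1] - prev[1]) > jump:
            segments.append(cur)
            cur = []
        cur.append(pt)
    segments.append(cur)
    usable = [s for s in segments if len(s) >= min_len]
    total = sum(len(s) for s in usable)
    if total == 0:
        return None
    slope = sum(least_squares_slope([a for a, _ in s], [o for _, o in s]) * len(s)
                for s in usable) / total
    return slope * 1e6                  # seconds per second -> ppm


def iid_noise(rng, t):
    """The naive 'just add a random number' countermeasure: up to +-50 ms of
    independent error per packet.  Regression averages it away."""
    return rng.uniform(-0.05, 0.05)


def slow_wander(rng, t):
    """A slowly varying offset (0.5 s amplitude, 20 min period).  Now the rate
    itself changes over the observation window, which is what actually moves
    the fitted slope.  Periodic here for reproducibility; a real countermeasure
    would use a random walk rather than a fixed sine."""
    return 0.5 * math.sin(2 * math.pi * t / 1200.0)


if __name__ == "__main__":
    print("plain device:         %.1f ppm" % estimate_skew_ppm(observe(50)))
    print("after 3 s clock step: %.1f ppm" % estimate_skew_ppm(observe(50, step_at=1800, step_secs=-3.0)))
    print("iid +-50 ms noise:    %.1f ppm" % estimate_skew_ppm(observe(50, wander=iid_noise)))
    print("slow wander:          %.1f ppm" % estimate_skew_ppm(observe(50, wander=slow_wander)))
    print("timestamps off:      ", estimate_skew_ppm([]))
```

With the constructed 50 ppm device the first three runs all come back within a few ppm of 50, the wandering clock lands tens of ppm away, and an empty capture yields no fingerprint at all, which is the case for turning the option off (with the caveat from the thread that a lone host without timestamps is itself conspicuous).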
Tcp1323Opts
Key: Tcpip\Parameters
Value Type: REG_DWORD--number (flags)
Valid Range: 0, 1, 2, 3
0 (disable RFC 1323 options)
1 (window scale enabled only)
2 (timestamps enabled only)
3 (both options enabled)
Default: No value; the default behavior is as follows: do not initiate options but if requested provide them.
Description: This parameter controls RFC 1323 time stamps and window-scaling options. Time stamps and window scaling are enabled by default, but can be manipulated with flag bits. Bit 0 controls window scaling, and bit 1 controls time stamps.
http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/tcpip2k.mspx
Now we need to make a windows virus that disables the setting to create a pool of anonymous users.
All your caida are belong to us.
You have no chance to survive make your time.
You see? You see? Your stupid minds! Stupid! Stupid!
I don't know if you noticed, but he has a history of breaking, oh, WinZip, Diebold voting machines, and SSH.
Now my wife can find me easier...
My
Integrate a TCP packet scrubber in which the time stamp seconds digit is somewhat randomized (perhaps just randomize the decimal of the second, and maybe even the seconds digit within 1).
It may be possible to still track a single computer, but this would probably be effective to put on a NAT firewall to hide the number of connections behind it.
Or, just disable the time stamp in the TCP stack... it's optional anyway.
Anyway, I thought the mac address stayed in the TCP packet? Maybe I didn't pay enough attention in CISCO class...
Didn't Intel give us the ability to identify an individual PC on the net by its processor ID?
Standard practice for MOST people that know about this is to turn it off, and I'm not sure if this "feature" has been removed from the P4s. But it is present in all P3s.
With that activated, an API of the OS can ask the proc for its ID and include it in online transactions, letting you say that wasn't me, my procID is XXXXXXXXXXXXXXXX not YYYYYYYYYYYYYY..
Any other clock drift, or any network characteristics, can be forged. The proc ID can be as well, but if they're targeting someone specific, the attacker would have to learn that procID and then use it.
Of course, i could be completely mistaken. But that doesn't happen often.
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\MSTCP
Value Name: Tcp1323Opts
Value Type: String Value
Value Data: 1
Details: The possible settings are 0 - No Windowscaling and Timestamp Options, 1 - Window scaling but no Timestamp options, 3 - Window scaling and Time stamp options. The value is documented in RFC 1323. According to Microsoft, Tcp1323Opts should be a DWORD, rather than a string value; however, it seems that the documentation is incorrect and a string value is necessary to enable large RWIN support.
http://www.wisenetworks.net/tweaks.html
I guess we really need those Open BIOS projects so that we can introduce jitter into our clock values at an appropriately low level.
Course, I guess portions of the OS might not like that.
I'd like to personally thank the jerk who came up with this idea (get a Ph.D by curing cancer for Christ's sake!).
/.'ers barely have wives let alone mistresses.
Now I gotta buy a new computer every time my wife figures out which unique PC I'm using when I'm surfing the 'net at my mistress' house.
IronChefMorimoto
P.S. - I'm screwing with your mind --
I'm just a silly slashdot lurker, but mod the parent post up! This is an important answer to the grandparent's question. Of course, it's not funny or trolling, so it probably won't see the light of day here :)
I am using Anonymizer and other proxies to hide myself as I "borrow" music. ;) I can imagine that the RIAA and MPAA would invest heavily to do a better job of tracking who has their content and who is downloading it.
Therefore, we developed a trick, which involves an intentional violation of RFC 1323 on the part of a semi-passive or active adversary, to convince Microsoft Windows 2000 and XP machines to use the TCP timestamps option in Windows-initiated flows.
and
without the fingerprinted device's known cooperation
sort of require a search warrant don't they?
IANAL, but it seems to me that forcing your computer to do something other than what you've directed it to do (like forcing a timestamp you've turned off) without your permission would be B&E. Unless you explicitly gave permission in the form of agreeing to a EULA or such.
Yet another reason to read the fine print. You may inadvertently give permission to allow this sort of privacy invasion.
I propose a new constitutional (for the US) amendment -- The congress shall not make any law that compromises the ANONYMITY of a citizen unless the citizen shall explicitly and intentionally give up that anonymity. In other words, unless I tell you who I am, you can't know who I am.
that and a dime 'll get you a dime.
man, I feel like mold.
If we could have used something like this to ban by computer, that would have been great.
How long before someone releases a kernel patch that randomises the time offset of all TCP packets sent from a computer?
Stateful TCP normalization (prevent uptime calculation and NATdetection)
MF: Stateful TCP normalization is a set of techniques to remove or resolve ambiguities in network traffic. One of the techniques most important to the average user is TCP timestamp modulation. Most operating systems with high performance networking include a timestamp in every TCP packet.
Since that timer starts ticking when the machine was booted, a server (or anyone in between) can look at a packet and know the machine's uptime. An attacker could look at a machine's responses to know it hasn't been rebooting since the last patch came out so it is probably still vulnerable. Alternately a stingy internet service provider that charges extra for home networks can look at all of the timestamps coming from a link and count the number of NATted machines by the number of unique timestamps. The PF firewall can scramble both uptime calculation and NAT detection by modulating the timestamps with a random number. There are a variety of other normalization techniques done and others still in development.
http://www.onlamp.com/pub/a/bsd/2004/04/15/pf_dev
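As an added example, not code from PF, the OnLamp article or any commenter: a Python model of the per-connection timestamp modulation described in the interview snippet above, which also covers the earlier suggestion in the thread of a timestamp scrubber on a NAT firewall. Packets are plain dicts with assumed field names (src, sport, dst, dport, tsval, tsecr), and the hosts, addresses and counter values are constructed; a real implementation would sit in a NAT or firewall packet hook.

```python
"""Per-connection TCP timestamp modulation, in the style of PF's scrub.

Constructed model: packets are plain dicts with assumed field names
src, sport, dst, dport, tsval, tsecr (None when the option is absent).
"""
import random

MASK32 = 0xFFFFFFFF


class TimestampModulator:
    """Adds a random 32-bit offset to TSval on the way out of the NAT and
    strips it from the echoed TSecr on the way back in. The offset is fixed
    per connection, so timestamps stay monotonic within a flow (PAWS and
    RTT measurement keep working), but two flows, even from the same inside
    host, no longer share one counter that an outside observer could line
    up to count hosts or read uptime."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)  # seed only for reproducible demos
        self._offsets = {}               # (src, sport, dst, dport) -> offset

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        off = self._offsets.setdefault(key, self._rng.getrandbits(32))
        if pkt.get("tsval") is not None:
            pkt["tsval"] = (pkt["tsval"] + off) & MASK32
        return pkt

    def inbound(self, pkt):
        # The outside peer echoes our modulated TSval back in TSecr; remove
        # the offset so the inside host's RTT code sees the value it sent.
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        off = self._offsets.get(key)
        if off is not None and pkt.get("tsecr") is not None:
            pkt["tsecr"] = (pkt["tsecr"] - off) & MASK32
        return pkt


def wire_view(modulator, flows):
    """Run constructed outbound packets through the modulator and return
    the TSval an outside observer would record, keyed by flow name."""
    return {k: modulator.outbound(dict(p))["tsval"] for k, p in flows.items()}


# Constructed input: one inside host (10.0.0.5) whose TSval counter reads
# 12345678, opening two connections to different servers at the same instant.
INSIDE_HOST_TSVAL = 12345678
FLOWS = {
    "a": dict(src="10.0.0.5", sport=40001, dst="203.0.113.10", dport=443,
              tsval=INSIDE_HOST_TSVAL, tsecr=None),
    "b": dict(src="10.0.0.5", sport=40002, dst="198.51.100.7", dport=80,
              tsval=INSIDE_HOST_TSVAL, tsecr=None),
}


def demo(seed=7):
    """Returns (tsvals seen on the wire, TSecr restored for the inside host)."""
    mod = TimestampModulator(seed)
    seen = wire_view(mod, FLOWS)
    # Constructed reply from the server on flow "a", echoing what it saw.
    reply = dict(src="203.0.113.10", sport=443, dst="10.0.0.5", dport=40001,
                 tsval=999, tsecr=seen["a"])
    restored = mod.inbound(reply)["tsecr"]
    return seen, restored


if __name__ == "__main__":
    seen, restored = demo()
    print("on the wire:", seen)
    print("TSecr restored for inside host:", restored)
```

Without modulation both flows would carry the same TSval and an observer could pair them to one host (and, from the counter's value and tick rate, estimate uptime); with it, the two wire values are unrelated while the inside host still gets its own timestamps echoed back correctly. Note that a constant per-connection offset hides the counter's value but not its rate, so it does not by itself remove the skew signal the paper measures.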
this is a more impressive (and unique) way of looking at the problem
/golf clap
You got that right! Regardless of the possible sinister big-brother applications, didn't we all read this and deep down think Whoa, that's pretty damn cool! I know I did. This guy deserves major uber-geek points.
Why does the government need to find individual computers?
Not so simple:
What is the danger to the world that an individual PC is unidentified?
Compared to that danger, is the loss of anonymous free speech worth it?
If the answer is yes, then do we ourselves get to identify the PC's of CEO's, congressmen, celebrities, and other Upper Class members? Or is anonymity reserved for those who are rich enough, famous enough, powerful enough, or connected enough to hide?
And if they get to hide, but not us, isn't the very security we buy with our freedom to be anonymous then a sham? A method of control, the way Scott Ritter the ex-Marine weapons was slimed with kiddie-porn allegations from law enforcement that were just happening to be monitoring his habits just as he was being vindicated in his proclamations that the war's justifications were fake? BTW: the charges were dropped after his cred was ruined. Nice job burning the witch, Rove. Power to monitor coupled with the power to accuse and charge is the power to silence anyone, anytime for any reason and suffer NO CONSEQUENCES. Who was charged with sliming Ritter at such a politically convenient time for the Bushites? No one. And in the future, when they come for you, no one will save you or punish your accusers. Who themselves are anonymous and untouchable.
Are YOU safe from ruin if someone monitors you 24 hours a day?
If they can justify monitoring your internet usage, or track anyone they like, the legal precedent is set to monitor anyone, anytime, for any reason or non-reason, such as political/economic personal assassination. Not just your PC. What would stop them from establishing cameras on poles in front of your house to monitor your comings and goings? Microphones? They can already "sneak and peak" with a judges rubberstamp and no subpoena. They are establishing precedent to track your car with devices planted without warrant.
The current administration is currently using security laws to crush lawsuits about the detention and torture of people taken secretly after 9/11. Tom Delay used Homeland Security, illegally, to track down the Texas Democrats last year to bring them home to force a vote to disenfranchise Texas democrats - no penalties for him, and a precedent and example was set. The security apparatus established during the hysteria is being used to crush political opposition to the President and his party; they have shown that they are abusing their power, and care nothing that anyone knows.
The internet is the last, only hope for anonymous gatherings and free speech left in the world, and they, the amalgamate they are desperately shutting down the last means of mankind to speak to power without getting arrested or ruined for claiming their birthright.
I've not the skills to fix this technically. But we need a new communications system, asap, that is not under U.S. control or capable of being traced or monitored. I've got zilch. Is there a way of making a new pipe that CAN'T be subverted or controlled by the power mad? This is a serious question, and we may need an answer really soon.
If I read this article correctly, it requires the target to respond to TCP packets. Now, a stateful firewall is likely to prevent such responses ever being sent if they are unsolicited, so unless such a system were installed in every ISP or at Akamai's servers, or similar (and used connections initiated by the clients), it is not going to work.
The real "Libtards" are the Libertarians!
this won't work..
Doesn't xntpd adjust the system clock's drift to most closely match the real time? Wouldn't this completely kill the entire idea?
So all you have to do is apply a random fudge value of +-5 to the Round Trip Time Measurement in the packet header (and possibly the maximum segment lifetime), the system performance not likely to be affected, and you suddenly appear to be 50 different machines? It wouldn't be that hard to code, and (sniff) I smell a patch being brewed, tested, and posted as I speak. Oh, there, (sniff) I smell an improved version... ...Thanks for posting the tactic, too bad it's already been defeated.
posting to kill a bad moderation I made...
That said, there are some useful things you could do with this. One example I can think of would be to detect some obfuscated scanning techniques. As an example, nmap implements idle scanning, which is usually reasonably obvious because of the characteristic SYN->SYN/ACK->RST sequence, especially if the SYN and RST have different TTLs. Adding timestamp checks would make it more obvious (although, just as difficult to track down the original scanner).
Also, if someone used a decoy scan in nmap, it might be reasonably easy to tell which source addresses were really the same machine. You would probably also get enough information to construct a fairly accurate timestamp/skew profile of that machine. If you ever saw those IP addresses again, then you'd be able to check whether it was the real machine.
But, these are just my own ramblings. At the very least it seems to be interesting work (although the article linked is pretty crummy)
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
Why not just use the MAC address for identification? No two computers should have the same one.
Mike @ The Geek Pub. Let's Make Stuff!
Randomly adjust your RTC by a few millisecs every 30 seconds or so, or have your edge router (NAT box) mangle the timestamps.
OT Note to comcast and other ISPs: I am not violating anything in your usage policy by running my own NAT. I do not want the third-rate router you offer for "home networking".
Go ahead and try and employ these types of douchey tricks to "catch" me doing something that's perfectly acceptable to you (using my cable connection for my personal use, and that of my immediate families). All that'll happen is Speakeasy will get a new customer.
I don't need no instructions to know how to rock!!!!
The military has been doing this sort of concept for years, except with electromagnetic radiation.
The technique is called Specific Emitter Identification (SEI), and it's used to create a unique fingerprint of the signal characteristics of every known radar platform in the world.
And I'm not just talking about a fingerprint by model...we're talking a unique fingerprint for every individual radar in existence, all available in a managed database.
Of course, the enemy has no expectation of privacy if they broadcast radar waves, and honestly, neither do home users who connect to the open net.
If you want to fake out the SEI database, you either never transmit, EVER, or you tune or replace the radar. If you want to fake out this system, you don't connect to the net...or you tune or replace the processor. It's much like dodging cookies and such: it's perfectly possible to avoid being tracked by them, but it's on your shoulders to do so.
Man is the animal that laughs.
And occasionally whores for Karma.
It's funny, but what you suggest
really happened with a Novell server over a 4-year period at the University of North Carolina...
Is there some other reference to your apartment I'm missing?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Some people mentioned running NTP to eliminate the skew, but I say you wouldn't even need that. Computers are complex electronic devices and just because your CPU has 1.6 GHz written on it doesn't mean it runs exactly at 1.6 GHz. The frequencies vary with time and are influenced by any number of things, starting from the power grid and ending with your neighbor's powerful sneeze.
:)
Laptops are even worse. Different battery charge, moving from one power grid to another. And what about frequency scaling? Can you imagine the havoc this technology wreaks on your clock skew?
In short, this technique will never work outside of the lab. Back to the drawing board, assholes!
This is just another creepy technology that is getting out of control. Do we really want this? Anonymity goes hand in hand with security and is essential for a number of systems e.g. Freenet. It needs to be preserved and I do not want my tax dollars to go to waste on another piece of creepy technology for totalitarian governments.
Look on page 7 of the paper... At 2000 packets per hour, the skew value has > 6 bits of entropy (enough to uniquely identify 1 computer in a million).
installing a small TE or resistive cooler/heater on the clock crystal and randomly varying the temperature to remove systematic (i.e., repeatable) clock skew?
Here you can see who paid for such a nonsense paper: http://www.caida.org/members Is that where our money is going nowadays? That makes paying taxes really fun...
This kind of reminds me of the ballistic fingerprinting systems that are being pushed for by some gun-control groups. They all rely on some way of cataloging the physical marks left on a cartridge case (and sometime a bullet) when fired by a particular firearm.
The problem is that they are first, not very effective, and second, very easy to defeat. They are unreliable because an attempt to identify an arbitrary shell casing will cause the system to spit out several hundred potential matches. With guns made to exacting quality control standards, it can produce thousands of potentials. It's easy to defeat because the markings used are all produced by parts of a gun which are very easily replaced. All one has to do to change the ballistic signature is swap out the extractor, firing pin, and barrel of the weapon.
Something similar could probably be done here. One could swap out the oscillator crystals, change a few key capacitors to introduce timing variations, or even raise the temperature of a key component, and you'll have a different clock signature.
It's good to use your head, but not as a battering ram.
I was just glancing over that paper. This is total bullshit. Well, students have to make money somehow and sometimes they find some idiots who pay for stuff like that.
So if this becomes commonplace, can I randomly adjust the clock speed of my CPU to circumvent it? Hell, I'm already 600 MHz over stock, a few MHz to the + or - won't hurt.
> PC clocks are rather crappy and temperature sensitive
Line voltage sensitive, too. With the way newer processors throttle their speeds around based on temperature and loading, and the way fans change their parameters based on temperature, I have little hope for this technique nailing any new system.
Let's see, what were the authors using in the lab where they tested machine to machine variations?
"All the machines were Micron PCs with 448MHz Pentium II Processors". Right. From this, we get the grand statement shortly afterward "The current results strongly support our claim that modern processors have relatively stable clock skews". Uh, sorry guys, you didn't use a single modern processor for this section; just some obsolete ones that run so cool they don't have any CPU clock or temperature variation. There's not a machine to be found in their entire test that features the kind of design we see in actual modern processors.
The article linked to by slashdot does not fit the technical aptitude of many of the readers. Fortunately, it does link to the actual 15 page paper. The official page link with abstract is here. The full 15-page text is available in PDF.
With regards to your question about accuracy, here is a snippet from the actual paper(PDF)
This is an incredibly accurate and precise method of verifying if the computer is the same.
Some people have also mentioned NTP subverting this method. Here are a couple of key quotes about NTP.
Additionally, the method described can be used with the TCP timestamps option which
Paraphrasing, The article says that this technique can be used by websites, Carnivore-like apps, anybody between you and the computer you are communicating with, banner-ad companies and ISPs (think comcast forcing you to not use a NAT).
This is an incredible, and incredibly scary, way to track a physical computer. Doubtless, many security reform
There's no place like ~/
It is a Novell server :)
3.243F6A8885A308D313
The paper http://www.cse.ucsd.edu/users/tkohno/papers/PDF/ shows that they were able to get less than 7 bits of identifying information when monitoring communications for 2 hours. So they would only be able to distinguish 1 out of 128 machines. That would only be useful if there was a very small set of candidate machines.
3.243F6A8885A308D313
... what real apps actually use the TSopt info?
... why are optional pieces of protocols leaking system info by default? (And as required by ./, the MS dig)
... why is MS allowing incoming packet options to violate RFCs and change system security performance?
Has problems.
Over time, add and subtract will average out and let a person still see the information they want. It will just take longer.
Just a dirty little trick I did in the past: a double clock core. Both drift at different rates; once the drift of both is known you can stop the drift almost completely. Note this has a cost. Using a program that knows your clock's drift will reduce the drift a lot, i.e. the Linux clock system can be set this way. It still will drift due to external events (i.e. local events). Now this is a nasty trace once someone gets their clock too clean.
The causes of the drift: cheap grade clocks on motherboards, processor noise, fan noise and anything else making electromagnetic noise that can affect the crystal. I.e. mobile phones are great, they can themselves cause a 1 ms drift. This makes fingerprinting by time hard by itself in a place with a lot of moving stuff screwing with the clock (a workshop ended up making the login computer remote due to the login computer drifting randomly 0 to a full minute in a day, i.e. 30 days could be 30 minutes out, but not drifting much when not in the workshop).
What are the chances that a person would have 2 machines with the same skew?
I.e. you register your machine, I get your skew, so when you register again because you have had to reinstall I can compare that it was the same machine.
Now this would stop motherboard changing dead. Or make it really hard to register a pirate system for updates.
The god damn mess was not meant to be installed on another motherboard.
Yep, you are a pirate just because you swapped a motherboard. Really annoying; this is the importance of stuff like Linux where you buy a licence for support, not for software in most cases.
In theory, there's no difference between theory and practice. In practice, there's a big difference.
There is an imperfect crystal on your motherboard. This is the realtime clock. It will tick many many times a second. Let's assume for argument's sake that this clock will tick 2143123321 times a day. Let's also assume that if this crystal was perfect, it should tick 2143123920 times a day.
The difference - 599 ticks - is the clock skew. You can set your clock with ntpd 86400 times a day (once a second), and your clock skew will be ~599 ticks. You can set your clock once a week with ntpd, and your clock skew will STILL be ~599 ticks. Clock skew is independent of what time your clock thinks it is.
By clock skew, they mean the difference by which each computer counts time. That is what is being measured.
If each computer has unique skew how are they going to establish a common time reference standard? You can't have one physical machine sniff the whole net. Having a few however, would mean that the skew they measure is based on their perception of time, which is (as per definition) uniquely skewed. Now, if they can sync many machines completely, then we can basically do the same.
Someone above mentioned that the numbers indicate it should be accurate enough "to uniquely identify 1 computer in a million". Given that, combined with other identifiable info it should be enough to get a hard ID.
However, I'm wondering how easy it might be to spoof, such as with a firewall *designed* to produce random skew. Thoughts, anyone??
~REZ~ #43301. Who'd fake being me anyway?
Has problems.
Does it?
Over time, add and subtract will average out and let a person still see the information they want. It will just take longer.
The above is predicated on having long term samples to analyze. But if they can identify your machine over a long time to gather samples, then they don't need this technique in the first place. The whole point is to identify a machine which is moving around, connecting through multiple networks or otherwise taking actions which, intentionally or not, work to obscure their identity.
The one use that they mentioned where this might not apply was identifying the number of machines behind a NAT connection, but that should be trivially defeated by having the NAT machine re-timestamp each packet. All connections would show the timeskew of the NAT server.
There are, of course, other cases where it might come in handy. For example, you could likely show that a laptop that a user carries from home to work and back on a daily basis is the same machine, even though it has different IPs in the two locations. But this is a much narrower use. A criminal who connects via wireless at various Starbucks cafes for short periods of time probably won't leave enough of a trail for this technique to work if he's taking precautions against it like adding random offsets to his time.
"The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.
3.243F6A8885A308D313
Actually, if you check later on in the paper, they test a Dell Latitude C810 laptop as well. And in fact they find (section 7) that their techniques don't work so well there - clock skew varies depending on whether the laptop is on battery or line power, and in the latter case whether the battery is charging or not. Of course, anyone who's ever run adjtimex -c on a laptop has seen this....
If you read the whole FA that you linked, you'll find that the authors aren't claiming they can uniquely identify any computer on the net with this technique. In fact, they specifically disavow it (p. 13 of the PDF):
"For forensics, we anticipate that our techniques will be most useful when arguing that a given device was not involved in the recorded event. With respect to tracking individual devices, we stress that our techniques do not provide unique serial numbers for devices, but that our skew estimates do provide valuable bits of information that, when combined with other sorts of information such as operating system fingerprinting results, can help track individual devices on the internet."
So it's a bit less precise than a fingerprint or DNA testing. It would be nice to know how much less precise. The number of computers they tested was rather small.
Subjecting the clock crystal to random heating and cooling will foil this method easily. The variation doesn't need to be drastic. Randomly subjecting the clock crystal to a temperature variation of +/- 5 degrees would be more than plenty. Probably +/- 2 degrees would be sufficient.
The frequency and stability of a clock crystal is a function of temperature. Frequency as a function of temperature roughly follows a third order polynomial. By changing the temperature of the crystal, you place its operating point at different positions on the curve. Pick a position with a steep slope and you have high jitter. Pick a position at a local maximum or minimum and you have low jitter. All crystals are cut with a specific operating temperature in mind. Any variation from its design temperature will induce more jitter and drift.
What is lovely about third order polynomials is that depending on the operating point, you can have positive, negative, or zero derivatives. Vary the temperature and you vary the apparent physical characteristics of the crystal, and thus the signature of the clock skew.
Sync the software to hardware clock at boot time, and update the software clock in a low level interrupt. With a few subtle little variances worked in, and balances out a few seconds later.
I thought most OS's did most of that already (apart from the subtle variance bit)?
As far as NAT goes, why not b0rk the timestamps a bit on the packets? I'm no networking guru, but someone will come up with something soon enough to stop this.
Sure it's handy to have as evidence, but what can be used to solve crimes can also be used to carry out crimes.
this will not work with mobile systems because the skew is modulated by the range deviation from the AP.
there are a couple of ways to beat
easiest is to discipline the clock with some randomness. this would require a much larger number of samples and traditional logging techniques coupled with a script could block the probes before any definitive 'fingerprint' is established.
one might also derive ones clock from GPS. if enough people did this in conjunction with blocking discovered probes there would be no way to 'fingerprint' a particular machine.
of course, the 'criminals' will be the only guys trying to subvert this by blocking probes or messing with their clox so they are de facto GUILTY
One of these days there will be a better place to live than USA and it will not be because other places are getting better.
man adjtimex ...under linux, it would be trivial to change your skew slightly each time you attach to the network
---
the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
Comment removed based on user account deletion
[pg 4] Although the system clocks on professionally administered machines are often approximately synchronized with true time via NTP [19] or, less accurately, via SNTP [18], we stress that it is much less likely for the system clocks on non-professionally managed machines to be externally synchronized. This lack of synchronization is because the default installations of most of the popular operating systems that we tested do not synchronize the hosts' system clocks with true time or, if they do, they do so only infrequently. For example, default Windows XP Professional installations only synchronize their system times with Microsoft's NTP server when they boot and once a week thereafter. Default Red Hat installations do not use NTP by default, though they do present the user with the option of entering an NTP server. Default Debian 3.0, FreeBSD 5.2.1, and OpenBSD 3.5 systems, at least under the configurations that we selected (e.g., "typical user"), do not even present the user with the option of installing ntpd. For such a non-professionally-administered machine, if an adversary can learn the values of the machine's system clock at multiple points in time, the adversary will be able to infer information about the device's system clock skew.
GPS Atomic clock sync'd, 1 usec clock accuracy can now be had for less than $100. (ntpd + Garmin GPS 18 w/PPS). I've done it with the Garmin GPS 16. Works like a charm when the antenna has a clear view of the sky. Put one of these on a PC on your LAN and all your hosts will skew less than they can measure.
First let me say this was brilliant. It is easily subverted; however. NTP tricks won't work. Randomizing the returned TCP timestamp won't work - for long. What's the solution? Calculate the time skews for all of the systems that your system interacts with and simply "mirror" those time skews in your TCP timestamp in the communication with those systems.
Put the application that does this up on Sourceforge and submit an article to Slashdot. Within day's, millions of computers around the world will be echoing time skews, thus rendering this method useless.
The problem with this method is that it relies on obscurity and secrets. As long as you never tell anyone about the method and no one ever figures it out, it works. The second you write a research paper and tell the world it no longer works because some anonymous coward on Slashdot figures out how to subvert it.
CAIDA?
given who is suggested to be recruiting him for a UAV launched Maverick Missile, I suspect.
Facebook is a woodpecker tapping on the skull of Humanity, Forever.
Clock skew is the disparity between your clock value and some reference time value (probably the clock of the measuring machine). This disparity grows over time, and the rate of growth of this disparity is the difference between the rate of the measured system's clock ticks and the rate of the reference system's clock ticks. If you are going to do this "officially", your reference time should be an atomic clock instead of the rate of the measuring machine.
Thus the characteristic fingerprint that we want to measure is the rate, or frequency, of the clock on the measured machine -- or more precisely, its difference from some reference value. What we can measure are
- S1, S2 = The clock skew at two points in time
- DT = The time between the two observations.
The clock frequency error is then calculated as
This approach has a number of consequences:
- The longer you measure, the greater the number of bits of precision that you get in your measurement.
- More bits of precision mean that you can tell more machines apart. To identify one machine on the entire internet requires many bits of accuracy. To identify one machine on a LAN requires very few.
- Long measurements can be defeated by periodically resetting your clock. Rebooting, running NTFS, or manually setting your clock does this.
- Short measurements can be defeated by heating or cooling your machine, which affects the operation of the oscillator used by the clock.
- Swapping out the clock oscillator will change the fingerprint of your machine, but it may not be easy to do.
I hope this helps.
John
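An added illustration of the measurement John describes above (and of the tick-count explanation of skew earlier in the thread); this is not code from the paper or from any commenter. It turns TSval samples into the offsets S that John names, takes the two-point estimate (S2 - S1) / DT, and then fits all samples by ordinary least squares. The least-squares fit is this example's own simplification (the paper fits the offsets differently); the tick rate, packet spacing and delay jitter are assumptions, and every sample is constructed.

```python
"""Clock skew (drift rate) estimation from TCP timestamp (TSval) samples.

Added illustration; the least-squares fit is a simplification of the
paper's fit, and all sample data are constructed.
"""
import random

TS_HZ = 100  # assumed TSopt tick rate of the observed host (100 Hz is common)


def make_samples(n, true_skew_ppm, ts_hz=TS_HZ, interval_s=1.8, seed=1):
    """Constructed (monitor_arrival_time_s, tsval) pairs for a host whose
    TSval counter runs at ts_hz * (1 + skew) relative to the monitor's clock,
    with 0-20 ms of constructed one-way delay jitter on each arrival."""
    rng = random.Random(seed)
    samples = []
    for i in range(n):
        t_true = i * interval_s
        ticks = int(t_true * ts_hz * (1.0 + true_skew_ppm * 1e-6))
        arrival = t_true + rng.uniform(0.0, 0.02)
        samples.append((arrival, ticks))
    return samples


def offsets(samples, ts_hz=TS_HZ):
    """John's S values: (elapsed monitor time, how far the observed clock has
    got ahead of or behind the monitor's clock) since the first packet."""
    t0, v0 = samples[0]
    return [(t - t0, (v - v0) / ts_hz - (t - t0)) for t, v in samples]


def two_point_skew_ppm(s1, s2, dt):
    """Skew from two offset observations dt seconds apart: (S2 - S1) / DT."""
    return (s2 - s1) / dt * 1e6


def estimate_skew_ppm(samples, ts_hz=TS_HZ):
    """Least-squares slope of offset against elapsed monitor time, in ppm.
    Using every sample averages out the delay jitter that a two-point
    estimate swallows whole; a constant delay shifts all offsets equally
    and so does not affect the slope."""
    pts = offsets(samples, ts_hz)
    n = len(pts)
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    return sxy / sxx * 1e6


if __name__ == "__main__":
    data = make_samples(4000, true_skew_ppm=47.0)   # ~2 hours at 2000 pkts/h
    print("least-squares skew: %.2f ppm" % estimate_skew_ppm(data))
    pts = offsets(data)
    (x1, y1), (x2, y2) = pts[0], pts[-1]
    print("two-point skew:     %.2f ppm" % two_point_skew_ppm(y1, y2, x2 - x1))
```

Two of John's points can be seen directly: doubling the observation window or the packet rate shrinks the slope's error bar, and a step change of the system clock (an NTP reset) moves the offsets but not the slope, since the TSval counter's rate is what is being fitted.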
Humm... I see "clock entropy rewrite" command being added to a pf near you. You listening to me you OpenBSD freaks?
Besides, at 6 bits of entropy and only 1 in a million, this is not very useful in the larger context of the internet. Keep in mind that NAT is all about fan-out of existing address space. How much globally reachable address space is lit up in your particular geographic region? Do you even know?
From a security forensics point of view, 1 in a million is *THE* definition of reasonable doubt. 100s of millions, maybe, but the last thing I want to hear 10 years from now is that some shmuck got thrown in the slammer based upon bad math and a poor understanding of just how chaotic and complex the internet and the laws of large numbers actually are.
All they're really relying on is that the TCP timestamps (as defined in RFC 1323) go unmolested by your average NAT. Two bigger questions that need to be answered before these assumptions are thrown out the window by new NAT deployments are: How easy is it to retarget clock entropy to a patsy (keep in mind that spoofed NTP could remotely impact how the patsy's stack timestamps TCP packets) and just how necessary is compliance with RFC 1323 for the internet to remain functional.
Answer those questions and *MAYBE* I'll start paying attention.
...oh great, web pages that require +2000 packets to be sent before it loads.
Now I understand why broadband is the future.
...you should be able to send out packets with spoofed source addresses.
I'm waiting for the bit-torrent folks to implement a spoofed source UDP anti-leeching feature set to the protocol.
Combine that with the peersafe IP block list and bingo, the RIAA can get busy taking itself to court (and let's be realistic, how long will it be until this actually happens... and who's to say that it already hasn't happened).
for future reference
So what machine, OS, IP address etc have I sent this reply from ???????? Or is this bulls*** Boz
www.boznz.com Simple solutions to complex problems.
I believe there is a clue to how to defeat these attacks buried in the report.
The researchers only included one laptop in their study and yet laptops are arguably the most interesting targets to try to track. It is due to their portability that they are attractive to those desiring to stay anonymous. I find it interesting that among more than 70 devices they studied, only one was a laptop.
I also think they have paid less attention to this laptop than they should have:
"When booting with outlet power, the clock skew on laptop running Windows XP initially begins with a large magnitude, and then stabilizes to a skew like that in Table 5 until we disconnect the power; the initially large skew may be due to the laptop recharging its batteries."
What this suggests to me is that the voltage supplied to the oscillator may alter the clock skew. In fact, I wouldn't be surprised if overclocking or underclocking a desktop PC also changes the skew. Changing core and RAM voltages might also modify the skew. They should have researched these possibilities.
I have seen little mention here of another type of attack they describe which is independent of the TCP skew. The Fourier transform attack is scarier than they let on:
"...[O]ur Fourier-based technique does not require knowledge of a device's TSopt or system clocks..."
"Some systems send packet [sic] at 10 or 100 ms intervals, perhaps due to interrupt processing or other internal operating system feature [sic] on one side of a flow. When this condition holds, we can use the Fourier transform to extract information about the system's clock skew."
"...[W]e can use the Fourier transform on packet arrival times to estimate the frequency at which the device actually transmits packets (here packet arrival times refers to the times at which the monitor records the packets)."
What this says is that even if you're running a modified TCP stack and are filtering out ICMP requests, attackers may still be able to find out your skew.
I anxiously await the results of research on skew modulation techniques.
Skew is the absolute difference between two clocks. They're actually measuring the drift, or the rate of change of the skew. Remember this as you read on--this mistake confused the heck out of me until I was well into the thread. Clocks which are not synchronized drift in time w.r.t. each other and this drift is more or less a constant and can be used to identify a particular system.
... of being identified on the Internet ??
Nobody seems to care that we can be located/identified thru our GSM-phone...