Slashdot Mirror


Tracking a Specific Machine Anywhere On The Net

An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."

5 of 470 comments

  1. This can be good... by TedTschopp · · Score: 5, Interesting

    I have a co-worker who just got her laptop stolen. Now if the computer could be tracked when the jerk logs it into the Internet, that would be helpful in tracking the guy down.

    Ted Tschopp

    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
  2. Dangers with licence activation by Harodotus · · Score: 5, Interesting

    Several points here. If true, it could be used to devastating effect in licensing / activation programs. Many publishers view downloading software onto multiple machines as proof of violating single-machine license agreements, while at the same time allowing multiple downloads of that software to ease the customer service burden from "It didn't work when I first tried to download it" calls. If somebody were to buy such a package and then download it to his desktop and then later to his laptop, this kind of fingerprinting would allow the publisher to catch him.

    From TFA, it says that:
    The technique works by "exploiting small, microscopic deviations in device hardware: clock skews." In practice, Kohno's paper says, his techniques "exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device."

    This sounds to me like firewalls would have to be modified to intentionally hide this data and remove this difference in timestamp calculations (the firewall generates both and back translates when doing NAT). So it's just a call for yet another firewall patch. Can the firewall vendors patch and globally implement faster than this privacy exploit can be exploited? I would hope so at least.

    --
    It's not users who are broken, it's systems not taking account of their likely behaviour and fixing it technically.
  3. So... by gowen · · Score: 5, Interesting

    Here's what I don't see. Let's say:
    i) most (say, 75%) of internet-connected computers have clock correct to within a couple of minutes.
    ii) Few TCP timestamp clocks bother with a click time shorter than 1ms.

    That means that 75% of the computers must be mapped to a space containing 4*60*1000 = 240,000 unique items.

    Now, surely there are more than a quarter of a million computers on the Net, so how will this enable us to track a device uniquely?

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  4. Sceptical by bsd4me · · Score: 5, Interesting

    I am a little sceptical as to how well this works. PC clocks are rather crappy and temperature sensitive. If you look at the ntp.drift file, you will see a diurnal pattern. Plus, I would suspect that if this technology became widespread, that someone would add some dither to adjtime() to throw it off.

    --

    (S(SKK)(SKK))(S(SKK)(SKK))

  5. Re:Fingerprinting by Fjornir · · Score: 5, Interesting

    How about rigging my TCP stack to add/subtract a random number to the timestamp in my headers?

    --
    I want a new world. I think this one is broken.
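
The estimate described in the TFA quote in comment 2, together with the countermeasures raised in comments 2, 4 and 5, as an added example that is not code from the paper or from any commenter. It fits an ordinary least-squares line (a simplification chosen for this example) to constructed (receive time, TSval) pairs, then repeats the fit after per-packet random dither and after a gateway rewrites TSval from its own clock. The 1 kHz tick rate, the skew values and all function names are assumptions.

```python
# Added example: every trace is constructed and all names are hypothetical.
import random

WRAP = 2 ** 32  # TSval is a 32-bit counter (RFC 1323)

def make_trace(skew_ppm, hz=1000, duration_s=3600, step_s=10,
               start=WRAP - 500_000, dither_ticks=0, seed=1):
    """Constructed trace: (receiver_time_s, TSval) pairs for one sender."""
    rng = random.Random(seed)
    trace = []
    for i in range(duration_s // step_s + 1):
        t = float(i * step_s)
        ticks = int(t * (1 + skew_ppm * 1e-6) * hz)
        if dither_ticks:
            ticks += rng.randint(-dither_ticks, dither_ticks)
        trace.append((t, (start + ticks) % WRAP))
    return trace

def estimate_skew_ppm(trace, hz=1000):
    """Least-squares slope of (sender elapsed - receiver elapsed) vs. time."""
    t0, ts0 = trace[0]
    xs = [t - t0 for t, _ in trace]
    # Modular subtraction unwraps one 32-bit rollover of the counter.
    offs = [((ts - ts0) % WRAP) / hz - x for (_, ts), x in zip(trace, xs)]
    mx = sum(xs) / len(xs)
    mo = sum(offs) / len(offs)
    num = sum((x - mx) * (o - mo) for x, o in zip(xs, offs))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den * 1e6

def rewrite_at_gateway(trace, gateway_skew_ppm, hz=1000):
    """Model a gateway that replaces each TSval with one from its own clock."""
    return [(t, int(t * (1 + gateway_skew_ppm * 1e-6) * hz) % WRAP)
            for t, _ in trace]

def compare():
    laptop = make_trace(50.0)
    desktop = make_trace(-30.0)
    return {
        "laptop": estimate_skew_ppm(laptop),
        "desktop": estimate_skew_ppm(desktop),
        "laptop_dithered": estimate_skew_ppm(make_trace(50.0, dither_ticks=20)),
        "laptop_rewritten": estimate_skew_ppm(rewrite_at_gateway(laptop, 5.0)),
        "desktop_rewritten": estimate_skew_ppm(rewrite_at_gateway(desktop, 5.0)),
    }

if __name__ == "__main__":
    for name, ppm in compare().items():
        print(f"{name:18s} {ppm:+7.2f} ppm")
```

Run as a script, it prints the five estimates. The two rewritten traces give the same value because they carry only the gateway's clock.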