Computer's Heat May Unmask Anonymized PCs
Virtual_Raider writes "Wired is carrying a story about a method developed by security researchers to identify computers hiding behind anonymity services. From the article: 'His victim is the Onion Router, or "Tor" — a sophisticated privacy system that lets users surf the web anonymously. Tor encrypts a user's traffic, and bounces it through multiple servers, so the final destination doesn't know where it came from. Murdoch set up a Tor network at Cambridge to test his technique, which works like this: If an attacker wants to learn the IP address of a hidden server on the Tor network, he'll suddenly request something difficult or intensive from that server. The added load will cause it to warm up.'"
http://knuttz.net/hosted_pages/USB-Cooking-20060822
the heat-up causes a shift in how much the clock drifts, and you can query time from different servers to pinpoint which one it is.
See what reading the article gets you? A tiny nugget of useless information.
It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
You really should've read TFA in this case. Apparently, heating up the box causes fluctuations in system time which this chap claims to be able to detect in a meaningful way. There's more to it - interesting read.
Alli
OMG!!! Ponies!!!
But what if the router happens to be an overclocked gaming system and the user happens to have fired up Prey/Doom3/others for an intense gaming session?
The temp increase is the method to cause the clock to skew as the chip heats up due to added server load. The heat itself is not detected, so the summary is very misleading. The idea is to load the server enough so that the timestamps begin to change, and these changes can be detected.
Of course, the defense to this attack is probably something along the lines of:
$ man nice
Try to hack my 31337 firewall!
Um... doesn't that require him to have physical access to the server anyway?
According to TFA, no. Now maybe you want to R it.
Don't become a regular here -- you will become retarded.
You left out the part about how his method only has 64 unique "fingerprints" and so this is utterly useless.
They'll peg the CPU, that way it'll be warm all the time. And since they can be set as an idle process they'll step aside as needed.
"You are only young once, but you can be immature forever." -www.animemusicvideos.org
You measure clock skew before, during, and after you hit the hidden service. If the change in clock skew happens at the same time you load the server, that indicates that it's probably the correct server.
Ewige Blumenkraft.
Randomizing the clock of systems serving Tor traffic would render this attack worthless.
Since this and other such attacks are based on analyzing very small changes in the target system clock, even a tiny amount of randomization or pseudo randomization would be effective.
What if your servers are busy with other tasks, like decoding other people's TOR traffic? It seems to me that busy servers are pretty chaotic and this attack would be pretty dicey in the real world.
I read the internet for the articles.
Not that I think this sort of thing is really going to become anything more than an interesting proof-of-concept anytime soon, but couldn't you combat this by having a local NTP server for your server farm, and then setting the servers to update from that server at frequent intervals (say every 5 sec or so)? It would waste cycles on the machines and generate some extra load on the network, but it would keep the clocks from ever drifting far, and it would narrow the window in which you'd be able to detect drift to something pretty small.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
So the next iteration of TOR will inject random +/- ticks into the timestamps, making it impossible to decorrelate.
Not to mention that anonymous browsers are not servers. They will not respond to load.
What is needed - better protocols for mail and other services making anonymous services moot.
I'm changing my heatsink from copper to fiber...
Help test the
I misread the title the first time, the joke being I do heat my office with computers. I have three of them in the room and the 4800 dual core puts out a fair amount of heat on its own, keeping it toasty compared to the rest of the house. I used to have a dual 300 that got so hot you couldn't touch the side of the case. I literally put a box fan on that one to keep it running.
I picture this attack being used as part of an ongoing investigation. They have a target and they just need some pattern analysis to secure the warrant. Over a month-long investigation, they could glean a lot of info by throwing up very specific requests and seeing if your hard drive springs to life or your CPU spikes.
In most cases, they wouldn't even need to be near your house. A well-positioned ammeter with remote sensing could tell you if the CPU suddenly needed more power.
I'd rather you do it wrong, than for me to have to do it at all.
It's amazing how fast the year flies. It seems like Christmas was just this week and we're already at April 1.
Close, but no cigar.
His software lets you pinpoint servers in the anon TOR network; good trick, but ultimately useless (since it's the user's computer you are trying to find).
Of course the other problem is "giving it a heavy load": define heavy load? Is it just a little more than usual? Or does it mean you have to heat the board (he goes off the system clock, maintained by a frequency crystal on the MB)? Most data centres, I would think, would be fairly efficient at routing even high heat loads out of enclosures and away from the machine.
And then, whoever he does this to can sue him for DoSing their machine; if they can prove (and it's not overly difficult) that heat damages computer parts, he can be nabbed for wilful destruction of property as well, since his whole exercise heats the machine for no other reason than locating it.
Then of course, the only way to "heat up" said computer is to do it through the TOR API, which I am guessing most anon servers are built to handle very well (since that would be their primary task).
Oh, and this of course neglects to take into account that your TOR requests may be handled by many many servers in a cluster, each one heating and skewing at different rates...
Ok, it's late on a Saturday afternoon and I can poke that many holes in his trick (even if only one is at all real); gimme a good 2-3 hours with some energy drinks in me and I can find more, I am sure ^_^
If he can prove it works (and successfully do something useful with it) in the real world, then it would be a better story.
...
consider the parent posters ID: 25287
:P
consider your id: 223197
Then, consider the fact that you found "You must be new here" a novel response - at least novel enough for you to use it. Let me just say, *You* must be new here.
P.S. I hope the recursive irony - including my ID and the parent poster's ID - is self evident. No need for recursive "*You* must be new here" replies. Please think of the children.
P.P.S. I don't really think recursion is the right word. But the fact that an 'older' user is declared 'new' by a newer user on each child post should lead to a division by zero, a black hole, or at least a bizarro world somewhere... or it might just be my bed time.
Read what you just said. Skew is a distortion of measurement. In normal operation there is no distortion, only when the crystal is heated. So by definition there is only one possible value for the skew and it's the change from before to after the crystal has been heated.
Ok, so if I am using Tor, presumably I've got clients behind these servers.... so according to the article, he can detect a server? What good does that do him? That doesn't identify *MY* machine the client which is actually doing the browsing. So, he can see which server is running Tor... couldn't he just portscan to find that out?
Sounds a lot like the timing-based attack on RSA. And it's very easily countered by adding some extra (random if you want) time padding.
Sure there's clock skew normally. I know that my computer doesn't have a caesium-133 atom inside of it. As such, the clock is inaccurate and bound to vary relative to the correct time. I have noticed that it has been up to a couple of minutes off. Right now, as I updated it from an NTP server, it was 4 seconds off. It has to become inaccurate to have that problem.
Ewige Blumenkraft.
More info on Murdochs talk can be found at the congress website.
I'll take issue with your usage of the word "older"; I'll have you know that, at a measly 23 years old, I'm probably younger than
And I'm too tired to really care that I really don't need to get involved in another log(UID)-based pissing match. (But hey, isn't that what posting on Slashdot at 2:30AM is all about? Besides, I already made a constructive comment over in the article about embedding DB authentication credentials on software.)
(And this ends my stupid and over-explained attempt at being funny. May a future potential employer find this comment and giggle.)
folding@home running at low priority will suck up the unused cycles on your machine giving a pretty much flat power draw in response to "extra" work since you are always doing extra work
Snowden and Manning are heroes.
You must be new here.
Everyone knows that no number of P.P.P.P.P.P.P.S.s that you can add will prevent SOMEONE from posting this very comment.
I pretend to know more than I really do by mooching off google and wikipedia.
Yes but that's not the skew he's measuring. He's only measuring the skew caused by heating the crystal.
The word you're looking for is induction.
There are CPU frequency-shifting programs (for Linux: cpufreq) that allow the computer's user to change the CPU's frequency to his/her liking...
One could easily set the frequency lower than the original maximum, so that spikes can't be detected.
Add to the above approach, keeping the clock in sync, as others have noted.
Mod points are a dangerous tool. Abuse them wisely.
My CPU temp would spike more than what he's doing to me. Or if I'm playing a game.
Packet-rewriting firewalls, here we come :)
Trying to become famous by taking photos. Visit my homepage please.
Apparently written by someone who has never stepped in a well stocked data center before.
Never randomize what you can remove. They'll do a bunch of attacks, then average out the randomness.
Best to try to correct for the clock skew more often, instead.
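The comments above describe the measurement itself (compare clock skew before, during and after loading the hidden service) and then argue about whether randomizing the clock or correcting it more often is the better defence. Here is an added example, not code from any comment in this thread, that models that measurement with simulated clocks and puts the two defences side by side. Skew is estimated as the least-squares slope of (remote time minus local time) against local time, and the "attack" is just the change in that slope between the window before the load and the window during it. The function names (`simulate_remote_clock`, `skew_ppm`, `compare_defences`) and the chosen numbers (50 ppm inherent skew, 100 ppm extra under load, +/- 10 ms jitter, a correction step every 10 s) are assumptions for the demonstration, not figures from the paper.

```python
"""Clock-skew measurement model and a comparison of two mitigations.

Added example, not code from the thread or from the paper. Every clock here is
simulated; the "remote clock" is a constructed model, not a real host.
"""
import random


def skew_ppm(samples):
    """Least-squares slope of offset (remote - local) against local time, in ppm.

    samples: iterable of (local_seconds, remote_seconds)."""
    pts = list(samples)
    n = len(pts)
    xs = [loc for loc, _ in pts]
    ys = [rem - loc for loc, rem in pts]
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def simulate_remote_clock(duration_s, interval_s, base_ppm, load_ppm,
                          load_start, jitter_s=0.0, step_every=None, seed=1):
    """Constructed remote clock, sampled once per interval (assumed model).

    base_ppm   : the crystal's inherent skew
    load_ppm   : extra skew once the host is under load (t >= load_start)
    jitter_s   : uniform +/- noise added to every reported timestamp
                 (the "randomize the clock" defence)
    step_every : if set, the clock is stepped back to true time this often
                 (the "sync with a local time server every few seconds" defence)
    Returns a list of (local_time, reported_remote_time)."""
    rng = random.Random(seed)
    samples = []
    offset = 0.0          # remote - true, in seconds
    last_step = 0.0
    n = int(duration_s / interval_s) + 1
    for i in range(n):
        t = i * interval_s
        noise = rng.uniform(-jitter_s, jitter_s) if jitter_s else 0.0
        samples.append((t, t + offset + noise))
        # Skew accumulates between samples; load adds to the crystal's drift.
        ppm = base_ppm + (load_ppm if t >= load_start else 0)
        offset += ppm * 1e-6 * interval_s
        t_next = (i + 1) * interval_s
        if step_every and t_next - last_step >= step_every:
            offset = 0.0          # clock stepped back to true time
            last_step = t_next
    return samples


def skew_change_ppm(samples, load_start):
    """Skew during the load window minus skew before it, in ppm."""
    before = [s for s in samples if s[0] < load_start]
    during = [s for s in samples if s[0] >= load_start]
    return skew_ppm(during) - skew_ppm(before)


def compare_defences(base_ppm=50.0, load_ppm=100.0):
    """Run three scenarios and return the observed skew change for each."""
    common = dict(duration_s=600, interval_s=1.0, base_ppm=base_ppm,
                  load_ppm=load_ppm, load_start=300)
    plain = simulate_remote_clock(**common)
    jittered = simulate_remote_clock(jitter_s=0.010, **common)   # +/- 10 ms noise
    stepped = simulate_remote_clock(step_every=10.0, **common)   # corrected every 10 s
    return {
        "no_defence": skew_change_ppm(plain, 300),
        "jitter_10ms": skew_change_ppm(jittered, 300),
        "step_every_10s": skew_change_ppm(stepped, 300),
    }


if __name__ == "__main__":
    for name, change in compare_defences().items():
        print(f"{name:16s} observed skew change: {change:8.2f} ppm")
```

The jittered run still recovers the 100 ppm change to within a few ppm, because a least-squares fit over 600 samples averages the jitter away, which is exactly the "do a bunch of attacks, then average out the randomness" point. Stepping the clock back every 10 s leaves a change well under 1 ppm: the slope is what gets measured, so removing it beats obscuring it. A real NTP daemon slews the clock rather than stepping it, which removes the slope even more cleanly.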
Plus other distributed projects, like the ones from http://www.distributed.net/
Mod points are a dangerous tool. Abuse them wisely.
You must be new here...
I really don't need to get involved in another log(UID)-based pissing match. (But hey, isn't that what posting on Slashdot at 2:30AM is all about?
:-P
STFU, noob.
Waiting, waiting, waiting.....
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Just run Folding 24/7, max out your CPU. Also, monitoring heat requires physical access to the server. Oh well, nice try though.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Gee, all this braintrust and everyone missed the part were he says that there are easier and faster ways to attack Tor. Maybe you all should be worrying about THAT, instead of how to keep your clocks from skewing?
All the anonymised computers which heated up had Pentium 4s.
Classical Liberalism: All your base are belong to you.
lot of hot air to me ! *ducks*
And here I thought he was executed via hanging. Instead...
Death by Boonga-Boonga!!!
This space unintentionally left blank.
. . .the fact that an 'older' user is declared 'new' by a newer user on each child post should lead to a division by zero, a black hole, or at least a bazzarro world somewhere...
.in Japan!
. .
KFG
You need to query a list of suspects and there are only at best 64 unique fingerprints.
Should I be scared now?
It looks to me like this can (somewhat) finger print a given machine but I sure don't see how it can discover an IP on TOR.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
pwned
Somehow I don't think that would meet the standard for evidence...
You need to measure tiny variations in current caused by one device, mixed in with the haystack of all the other electric devices in your house... Most of which can vary significantly from moment to moment.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Commodore64_love: I don't comprehend people who're so frightened of death that they'll bankrupt themselves to stay alive
You must be ....
.. forget it.
awww
1. Create a minor botnet
2. DDoS a server, not enough to kill it but slow it down a lot
3. Measure response times to hidden service
4. If all requests using different paths now are slow, you got it
Also, that attack scales to detect multiple hidden sites simultaneously - hit one server, request ten sites and see who answers quickly and not. It's just a consequence of depending on one machine. The only way you could totally avoid that is to not have services at all, only a distributed datastore like e.g. Freenet. That would severely limit the possible applications though.
Live today, because you never know what tomorrow brings
Since date and time information isn't included in TCP/IP packets, this kind of attack won't work for all services. Assuming that the "hidden servers" in question are HTTP servers, there is a rather simple workaround: simply disable sending the "Date" header. This can probably be accomplished with mod_headers in Apache, but I've never tried using it myself. Oddly enough, the server would still be standards compliant. Obviously, servers that leak the current time by some other means would still be vulnerable.
A simpler, less precise attack of this nature would simply be to continuously ping the suspected server via both Tor and the public internet. If they (reproducibly) fail at the same time (and we could launch a denial-of-service attack to make it fail), they're probably the same machine. Attacks of this nature might even be able to confirm if a hidden server is on the same network as another computer.... But any of these attacks require someone to suspect you of running the server in the first place—and if they do, you probably have bigger problems to worry about.
The bottom line is, as Tor's manual clearly indicates, having a hidden server machine accessible from both Tor and the internet is a bad thing. Operators of hidden services should use a dedicated machine and block all incoming traffic (on all TCP and UDP ports) that is not via Tor.
At our school, we don't earn a degree when we graduate—we earn pi/180 radians
That's it, I'm removing the NSA logo'd temperature monitor from my PC.
If you leave a process running in the background consuming 100% of your cpu all the time, like setiathome or distributed.net, then your system won't get hotter, rather it will just be processing something else to load the cpu and still generating the same amount of heat.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It shouldn't be too hard to isolate the power usage of your basement.
What if there were a time sync server in the setup whose whole purpose in life is to keep track of the time?
Have no other apps running on it, so that it has negligible system load. All the other systems in the TOR could be set up to sync their time with it every few seconds, i.e. before clock drift becomes detectable. Might check each and every second so as to intentionally cause a collision on the time server and add some randomness. Or, do a time sync every random(1..10) seconds. Or, use multiple NICs going to different ports on the switch/router where one NIC has a short ethernet cable, and the other one is quite long, so as to introduce different delays in the comms with the time server. I'm sure there are other ways.
Here is a simple way of beating this attack, run Seti@Home to keep your computer cooking at all times.
Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
This theoretical attack is based on using (previously covered on /.) clock skew to identify systems.
The correct defense is the same as the last time:
a) Make sure that there is no system clock skew, by running Network Time Protocol (NTP) on all servers.
b) Make sure that all externally visible timestamps are based on the system clock.
Part (b) is the only difficult step, since many current IP stacks use a private counter/clock instead of the system clock, presumably to reduce the overhead of providing timestamps. I know that Linus T has discussed using user-level library code to provide microsecond resolution (or better) timestamps, with very low overhead:
The library code can just query the cpu/system timer, multiply by the current scale factor (which depends on things like dynamically variable cpu clock frequency), and add the base time which was stored by the OS on the last HW clock interrupt: Total runtime, including call/return overhead can be below 100 clock cycles, which is fast enough to use it everywhere timestamps are needed:
BTW, I wrote asm code to do exactly this inside Novell's NetWare OS a little over 10 years ago. In NetWare these timestamps were used by the Packet Burst algorithms which optimized packet transmission rates.
Terje
"almost all programming can be viewed as an exercise in caching"
And you must have missed the part that it's not the timestamp he measures, but the change in timestamp over a period of time that correlates to what he has the remote server do. That's a lot more telling.
Ok, I read the article, and it essentially says.. "Do something intensive, the clock slows down marginally, then use the differences potentially created to find which machine it was".
In his TOR network test, he apparently found the machine, but.. how many of them were receiving "Normal Day to Day" use? On how many of those machines were people playing first person shooters or real time strats? Even once the TOR request is complete, if people are still gaming, in the time it takes to find the IP, that skew more than likely would have increased more.
In a real life situation, the time it would take to find a tor server, would be easily long enough for a different skew to have developed.
Apparently it's difficult to defend against it, but it's also difficult to actually PROVE it.
What i haven't seen mentioned yet is:
;)
Won't this break down if more than one investigator is running this attack on a network? What if several people try this trick against a group of servers? How would they know the time skew was due to THEIR query? What if this is the best trick ever, so everyone trying to track down a computer uses it?
Couldn't they detect whatever the popular trick is to increase temp and have the computer try and skew others on the network. I don't suppose you would want to do it randomly against your own network as it may slow everything down but it seems you certainly could.
Seems like a lot of variables in there along with the other ideas presented.
Sounds like a good theory that runs into real world speed bumps pretty quickly.
Having a flying car to get around traffic sounds great, until everyone else gets one too....
I miss read the title the first time, the joke being I do heat my office with computers. I have three of them in the room and the 4800 dual core puts out a fair amount of heat on it's own keeping it toasty compared to the rest of the house. ...
I did the same "back in the day" when I got my first personal Unix box - an Altos 68000 - one of a crowd of generic Motorola 60x0 unix boxes that came out before PCs squeezed them out. With a meg of RAM and an 8" hard drive it put out enough heat to keep the computer room and the adjacent living room toasty in a Michigan winter.
Of course this was an issue in a Michigan summer. Fortunately the 4" fan blew OUTWARD at the rear of the box. I modified a drier vent to mount over the fan and ran a 4" drier hose to a similar vent mounted in an insert in the window. Then the heat was exhausted outdoors. B-)
Ops/watt were a lot fewer in those days. But the dissipation per room without cooling and power available per outlet is still the same. It's interesting that we now have enough uses for crunch that the old room-heat issue is still (or once again) with us.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Not one. You have to know a finite set of computers that are a Tor network. In my reading of the article it seems that without this finite set you fall victim to the 16 per 1000 that have the same skew, problem.
Without knowing as well that all systems are skewed differently you also have a problem. What if you grabbed a random set of 32, with 2 groups of 12 and one of 8 with identical skews?
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
is this the place for people with uid's under 100,000?
I can see SWAT teams zeroing in on toaster ovens all over the World.
Any self-respecting admin is going to keep his servers in a temperature controlled environment, but the lunch room is another story entirely.
I want to know the size and source of the grant supporting this research. I'm looking for funding for my fusion-at-room-temperature device (pics on YouTube!).
You are welcome on my lawn.
This paper is actually a few months old. It was presented to the ACM in October and linked from Light Blue Touchpaper in September. Here is a link to the summary along with links to the actual paper and slides to Murdoch's talk:
http://www.lightbluetouchpaper.org/2006/09/04/hot-or-not-revealing-hidden-services-by-their-clock-skew/
http://www.cl.cam.ac.uk/~sjm217/#talk-ccc06hotorn
I believe many of the mitigation techniques mentioned in previous comments have been discussed elsewhere and some of them do not work nearly as well as you would expect.
9 million different things could cause a cpu to heat up.
first of which is poor circulation.
bad software, a network attack, a defrag, a virus scan
and since when is TOR a bad thing? since when is anonymizing your computer a crime?
They're using their grammar skills there.
An easier fix would be to keep the processor pegged at 100% with a low priority process. Any new process would just keep it maxed, so there shouldn't be any appreciable heat related skew.
I thought you were dead....
Not at all, people are making too many assumptions about what is not written. All it says is that he tests the skew caused by heating up the crystal which takes several hours to do. It says nothing about testing the skew while the system is "idle" because in reality there's no way for him to know if the system is actually idle or not. His system is all about making sure there is a load and then testing the skew while it's hot.
Simply lock up the CPU doing something busy all the time.... ie
nice -n +20 gzip < /dev/zero > /dev/null &
:) No recompile or rewrite of some RFC required.
On any modern unix variant, you'll not notice any loss in performance, however, just about every available cpu cycle will be chewed. Your system load (cpu and interrupt) will be relatively constant, regardless of what else you might have the box doing.
Check and see, but I think all of us unix junkies have those commands installed by default.
I think it's a cool fix.
This technique will work to find where they are looking, but not who is doing the looking. It'd take a lot of traffic to make my computer at home heat up.
Sounds like what they have is more a way to tell which server you are using. Not sure it would be useful to anyone else. Also, there must be some false positives here too.
Everybody knows 3 people with my name.
On the other hand, Tor can be used by simply configuring the users application to use a known Tor entry point as a proxy server. This configuration can be removed when the user is done, leaving little or no tracks. In this way, Tor can be used by any system that supports TCP/IP and SSL.
This is slightly offtopic, but I didn't realize that you could use the TOR network in this way. Can you expand on this? I thought in order to use TOR, you had to install the TOR software package on the end-user's machine, and then point the web browser to use a SOCKS4a proxy on the localhost, running on some special port.
I always saw this as a weakness of TOR, because it meant that you couldn't use it from a public computer, or in an atmosphere that was hostile to the very idea of anonymity products in general.
Do you have to set up a special TOR node to accept external SOCKS connections, in order to use TOR without any software installed? Or can you just get a list of addresses somewhere that are known inputs into the TOR network, pop one into your proxy configuration, and surf away? (And in the latter case, where does a person get the addresses?)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Seems like a pile of steaming bs.
Even if the theory were true, you still would be going through multiple computers, so you would be unable to detect skew, let alone packet latency which would differ.
NEXT
Darren
- Some dialogue explaining the process* in a step by step manner that can be spoken over stylized computer screenshots and typing noises.
- Some Photoshopped computer screens with GIGANTIC FONTS that look like the process is happening. Progress bars please.
- Some kind of hip crime that computer nerds are doing now. Pedophilia is old news--Dateline has that wrapped up. Something with barely concealed titties would be nice, but I may be asking too much.
Thanks for your help, please send said help with a waiver.* Accuracy NOT required.
blarg.
Fuck you. Anyone who still pretends they're a "phreaker" needs to have their nuts removed so they can't reproduce.
http://zero-to-enterprise.blogspot.com/
Rofl, sounds like I hit a nerve. I made a few accounts way way back and this is the only one I've been able to remember and don't give a rats ass about how bad a name it is.
Or possibly even have it randomly change frequency within a range of a couple hundred mhz at random every few seconds.
My name isn't Rofl.
...Noob
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
You definitely are new here.
Abandoned ID's can be reclaimed by new users.