Slashdot Mirror


Involuntary Geolocation To Within One Kilometer

Schneier's blog tips an article about research into geolocation that can track down a computer's location from its IP address to within 690 meters on average without voluntary disclosure from the target. Quoting: "The first stage measures the time it takes to send a data packet to the target and converts it into a distance – a common geolocation technique that narrows the target's possible location to a radius of around 200 kilometers. Wang and colleagues then send data packets to the known Google Maps landmark servers in this large area to find which routers they pass through. When a landmark machine and the target computer have shared a router, the researchers can compare how long a packet takes to reach each machine from the router; converted into an estimate of distance, this time difference narrows the search down further. 'We shrink the size of the area where the target potentially is,' explains Wang. Finally, they repeat the landmark search at this more fine-grained level: comparing delay times once more, they establish which landmark server is closest to the target."
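
The three stages in the summary can be followed end to end on constructed data. The block below is an added example, not the researchers' code: it converts each RTT into a distance bound (stage 1), keeps only the known-location landmarks inside the intersection of those bounds (stage 2), and then picks the landmark whose delay from a shared router is closest to the target's (stage 3). The 4/9 c propagation speed, the coordinates, the landmarks and every delay are assumptions made for the illustration. In this layout the method settles on landmark B, about 4 km from the true position, because B sits at roughly the right distance from the shared router but in the wrong direction; delay bounds distance, not bearing.

```python
"""Landmark-based delay geolocation, following the three stages in the
article summary.  Added example, not the researchers' code; every
coordinate, landmark and delay here is constructed for illustration."""
import math

EARTH_RADIUS_KM = 6371.0
# Assumed propagation speed of 4/9 c, a conservative upper bound often used
# for delay-to-distance constraints (assumption, not from the article).
SPEED_KM_PER_MS = 299.792458 * 4 / 9


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def stage1_region(probes):
    """Stage 1: an RTT only bounds distance (one-way delay <= rtt/2), so each
    probe (prober_coord, rtt_ms) yields a disc that must contain the target."""
    return [(coord, rtt_ms / 2 * SPEED_KM_PER_MS) for coord, rtt_ms in probes]


def inside_region(point, discs):
    return all(haversine_km(point, centre) <= radius for centre, radius in discs)


def stage2_candidates(landmarks, discs):
    """Stage 2: keep the known-location landmarks inside the stage-1 region."""
    return [name for name, coord in landmarks.items() if inside_region(coord, discs)]


def stage3_closest_landmark(candidates, router_delays_ms, target_delay_ms):
    """Stage 3: landmarks and target hang off one shared router; the landmark
    whose router->host delay is nearest the target's is declared closest.
    The delay gap converted to distance is only a bound: no direction."""
    best = min(candidates, key=lambda n: abs(router_delays_ms[n] - target_delay_ms))
    return best, abs(router_delays_ms[best] - target_delay_ms) * SPEED_KM_PER_MS


def locate(probes, landmarks, router_delays_ms, target_delay_ms):
    discs = stage1_region(probes)
    candidates = stage2_candidates(landmarks, discs)
    if not candidates:
        return None  # no landmark survives the distance constraints
    name, bound = stage3_closest_landmark(candidates, router_delays_ms, target_delay_ms)
    return {"candidates": candidates, "nearest": name,
            "estimate": landmarks[name], "bound_km": bound}


# --- constructed scenario ---------------------------------------------------
SHARED_ROUTER = (40.00, -74.00)
TARGET_TRUE = (40.03, -74.00)          # ~3.3 km north of the shared router
LANDMARKS = {                          # constructed hosts of known location
    "A": (40.01, -74.00),              # ~1.1 km north of the router
    "B": (40.00, -73.97),              # ~2.6 km east of the router
    "C": (40.20, -74.00),              # ~22 km north
    "D": (42.36, -71.06),              # ~300 km away, outside the region
}


def synthetic_delay_ms(src, dst, overhead_ms):
    """Constructed delay model: propagation at SPEED plus fixed queueing cost."""
    return haversine_km(src, dst) / SPEED_KM_PER_MS + overhead_ms


ROUTER_DELAYS = {n: synthetic_delay_ms(SHARED_ROUTER, c, 0.5) for n, c in LANDMARKS.items()}
TARGET_DELAY = synthetic_delay_ms(SHARED_ROUTER, TARGET_TRUE, 0.5)
PROBES = [  # (prober location, RTT) with constructed per-hop overhead
    ((41.00, -74.00), 2 * synthetic_delay_ms((41.00, -74.00), TARGET_TRUE, 5.0)),
    ((40.50, -74.00), 2 * synthetic_delay_ms((40.50, -74.00), TARGET_TRUE, 0.2)),
]


def run_example():
    result = locate(PROBES, LANDMARKS, ROUTER_DELAYS, TARGET_DELAY)
    result["error_km"] = haversine_km(result["estimate"], TARGET_TRUE)
    return result


if __name__ == "__main__":
    r = run_example()
    print(f"candidates={r['candidates']} nearest={r['nearest']} "
          f"bound={r['bound_km']:.2f} km error={r['error_km']:.2f} km")
```

The stage-1 discs are generous on purpose: queueing and routing detours only ever add delay, so the bound errs on the large side and never excludes the true position. Stage 3 is where the real limitation shows up: two landmarks at the same delay from the router but on opposite sides of it are indistinguishable.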

207 comments

  1. implications by Hazel Bergeron · · Score: 2

    I don't know about your internet, but mine involves alternative routes to a particular physical location. Not just because that's how the Internet works, but because there are competing providers. And there are all sorts of things which delay, from WiFi to pipe congestion to intentional prioritisation to the OS having something more interesting to do.

    Although I should have stopped reading at "time it takes to send a data packet to the target" - really? How does one measure precisely this?

    1. Re:implications by Anonymous Coward · · Score: 0

      ping?

    2. Re:implications by Hazel Bergeron · · Score: 1

      No. What does ping actually measure?

    3. Re:implications by s0litaire · · Score: 1

      If it was only ping, they'd probably locate me halfway to the moon.
      The joys of multiple P2P connections on ping....

      Oh! and Geo-location puts me in a different country than i actually am ^_^

      --
      Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
    4. Re:implications by j00r0m4nc3r · · Score: 2, Funny

      My internet is just a series of tubes, so all you need to do is measure the distance the hamster travels in the tube. Simple.

    5. Re:implications by Ynot_82 · · Score: 1

      Total round-trip time
      Ping isn't a measurement in a single direction

    6. Re:implications by Anonymous Coward · · Score: 0

      Latency

    7. Re:implications by circletimessquare · · Score: 1

      it's reporter-speak for a ping

      you could do this on a webpage with some fairly innocuous javascript that keeps track of timestamps and reports back

      and yes, if you have alternate routes, this method fails. except that describes only 0.1% of internet users. for your average bloke with a cable modem opening a webpage with a speck of seemingly harmless javascript, this method should work fairly reliably

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    8. Re:implications by Rinisari · · Score: 5, Interesting

      There was that story a while back about some physicists figuring out that they couldn't send email more than 500 miles.

      Back on topic, I'll bet VPNs throw wrenches in their methods.

    9. Re:implications by jpapon · · Score: 1

      I don't see your point. It's very simple to measure the time it takes a packet to get somewhere and back.

      You seem to be under the impression that they're simply taking the speed of light and dividing by the delay to get distance. That is, of course, not what they are doing at all.

      --
      -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
    10. Re:implications by jpapon · · Score: 1

      I of course meant multiply, not divide.

      --
      -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
    11. Re:implications by Shados · · Score: 1

      Bingo. I see a lot of people already going "BUT BUT THIS DOESNT WORK WHEN (insert edge case here)."

      Even if this is 70%~ reliable at most, it would still be a marketing gold mine, where the accuracy is very low to begin with and relies heavily on loose estimation.

    12. Re:implications by gstoddart · · Score: 1

      > I don't know about your internet, but mine involves alternative routes to a particular physical location. Not just because that's how the Internet works, but because there are competing providers.

      Yeah, but in practice depending on where you live and how your ISP is set up, you'll probably find the address allocated to your cable modem is fairly static, or at least consistently within a range. I just don't think that if you're in a fairly major center this isn't already fairly well established.

      Fairly consistently, if I'm using my iPad and using anything with location-based stuff, it pretty much knows where I'm at for all but a few places I've been (and that's without 3G, purely based on my wifi).

      I also see a lot of embedded ads that know what city I'm in. Sadly, I fear that just by brute force, most possible locations for most ISPs are already fairly well mapped out and your location is already well known.

      I alternate between being creeped out by this, and liking the fact that things like Urban Spoon work when I travel.

      --
      Lost at C:>. Found at C.
    13. Re:implications by poetmatt · · Score: 1

      70%? I wouldn't even gamble on it being reliable information outside of its use as a ping. 1 kilometer can be a small range or a huge range depending on population density and whether urban vs rural.

    14. Re:implications by CastrTroy · · Score: 1

      So if you introduce some random delay in responding to pings, or don't reply to them at all, does that mean they can't figure out where you are? By introducing delay into your reply, could you fake your position to somewhere completely different?

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    15. Re:implications by circletimessquare · · Score: 1

      you have a speck of javascript on a webpage that opens an XMLHTTPRequest (AJAX) and sends a series of overlapping timestamps. you could have a couple dozen samples in the time it takes you to read this comment, average them out on the server side, include some more sophisticated methods taking into account other extraneous measurements like traffic estimates for time of day and general location, type of modem/ internet provider, etc, and get a genuinely reliable lock for any average web user sitting on any average cable modem

      this is a real game changer, for advertising, and for expectation of privacy

      so i'm going to be marketing my ping time obfuscator shortly for you in the 300 BLOCK OF SYCAMORE ROAD IN TACOMA WASHINGTON (blink, blink, blink)

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    16. Re:implications by Anonymous Coward · · Score: 0

      So, this can be thwarted by...torrenting?

    17. Re:implications by abarrow · · Score: 1

      No, because along with a simple ping, one would employ some sort of traceroute that would record the routers that a particular route used. So, if I traceroute to you once and see the routers that were used, then trace again, get the same routers, but a different round trip time, I would just assume that you are trying to fool me or your network interface is very busy.

    18. Re:implications by Anonymous Coward · · Score: 1

      1 Kilometer in marketing is a small range. Population density doesn't matter. What matters is that the person is within walking distance of .

    19. Re:implications by jhoegl · · Score: 1

      Each packet sent has a time association with it.
      You do a packet capture on one end, and a packet capture on the other.
      Ping is not needed.

    20. Re:implications by _0xd0ad · · Score: 1

      > So if you introduce some random delay in responding to pings

      Then they just have to ping you enough times and the random delay will average out.

      > or don't reply to them at all

      It doesn't necessarily have to be a ping. Any connection would work as long as you could time how long it took between sending the packet and getting a response. That said, putting a condom over your ethernet plug would probably protect you quite well.

      > By introducing delay into your reply, could you fake your position to somewhere completely different?

      You'd probably have to know the locations of the servers you were being pinged from and introduce specific delays to make it look like you were farther from the ones closest to you than you were from the ones closer to where you wanted to seem to be. Theoretically possible, at least.

    21. Re:implications by thomasdz · · Score: 2

      > My internet is just a series of tubes, so all you need to do is measure the distance the hamster travels in the tube. Simple.

      My internet is also a series of tubes, but I think mine use compressed air to send messages around...so I think you must have "dial-up" and I must have that "high speed broadband".

      --
      Karma: Excellent. 15 moderator points expire sometime.
    22. Re:implications by Anonymous Coward · · Score: 0

      That's an interesting story. Funny what happens when you let someone else into your system.

    23. Re:implications by petermgreen · · Score: 1

      It measures the time to send a packet to the target and get a reply back.

      While I could see this technique working in some cases there are several factors that work against it.

      One is jitter, afaict you can't directly measure the time from a router to the target. You can only measure the time from yourself to the router and from yourself to the target. A subtraction should yield the difference BUT only if the time from you to the router is stable.

      Things are further complicated by the fact that afaict you can only trace the outbound route of a packet and there is no guarantee that the return path will match the outbound path and more importantly in particular there is no guarantee that two users who share a router in the outbound path will take the same return path.

      Finally I don't know what internet infrastructure is like in the US but there is no way they would achieve that accuracy on average here in the UK. Too many people are on ADSL connections that are effectively tunneled to London.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    24. Re:implications by bberens · · Score: 1

      For some reason I giggled a bit when thinking about pinging through TOR. hop, hop, hop, hop, hop

      --
      Check out my lame java blog at www.javachopshop.com
    25. Re:implications by mikkelm · · Score: 2

      .. Or that one or more of the routers in the path are doing something more important than sending Time Exceeded messages, or that something big and bursty hit one of the pipes, or that the message yielded to higher priority traffic, or any of the many other things that introduce unpredictable delay across the Internet.

      The entire premise is fairly absurd in that, aside from the obvious shortcomings, it completely ignores that A) delay doesn't indicate direction, and B) most ISP access services reach at least 2 miles in any direction, and often 10 miles and more. So how does this guy propose to locate an individual when the last layer 3 hop in the path is a CMTS serving a neighborhood 10 miles to the North, and another neighborhood 10 miles to the South?

    26. Re:implications by CastrTroy · · Score: 1

      Not to mention that traceroute hasn't worked in a long time, most of the time, the routers will just not respond. I haven't been able to do a reliable traceroute in years, at least for many places I tried to trace.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    27. Re:implications by lemonfresh33 · · Score: 1

      if I add in a random amount of time delay, but you average them out, you don't find out the time to my system, but the average amount of delay I have added PLUS the time to find my system. I'll end up looking further away than you think whatever happens. The only time when averaging out would sum to zero is if I sometimes add a negative delay, and sometimes a positive delay.

    28. Re:implications by JWSmythe · · Score: 1

      I think that's why they said they could get the IP within 690 meters on average.

      You have to figure in that Google does plenty of data mining. Consider what they know about so many users. They know the name, address, phone number, and a bunch of demographics on a lot of users.

      Consider if Person A was to be located by Google. He comes from a particular subnet on a large ISP. They already know that recently active users on that subnet give a physical/mailing address at addresses within .5 kilometers of a point. They can also pretty easily judge the latency without a ping. For example, the time that a Google Adsense javascript was loaded, to the completion time of a contained element.

      There are still plenty of "edge" cases, where a user utilizes Tor (again, identifiable), VPN to another site, wireless bridging, etc.

      It's already obvious Google has a hint of where you are, if you are not blocking ads. The displayed ads are not only based on what you search for and the content of the page, but frequently give local vendors. For example, I just went to Google and searched for "Food". On the right side, it shows a little map with the center within about 10 miles of my location, and 7 named locations within 10 miles of me. The same applies for "tires" and "parts" (separate searches). I've been doing a good bit of automotive work on my own vehicles lately, and some has involved searches for vehicle specific things, so they're showing items related to my recent searches, although I specifically set my Google account to not track me. (Hmmm). Lately, I've been working on American cars, so it showed me primarily American automotive related things. When I've done work on foreign cars (such as Mercedes and BMW), the ads shift towards those types of vehicles for a couple weeks.

      So their geolocation isn't completely dependent on network items, but somewhat based on your own Internet usage. (my Google login, the Google fingerprint of my computer, Google Analytics, Adsense, etc).

      While we have plenty of edge cases, where we VPN, use Wireless bridges, etc, those are still the minority. It's just like, how many people clear their browser cache and cookies on a regular basis. Probably users here do frequently, but the total probably account for less than 1% of the general population online.

      --
      Serious? Seriousness is well above my pay grade.
    29. Re:implications by Captain Hook · · Score: 1

      Actually, since you can't randomly make the response time shorter, whatever the shortest response time they get back is going to be the most accurate.

      The best you can do is make it appear you are further away than you really are.

      Of course that actually depends on this technique working which does sound very unlikely.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    30. Re:implications by circletimessquare · · Score: 1

      my sex partner is just a series of tubes. coincidentally, a hamster is also involved

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    31. Re:implications by circletimessquare · · Score: 1

      it's a given google pretty much knows more about the average bloke than the average bloke knows about himself

      but this research demonstrates a way anyone can piggy back on google's servers and get that info for themselves as well, which ups the creep factor considerably

      furthermore, with triangulation of servers, and a bunch of pings over time, i bet you could refine the results considerably, down to one location

      it's one thing for google, some advertiser, or the feds to be able to locate you by ip. its another thing entirely for any asshole with a creepy attraction or creepy grudge to find you this way, just by getting you to visit some web page

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    32. Re:implications by rcamans · · Score: 1

      Hamsters? I want my internet upgraded to Hamsters. All I got were worms.

      --
      wake up and hold your nose
    33. Re:implications by Anonymous Coward · · Score: 0

      mmm, lemmiwinks methinks!

    34. Re:implications by _0xd0ad · · Score: 1

      > I'll end up looking further away than you think whatever happens.

      I'm not worried about how far away you seem to appear, I'm worried about the relative distances you appear to be from points A, B, and C. Given that larger distances cause larger average delays, I can triangulate your location. It doesn't matter if there's a constant added to the delay somewhere, as long as it's always the same constant after I've averaged out enough samples.

      And I'll leave alone the bit about adding a negative delay...
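
The exchange above about random added delay can be checked with a small simulation. The block below is an added example, not from the thread: it reuses the NYC/Denver/LA baseline RTTs quoted later in the discussion, inflates every sample by a uniformly random added delay (a constructed jitter model), and then asks two questions a locator would ask: which prober looks nearest under the mean, and which under the minimum over all samples. It also runs the same check with a large delay that is the same towards every prober, which is what plain high latency looks like.

```python
"""Does random added delay defeat the ranking?  Simulation of the argument
in the thread: jitter averages out, the minimum over many samples discards
almost all of it, and an extra delay that is the same towards every prober
shifts every estimate equally without changing which prober looks nearest.
Added example, not from the thread; the baselines reuse the thread's
NYC/Denver/LA figures and the jitter model is constructed."""
import random
import statistics

# Constructed baselines: true RTT from the target to three probers, in ms.
BASELINE_RTT_MS = {"NYC": 12.0, "Denver": 25.0, "LA": 50.0}


def sample_rtts(baseline_ms, extra_range_ms, n, rng):
    """n RTT samples, each inflated by a uniformly random added delay."""
    lo, hi = extra_range_ms
    return [baseline_ms + rng.uniform(lo, hi) for _ in range(n)]


def summarise(samples):
    """Two estimators a locator might use: the mean and the minimum."""
    return {"mean": statistics.fmean(samples), "min": min(samples)}


def nearest(summary_by_prober, estimator):
    """Prober with the smallest estimated RTT under the chosen estimator."""
    return min(summary_by_prober, key=lambda p: summary_by_prober[p][estimator])


def simulate(n_samples=200, extra_range_ms=(0.0, 40.0), seed=7):
    """Run the probes and report the nearest prober under each estimator,
    plus how far each estimate sits above the true baseline."""
    rng = random.Random(seed)
    summary = {p: summarise(sample_rtts(base, extra_range_ms, n_samples, rng))
               for p, base in BASELINE_RTT_MS.items()}
    excess = {p: {k: summary[p][k] - BASELINE_RTT_MS[p] for k in ("mean", "min")}
              for p in summary}
    return {
        "nearest_by_mean": nearest(summary, "mean"),
        "nearest_by_min": nearest(summary, "min"),
        "excess_ms": excess,
    }


if __name__ == "__main__":
    for label, rng_ms in (("jitter 0-40 ms", (0.0, 40.0)),
                          ("constant-ish 200-240 ms", (200.0, 240.0))):
        r = simulate(extra_range_ms=rng_ms)
        print(f"{label}: nearest by mean={r['nearest_by_mean']}, "
              f"by min={r['nearest_by_min']}")
        for prober, e in r["excess_ms"].items():
            print(f"  {prober}: mean +{e['mean']:.1f} ms, min +{e['min']:.2f} ms")
```

With 200 samples the mean excess lands near the jitter's average (about 20 ms here) for every prober, so the ordering is untouched, and the minimum excess is a fraction of a millisecond, which is why the thread's point about the shortest reply being the most informative holds. What neither estimator can undo is a delay that differs per prober, which is a different argument from the one about random delay.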

    35. Re:implications by ColdWetDog · · Score: 1

      Despite the advertising claims to the contrary, my Internet line appears to be turtles, all the way down.

      --
      Faster! Faster! Faster would be better!
    36. Re:implications by cgenman · · Score: 3, Informative

      It's easier than that. Just figure out how much energy a hamster consumes walking a mile in the tubes. Weigh them when you send them out, and weigh them again when they come back.

    37. Re:implications by cgenman · · Score: 2

      If it increases marketing responses by even 0.1%, you know it will be standard on every single web ad served up in three years.

    38. Re:implications by _0xd0ad · · Score: 2

      > The best you can do is make it appear you are further away than you really are.

      That's all you need to do. Your network's latency will already make you look farther away than you really are, so the triangulation will have to ignore it.

      If your average ping is 50 ms to LA and 12 ms to NYC, you're probably closer to NYC.

      If you're on a connection with high latency and your ping is 500 ms to LA and 120 ms to NYC, you're still probably closer to NYC.

      So if your real ping is 50 ms to LA and 12 ms to NYC, by delaying long enough before sending responses to servers in NYC it'll appear that you're closer to LA.

    39. Re:implications by JasterBobaMereel · · Score: 1

      My ISP is 100 miles from where I am ... and I am not on wireless ... ..oh you appear not to be anywhere near right ...

      --
      Puteulanus fenestra mortis
    40. Re:implications by SQLGuru · · Score: 1

      Please tell me of this magic you have that introduces negative delay in my connection. :)

    41. Re:implications by Anonymous Coward · · Score: 0

      Dude, is that a Corvette or a Viper in your driveway? It's white with a blue stripe down the center.

      Or maybe you're across the street.

    42. Re:implications by Khyber · · Score: 1

      All it takes is getting to the supposed source and re-running the test to find out you're fucking with the network traffic, and they restart the search in other areas.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    43. Re:implications by Khyber · · Score: 1

      Richard Gere, is that you?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    44. Re:implications by jd · · Score: 1

      There haven't been competing providers for a VERY long time. Not in any serious sense. Most of the Internet is one gigantic spanning tree with no redundant connections anywhere. Because of a design flaw in the BGP4+ protocol, alternative routes can also cause router flaps.

      As for your other points, use Pathchar or PChar some time. It reports to you not only the time it takes to bounce packets but the pipe congestion at each link as well. You also want to look up "Internet Weather", which reports the overall picture of congestion on the backbone.

      Combine the Internet Weather reports with the PChar findings and you can factor out all the congestion, prioritization and OS issues.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    45. Re:implications by killmenow · · Score: 1

      You know what else throws a wrench in their methods? Seven proxies.

    46. Re:implications by guruevi · · Score: 1

      It's basically triangulation with TCP or ICMP packets. It's not based on a single measurement from a single location. Let's say Google (Because they like to play where is waldo with their customers) has 100 datacenters. They measure a couple of times the time it takes from each datacenter over routers with known locations and average delays to your ISP's IP you connect from. They just keep drawing circles and the area that overlaps the most times is most likely the area you're in. Given that you or the router before you are not actively trying to obfuscate those things, on average they will be able to triangulate your location within a 1 kilometer squared (1.5 sq miles). There will always be mistakes but given that most large routing centers have a known, fixed location and an average delay between the large data centers and those routing centers plus most if not all of the wires to your house are publicly documented, you can calculate it pretty well.

      I don't know about you but usually there's about 300 houses in that area, not enough to identify you but enough to either send you a local ad or send a nuclear bomb to clear you out. If you're connecting through TOR you will be originating from different IP's anyway but they could triangulate those IP's individually.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    47. Re:implications by BuckaBooBob · · Score: 1

      Don't forget that Windows 7 and Vista do bad stuff to packets and end up increasing latency by 200+ ms, as any gamer should know... a packet can go pretty damn far in 200 ms... then as you mention link congestion/last mile technology can also increase latency as well.

      --
      Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
    48. Re:implications by Anonymous Coward · · Score: 0

      > You have to figure in that Google does plenty of data mining. Consider what they know about so many users.

      Not very much, if you don't give it to them.

      Google's geolocation believes that my computer is about 30 miles away from where it actually is. Since their incorrect location also makes them think it is in another state, there is less than zero value in the data about my location (at least as far as advertisers are concerned).

    49. Re:implications by david_thornley · · Score: 1

      Similarly, by looking at my ping times, it's possible to show that I am no more than six thousand kilometers from my ISP. I'm not sure that's good enough to find my street.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    50. Re:implications by _0xd0ad · · Score: 1

      Not if you're doing it correctly. For example, in the example I used before, suppose you're actually in Chicago and the ping times are 50 ms to LA and 12 ms to NYC. You want to look like you're in Las Vegas, and you want the ping times to look like 120 ms to LA and 500 to NYC, so you'd delay an extra 70 ms when you get pinged from LA and an extra 488 ms when you get pinged from NYC. Then suppose they try pinging you from Denver, and your real ping time to Denver is 25 ms. Vegas is closer to LA than to Denver, so you want to look like your ping to Denver is 300 ms, which means you delay an extra 275 ms when you get a ping from a server in Denver. Etc. If you do it correctly, they can't tell you're manipulating the results - just that your connection has high latency.

      So you have actual ping times, from Chicago:
      LA: 50 ms
      Denver: 25 ms
      NYC: 12 ms
      which reveals that you're about 1/3 of the way from NYC to Denver, and about twice as far from LA as from Denver.

      But the person trying to locate you sees pings of:
      LA: 120 ms
      Denver: 300 ms
      NYC: 500 ms
      giving the false impression that you're about 1/4 of the way from LA to Denver.

    51. Re:implications by bennomatic · · Score: 2

      Your poor hamster...

      --
      The CB App. What's your 20?
    52. Re:implications by Anonymous Coward · · Score: 0

      > and yes, if you have alternate routes, this method fails. except that describes only 0.1% of internet users. for your average bloke with a cable modem opening a webpage with a speck of seemingly harmless javascript, this method should work fairly reliably

      You forget the growing numbers of people out there employing VPNs and Proxies. Won't work on them, or at least, it'll return a false location.

    53. Re:implications by jonadab · · Score: 1

      > Most ISP access services reach at least 2 miles in any direction, and often 10 miles and more.

      This.

      I happen to know (approximately) where the router at the other end of our T1 line is located. It's in Columbus, more than an hour's drive south from here.

      The technique in the article might be reasonably effective against people in big cities, where everybody gets their upstream bandwidth directly from a local provider, but it's not going to work against networks with long-distance connections, which is fairly common outside the big cities. (Okay, it's not common for home users, but home users' ISPs sell geolocation info to the advertisers anyway, so they can just look you up by net block and get your zipcode.)

      --
      Cut that out, or I will ship you to Norilsk in a box.
    54. Re:implications by TheCRAIGGERS · · Score: 1

      Mod parent up. This might not be so useful for getting driving directions to the house the cute girl you're stalking lives at, but this could still be used for many other purposes like local advertising and other demographic data mining.

    55. Re:implications by Anonymous Coward · · Score: 0

      Richard Gere called, he wants his tube and hamster back.

    56. Re:implications by Khyber · · Score: 1

      As they move from known physical router to known physical router, pathways are going to change. You're going to have to know where the trace is coming from at all times. Good luck. In theory, sounds good, in practice, isn't happening.

      I've worked with law enforcement on tracking, from stray video signals looking into someone's bedroom to catching a guy in another country that was displaying child pornography. It's fairly trivial to trace, and also, once they've got your actual IP, they can just request the address of the modem attached to that IP. It's all in the records SOMEWHERE.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    57. Re:implications by jonadab · · Score: 1

      > Then they just have to ping you enough times and the random delay will average out.

      So make it pseudorandom and use the first byte of the source IP as part of the seed. That's easier to implement than true randomness anyway.

      Of course, introducing (otherwise unnecessary) latency into all your traffic does have some practical consequences that you'd have to take into consideration. The more inaccuracy you want to introduce into their ability to locate you, the longer the delays all your traffic would suffer. If you don't want the delays to be human noticeable (even when multiplied by the inherent back-and-forth of various protocols) they're going to have at least a *general* idea of your location -- but they probably would anyway, by looking up netblock owner.

      VPNs and proxies and other route-through-elsewhere setups also complicate matters.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    58. Re:implications by jonadab · · Score: 1

      > So make it pseudorandom and use the first byte of the source IP as part of the seed.

      Do note that the seed would also have to be salted with a value unknown to the attacker, which you would probably select when you set the thing up, and which you wouldn't want to change very often because changing it would give them (a small amount each time of) new information about the average delay. They could also get information about the average delay for each different /8 they could use to try to locate you. A statistician could work out what their expected margin of error would be depending on how many different /8 networks they have at their disposal, but botnets would be a threat in any case.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    59. Re:implications by _0xd0ad · · Score: 1

      This isn't about law enforcement finding somebody. Obviously if they want to find somebody they can. This is about marketers and trend researchers finding out where their visitors are coming from. It's about demographics and advertising.

    60. Re:implications by Anonymous Coward · · Score: 0

      By studying the time difference between sending a packet and its ACK, maybe. Certainly they do something meaningful in NTP to account for delays over the internet.

    61. Re:implications by jonbryce · · Score: 1

      If it is to send an ad for a local pizza delivery service, 1km is close enough wherever you are.

    62. Re:implications by JWSmythe · · Score: 2

      You know, I totally misread the article the first time around, and saw it as saying that it was a Google project.

      Triangulation doesn't really do much for you. You have to consider the routes used. I ran a side project at one job for a while, which mapped routes between our own points. Well, there is a full description here. In doing this, we had traceroutes run about once every 5 minutes.

      I had more detailed reporting that wasn't shown in the portfolio.

      In what the story is referencing, a report showing all nodes that we controlled, to a specific endpoint would be similar. What we'd see is what anyone else who has done the same thing would see. You may get a few distinct routes to the provider, but once inside the ISPs network, it'll generally go down one route. The best you could know with that is a maximum range from the edge of the ISP network to the end user. Using the Google landmark server only gives you a range from the ISP to the Google server. It's less useful as knowing the ISP edge router. Of course, if you don't know where an ISP's edge is, then this would bring it into the right vicinity. With just network information, you can identify me within the correct US Census MSA, or making me effectively one of about 3 million people. I've had a little luck identifying users locations based on IP, but that uses a machine on the same provider, at a geographical edge and watching the latency. For example with one of the providers, the machine I can use is on the far East side of the MSA. Very low latency means they're nearby, within about 10 miles in any direction. Mid-range latency (for the purposes of this, (15ms to 30ms) puts them in the middle, or a 10 to 20 mile radius towards the West. 30ms to 50ms puts them on the far side of the area. That area is bounded by water on the West side, so you don't have anyone farther west. Over 50ms means they are farther than the West boundary, which either means North or South on the Western edge.

      The network topology makes it pretty easy to visualize. I know generally (or sometimes specifically) where several routers are, and they use an extended star topology. Traceroutes are very useful there, since the end user may be doing a lot of traffic, but generally their first uplink connection won't be saturated.

      --
      Serious? Seriousness is well above my pay grade.
    63. Re:implications by DarkOx · · Score: 1

      What are you talking about, traceroute works fine. Maybe your Network Admin blocks ICMP except echo request / reply?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    64. Re:implications by PhunkySchtuff · · Score: 1

      I don't know about your internet, but mine involves alternative routes to a particular physical location. Not just because that's how the Internet works, but because there are competing providers. And there are all sorts of things which delay, from WiFi to pipe congestion to intentional prioritisation to the OS having something more interesting to do.

      Whilst your data can take any one of a number of paths as it travels across the Internet, in practice (particularly over short timescales) it will tend to take the same path each time. The routing tables will pretty much ensure that unless there's been a big change to the backbones, there is usually one efficient route to take. For instance, I ran traceroute to slashdot.org three times, each a few minutes apart and in each case my packets took exactly the same route. On the timescales that they're talking about in the article (over a handful of seconds at most) the data will tend to take the same path to geographically similar locations.

      Although I should have stopped reading at "time it takes to send a data packet to the target" - really? How does one measure precisely this?

      Have you ever used ping or traceroute?

    65. Re:implications by Khyber · · Score: 1

      All it takes is hiring a private investigator with the right connections and marketers and trend researchers can get what they need.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    66. Re:implications by Thraxy · · Score: 1

      I don't see how this is a marketing gold mine. The pizza place already put a menu in my mailbox...

    67. Re:implications by Anonymous Coward · · Score: 0

      So you're one of the assholes doing p2p over tor?

      Thanks for making life difficult for those running exit nodes.

    68. Re:implications by sjames · · Score: 1

      So hack your kernel to randomly delay ICMP responses.

    69. Re:implications by CastrTroy · · Score: 1

      Even if you don't block them, a lot of the intermediary routers seem to not respond at all. For some reason I can tracert www.google.com (9 hops), but I can't traceroute www.microsoft.com, because it starts giving "request timed out" after 12 hops. This is what I mean, while traceroute works for some, it's ineffective in tracing your route to most hosts, as a lot of intermediate nodes block it.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    70. Re:implications by EdIII · · Score: 1

      But how do you account for the smarter ones that smuggle cheese along for the trip?

    71. Re:implications by EdIII · · Score: 1

      All the more reason to move to a network similar to what TOR is trying to accomplish. I know the drawbacks of TOR, but the goal is desperately needed in the light of Net Neutrality and the attempts by government and corporations to data mine and destroy our privacy for their own self interests which in most cases are not in our own.

      It's funny that the DVR article today mentions the grocery shopping cards that keep track of your purchases. I participate with about a couple hundred other people on a single card (via phone number) to get the discounts without the tracking since a lot of us pay cash. For good reason apparently.

      The KGB article about monitoring VOIP and email is a funny example of timing here too.

      A ping time obfuscator can be implemented on a router level. Just randomize the ping times.

      I think the whole thing is bullshit to be honest. Especially with heavy usage on a connection, ping times from a single browser on a single system might vary wildly from one hour to the next in a congested system.

      In any case the javascript methods you speak of could be obvious and "fingerprinted". How long might it be till there are products or attack definitions for exactly this type of threat?

      If this is a serious threat I will bet that you will see a Chrome or Firefox plugin soon that checks the downloaded javascript for this behavior or modulates the AJAX calls in such a way that your location will not be accurate or precise. Whether or not the AJAX call is intended to do this or not is irrelevant. Most AJAX calls and even low latency applications would not greatly suffer from a 30-40ms random variance.

      I know from experience that VOIP can withstand a pretty good amount of jitter before you can really tell there is a decrease in quality.

    72. Re:implications by Anonymous Coward · · Score: 0

      However the value will converge to an approximation of the correct location (with a 1 km fudge factor), with a sufficient number of trials, for a significant subset of the standard user's internet.

    73. Re:implications by WillKemp · · Score: 1

      [........] the relative distances you appear to be from points A, B, and C. Given that larger distances cause larger average delays, I can triangulate your location.

      Bullshit! If i was multi-homed, maybe you could, but you can't if i'm not. You could maybe triangulate my ISP's router, but that could be hundreds of kilometres away from where i am.

    74. Re:implications by WillKemp · · Score: 1

      [......] here in the UK. Too many people are on ADSL connections that are effectively tunneled to london.

      Which is mostly relatively close to where they are (although not close enough to be significant). In Australia, ADSL connections can be tunneled to routers thousands of kilometres away.

    75. Re:implications by _0xd0ad · · Score: 1

      ...about every one of a few million people who visit the site.

      Right...

    76. Re:implications by _0xd0ad · · Score: 1

      Naturally it stands to reason that you can't triangulate if there's only one point to triangulate from. If every message between you and the internet passes over exactly the same segment of the route, that's as close as they could get. However apparently whoever did this study found that, on the average, that's pretty close to the person's actual location.

    77. Re:implications by lemonfresh33 · · Score: 1

      negative delay == sarcasm. I guess that didn't come across

    78. Re:implications by lemonfresh33 · · Score: 1

      negative delay == sarcasm. clearly never gonna happen- that was my point.

    79. Re:implications by kmoser · · Score: 1

      Ask the target computer's sysadmin to call you when they receive the packet and tell you exactly when it arrived.

  2. IPv6 by CynicTheHedgehog · · Score: 1

    Will the same technique work for IPv6?

    1. Re:IPv6 by SmilingBoy · · Score: 1

      Why shouldn't it? IPv4 and IPv6 are not that different. Only problem is that few web sites are IPv6 enabled currently, so you would have fewer landmark servers.

    2. Re:IPv6 by Anonymous Coward · · Score: 0

      IPv4 had nothing to do with this except that it identifies the end node. You could do the same for any network protocol.

      Hopefully people will start tunnelling their connections en masse in the near future, seeing as onion routers and darknets are becoming user friendly. Someone could figure out where an intermediary node is, and little more (unless they're at Fort Meade)

    3. Re:IPv6 by CynicTheHedgehog · · Score: 1

      I haven't done a whole lot of reading on IPv6, so I was just curious whether the increased address space leads to any difference in how routing is done. It seems that with unique public addresses and no NAT there would be more direct routes that could be taken, which would potentially mean more routers with the same address in their routing tables, which would mean more targets to check. Then, depending on congestion along various paths, one landmark may *seem* like the closest when in fact it simply has a fatter pipe going to the target.

      And then, as another poster suggested, there is tunneling and all the other additional features in IPv6, which would make it harder to do this.

    4. Re:IPv6 by jd · · Score: 1

      IPv6 creates an interesting problem, as it is fundamental to the protocol that you can transition from one ISP to another without loss of any connections and without having to use a packet forwarder. This means that under some circumstances a more accurate picture can be built with enough data (since you have to be on the border of the two ISPs) but equally it means that for the same amount of data the calculation will be less accurate because routing assumptions won't hold up. You're no longer comparing like with like.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:IPv6 by aaarrrgggh · · Score: 1

      No, it won't work for IPv6, since the speed of light is so much faster with v6.

    6. Re:IPv6 by TheThiefMaster · · Score: 1

      Real (not from a tunnel broker) IPv6 is hierarchical. This means that the first half of the address will give you a rough geolocation, and you can use landmark servers with the same prefix to go from.

      The technique should work just fine.

    7. Re:IPv6 by BitZtream · · Score: 1

      Just because there is PLENTY of address space doesn't mean it resolved the actual issue that's causing us to run out of address space.

      Routing table growth.

      If you broke everyone down into the smallest possible subnets that were needed, rather than what can be routed globally, you'd see a more than slight change in the sudden availability of address space.

      Routing table growth will still require that IPv6 addresses be summarized and broadcast as blocks of roughly the same size as now. Until all of the world's routers have many gigs of RAM to handle knowing about smaller prefixes, you won't be doing anything different with IPv6 address space than you were with IPv4.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    8. Re:IPv6 by jd · · Score: 1

      Rubbish. IPv6 is hierarchical with fixed-size subnets, which means that the absolute largest routing table you can EVER have in IPv6 is 512 entries (256 upstream, 256 downstream).

      Secondly, I'd said nothing about address space, which is an incidental feature of IPv6 and largely irrelevant - particularly in this discussion.

      IPv6 addresses don't need summarizing. You have two possible bytes that can change, one marking upstream, one marking downstream. In principle, a router need only know its address and then store just those two bytes and the corresponding port as the routing table. (Basically, this is a result of inheriting addressing ideas from TUBA - a better protocol in some respects, though a bugger to use in hardware.) In practice, you need 512x128 bits to store all the addresses you can ever directly see. The remaining gigabytes of memory you suggest are needed would then come in handy for a router-based Quake server, but that's about it.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    9. Re:IPv6 by Anonymous Coward · · Score: 0

      There are already over 1000 bgp routing table entries for v6 and over 30000 for v4

  3. Well, there goes my identity. by Compaqt · · Score: 1

    Used to be, on the Internet, no one knows you're a dog.

    I've been playing a lawyer for a long time, but I guess it's better to disclose before being found out. You heard it here first.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:Well, there goes my identity. by JohnRoss1968 · · Score: 1

      That's fair since lawyers have been pretending to be human since the dawn of time.
      (some exceptions of course including a certain Legal Eagle from the NY area that is well known here on /.)

  4. Landmark servers? by Anonymous Coward · · Score: 0

    What are the landmark servers they speak of? I can sort-of understand pinpointing someone from several different locations (much like triangulation) but I have a hard time seeing you could do this with latency from one point in space only.

    1. Re:Landmark servers? by xaxa · · Score: 1

      A server you know the location of.

      If you know the spatial location of example.com, and the route to example.net is the same except for the last couple of very short hops, you can guess they're quite close.

    2. Re:Landmark servers? by peragrin · · Score: 1

      It isn't example.com you need though.

      It is the gateway servers of a given city, combined with the internal routers of whatever the local ISP is.

      A traceroute to my home on Time Warner shows all packets route first through NY city, then Syracuse, NY and then to my home city with at least 2 different gateways in between.

      The trick is the first gateway is located in my home city and the second isn't. So you really can't narrow it down on ping times as 1 ms can be several dozen kilometers apart.

      --
      i thought once I was found, but it was only a dream.
    3. Re:Landmark servers? by BitZtream · · Score: 1

      Yea, except it doesn't take them very long to know the EXACT position of your upstream routers, at which point they can use that data to increase the accuracy of their reports.

      To go a step further, most of the layout of TWC's network is already public knowledge. For instance I already know the location of every CMTS within 100 miles of me, that in and of itself is almost enough to tell me where you are to their level of accuracy, not quite, but pretty close. Once I know the location of your CMTS, the only time I care about is the difference between communicating with your CMTS and you, and that'll tell me roughly how far from the CMTS you are. I don't care what path it takes to get to the CMTS, I know where the CMTS IS, everything before that point is irrelevant to me, and you're connected to exactly one CMTS and I know where it is.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  5. Distance not the only source of latency by Burdell · · Score: 2

    How do they expect to tell the difference between latency due to distance and latency due to protocols, encoding, etc.? For example, a local T1 might have round-trip latency in the 3-4ms range, while a DSL to the same location might be 10ms (in fast mode, even higher for interleaved). A dialup connection will be much higher, while a metro-ethernet might be less than 1ms. All those times also assume no congestion along the path.

    Since the speed of a signal in single-mode fiber is about .6 c, each 1ms difference in round-trip latency gives a 90km margin of error.

    1. Re:Distance not the only source of latency by Dan+East · · Score: 2

      Further, the best accuracy you can obtain with DSL, for example, is the radius of area served by a particular station. The DSL latency times per kilometer are in the dozens of microseconds, so it would not be possible to resolve distances within a DSL service area just by millisecond ping times. In my rural area they push DSL out at least 3 miles. So even if you consider "average" as half of that radius, that gives an accuracy of 2,400 meters. I think they claim to narrow that down by the fact that DSL stations are placed in the center of population centers.

      However, just as scary (in differing ways) is that entities like Google are able to take your position via Google Maps on your cell phone and correlate it with your wireless router's MAC address (if your phone connects to your wifi). That's how Google knows EXACTLY where I'm at even when I'm on my home PCs now. That is coupled with their wardriving efforts to map out MAC addresses directly.

      --
      Better known as 318230.
    2. Re:Distance not the only source of latency by Anonymous Coward · · Score: 0

      If you measure from multiple surrounding locations the latencies probably cancel out on average. Honestly, I'm sur

    3. Re:Distance not the only source of latency by _0xd0ad · · Score: 1

      The amount of latency inherent in your connection wouldn't matter, so long as it was fairly consistent. As long as a route of longer distance consistently returned longer ping times than a route of shorter distance, it could be inferred that you're closer to the server which can ping you quicker.

    4. Re:Distance not the only source of latency by Anonymous Coward · · Score: 0

      "However, just as scary (in differing ways) is that entities like Google are able to take your position via Google Maps on your cell phone and correlate it with your wireless router's MAC address (if your phone connects to your wifi). That's how Google knows EXACTLY where I'm at even when I'm on my home PCs now. That is coupled with their wardriving efforts to map out MAC addresses directly."

      This is wrong because your MAC address does not traverse the IP layer, i.e. only your ISP knows your MAC address.
      More likely and easier for google is to just track from which IPs accounts are logged in from, and then compare that to the gmail account on your phone.

    5. Re:Distance not the only source of latency by Albanach · · Score: 1

      This is wrong because your MAC address does not traverse the IP layer, i.e. only your ISP knows your MAC address.

      Well, sort of. Your ISP knows it, as does your PC/phone. Most wireless routers broadcast a BSSID including the MAC address of the wireless access point. Your phone/computer etc can then see the MAC address of the device it's connected to as well as those of other networks in the vicinity.

      You're correct this doesn't traverse the IP layer normally. However, Google offers a geolocation API. In using this, a device can send a list of the wireless router MAC addresses visible to it in the vicinity. Google can then look these up in their database of geolocated MAC addresses and use a form of triangulation to locate the user's position.

    6. Re:Distance not the only source of latency by Anonymous Coward · · Score: 0

      I'll go a little bit further. You can be in the same room, and the wireless connection (with some interference) can lead to consistently higher delays than a wired connection.

    7. Re:Distance not the only source of latency by sootman · · Score: 1

      Bruce Schneier is almost certainly a lot smarter than anyone posting on this page so it would be foolish to simply dismiss anything he says out of hand. OF COURSE all the subtle nuances of their work won't fit into a Slashdot summary. Don't you think it's likely that they did some testing and determined that their results had X accuracy Y percent of the time before they published their findings? This isn't just two morons BSing in a coffee shop saying "Hey, I bet we could..." and then publishing a blog post without doing any work.

      Here are two possible solutions that immediately popped into my mind and have certainly popped into theirs: 1) you could combine this with a bandwidth test to get an idea of what the user's connection is. 2) IP addresses are usually grouped, and just by IP address alone they could know if you're on dialup, cable, DSL, or a T. (Even though 3 of those 4 come through the phone company, they, too, usually group numbers--a block for dialup customers, a block for DSL, etc.)

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    8. Re:Distance not the only source of latency by Burdell · · Score: 1

      Your two solutions don't work:

      - I've seen 1.5x1.5 DSL (same base speed as a T1), and even 1.5M metroE.

      - Static IP block assignments (for DSL customers that pay for it, or any T1/metroE type connection) are not usually grouped by service (especially since customers move from one service to another, or even have multiple services for redundancy).

    9. Re:Distance not the only source of latency by Burdell · · Score: 1

      But the claim is "accurate to 1km", and latency measurement has a much too large margin of error for that.

    10. Re:Distance not the only source of latency by Anonymous Coward · · Score: 0

      What? Last time I checked your Mac isn't visible to Google over the net. How would driving around and collecting Mac addresses tell them anything?

  6. Won't work for 3G by Anonymous Coward · · Score: 0

    3G IP addresses are gateway-ed from a single location typically. My IP resolves to Oldham, UK. In reality I am 300 miles away...

    1. Re:Won't work for 3G by petermgreen · · Score: 1

      Plus at least with O2 3G connections are behind ISP level NAT.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  7. Not involuntary surely? by Anonymous Coward · · Score: 0

    Involuntary? Unless you're voluntarily providing them with millisecond-accuracy timing information as to when you exactly receive the packet they've sent (or responding to pings), the best they can hope for is a TTL expired from the router immediately prior to you to get some timing information. Which, if they know the exact location of anyway (as their technique seems to require) doesn't exactly resolve your location to any greater accuracy than contemporary methods.

  8. Location steganography by mbone · · Score: 2

    Seems like this would be easy to counteract (although at the kernel hack level). All you would have to do is introduce a 30-50 msec time variable delay into all new packet sends (i.e., ICMP responses, first packet of a TCP session, etc.).

    In fact, if you encrypt everything, you may get these sorts of delays "for free."

    Also, this will not work well if you are using encrypted tunnels or VPNs to access the web. Your delay then is (tunnel delay) + (tunnel end point to attacker delay) + (encryption delays), so you seem a good deal further away than you really are.

    1. Re:Location steganography by Anonymous Coward · · Score: 1

      Introducing a bigger delay doesn't stop your ping from being closer to a closer computer's than a farther away computer's. The initial sweep is much less important than the Google Maps Landmark server comparison. As long as you're not introducing some significant sort of chaos to your latency, the tracer can always triangulate you with three or more servers in your general area. And if you can't be caught on the initial sweep, they can triangulate with three or more servers in a huge range around you.

      That being said, this will pretty much give an accurate location of where your proxy is if you're using one. So that method of obscuring your location seems like it should still hold.

    2. Re:Location steganography by mbone · · Score: 1

      Well, if you are going to introduce an arbitrary delay to foil geolocation, it should certainly be a random delay.

      However, I think that even a constant delay (or a tunnel) would still work pretty well.

      Suppose I am using a tunnel, and the tunnel delay is 20 msec, and the tunnel end point is in Boston. Now, they can certainly find out that the lowest latency is for a probe from Boston, and so Boston is "closer" to me than LA or Seattle or Washington. But, they cannot be sure that this means that

      - I am in Boston and injecting 20 msec of constant delay or
      - I am somewhere else (say in upper Vermont) and my network routing goes through Boston (with or without injecting an arbitrary delay), and it just happens that there is not a "landmark" router near me.
      - I am 20 msec from Boston and using a tunnel.

      Given that 20 msec (one way) spans the continent, and that a 40 msec round trip delay is not perceptible in VOIP, it seems that this could hide you pretty effectively.

      Also, note that it would be pretty trivial to vary the latency in a software tunnel.

    3. Re:Location steganography by Anonymous Coward · · Score: 0

      Seems like this would be easy to counteract (although at the kernel hack level). All you would have to do is introduce a 30-50 msec time variable delay into all new packet sends

      You mean, like using Windows?

    4. Re:Location steganography by Anonymous Coward · · Score: 0

      By doing so, you just increase the search area, but you're still inside it.

    5. Re:Location steganography by mbone · · Score: 1

      So? You can already assume that I am on the planet. If I increase the search area to 200 msec, you won't be able to be much more precise than that. I don't see how a geolocation to "Earth" is doing you any good.

    6. Re:Location steganography by sabt-pestnu · · Score: 1

      The problem with this is that you are further away from *everywhere*. That is, you are further away from all landmarks equally. For all intents and purposes, then, you are saying you are "straight down" from where you really are. Even then, you are only affecting the last leg of the route. You only have limited control over who you directly connect to, and that would seem to provide the maximum bound over which you have control. Of course, if you have a single link to the outside world through your data center *elsewhere*, you can only be localized to the radius of that link.

      Introducing a variable delay doesn't help the case unless the variable depends on the path. Enough samples can average the delay, thus negating the effect of a random delay.
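
      As an added worked example (my own Python, not code from sabt-pestnu, mbone, Burdell or the researchers), the following simulates the sampling argument made in the comments above: it converts a round-trip time into a distance bound using Burdell's figure of roughly 0.6c for fibre (about 90 km per millisecond of RTT), then shows that a uniformly random pad is filtered out by keeping the fastest of many probes, while a constant pad such as mbone's tunnel shifts every estimate by the same amount and only ever makes the target look farther away. The probe samples are constructed, and the uniform jitter model and the 0.6c speed are assumptions rather than measurements.

```python
import random
import statistics

# Propagation speed in single-mode fibre, taken from Burdell's figure of
# roughly 0.6 c: about 180 km per millisecond one way, so each millisecond
# of round-trip time corresponds to about 90 km of one-way distance.
C_FIBER_KM_PER_MS = 0.6 * 299.792458


def rtt_to_distance_km(rtt_ms):
    """Upper bound on one-way distance implied by a round-trip time.

    A round trip covers the path twice, so halve the RTT before converting.
    Any latency that is not propagation delay (serialisation, queueing,
    DSL interleaving, deliberate padding) inflates this bound.
    """
    return (rtt_ms / 2.0) * C_FIBER_KM_PER_MS


def simulate_probes(base_rtt_ms, n, jitter_ms=0.0, offset_ms=0.0, seed=1):
    """Constructed RTT samples for a hypothetical target (assumed model).

    base_rtt_ms : the 'true' propagation RTT
    jitter_ms   : random extra delay, uniform in [0, jitter_ms] per probe
    offset_ms   : constant extra delay (e.g. a tunnel or a fixed pad)
    """
    rng = random.Random(seed)
    return [base_rtt_ms + offset_ms + rng.uniform(0.0, jitter_ms)
            for _ in range(n)]


def estimate_distance_km(samples, method="min"):
    """Distance estimate from a set of RTT samples.

    'min' keeps the fastest probe (the usual choice, since queueing and
    jitter only ever add delay); 'mean' averages every probe.
    """
    rtt = min(samples) if method == "min" else statistics.fmean(samples)
    return rtt_to_distance_km(rtt)


def estimation_error_km(base_rtt_ms, n, jitter_ms=0.0, offset_ms=0.0,
                        method="min"):
    """How far the estimate lands from the true propagation distance."""
    true_km = rtt_to_distance_km(base_rtt_ms)
    samples = simulate_probes(base_rtt_ms, n, jitter_ms, offset_ms)
    return estimate_distance_km(samples, method) - true_km


if __name__ == "__main__":
    base = 10.0  # ms RTT, roughly 900 km of fibre
    print("each 1 ms of RTT = %.0f km" % rtt_to_distance_km(1.0))
    print("one probe, no padding: error %.1f km" % estimation_error_km(base, 1))
    # Random jitter of up to 50 ms: a single probe can be off by ~4500 km, but
    # the minimum over many probes converges back towards the true value.
    for n in (1, 10, 100, 1000):
        print("jitter 0-50 ms, %4d probes, min-filter: error %.1f km"
              % (n, estimation_error_km(base, n, jitter_ms=50.0)))
    # A constant 20 ms pad survives any amount of sampling: every estimate is
    # shifted by the same ~900 km, which only makes the target look farther.
    print("constant 20 ms pad, 1000 probes: error %.1f km"
          % estimation_error_km(base, 1000, offset_ms=20.0))
```

      Run it directly to see the error shrink as the probe count grows under random jitter and stay fixed under a constant pad. The practical reading is the one sabt-pestnu gives: a random pad has to be large and path-dependent to survive repeated sampling, whereas a constant offset (or a tunnel) cannot be averaged away but also cannot make you look closer than you are.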

    7. Re:Location steganography by Anonymous Coward · · Score: 0

      Leave it to Slashdot to take a conversation about networking and TCP/IP and turn it somehow into a typical anti-Microsoft rant. Congratulations other Anonymous Coward, you are officially a SlashSheeple!

    8. Re:Location steganography by Anonymous Coward · · Score: 0

      Well, neither side can actually pick the exact route their packets take. This geolocation approach just tries to discover the routes using times to servers with known locations. It presumes the delay to you is similar to the delay to the closest known machine to you. It doesn't tell those machines to ping you and then report the results back. A delay (constant or variable, as long as it's large enough) will defeat the technique.

      However, someone could build a botnet (legitimate or otherwise), and then use this geolocation technique *on the bots* to find out where the bots are. Then have the bots ping you and report back. Google could do this itself, since it does own the landmark servers already. But then, if you've already set your machine up to stuff in extra latency, you probably also already set it up to not respond to any unexpected packets, so it still won't work on you.

  9. This is why... by fotoguzzi · · Score: 1

    ...I connect to the internet with a 15 km fibre optic cable.

    --
    Their they're doing there hair.
    1. Re:This is why... by VolciMaster · · Score: 1

      ...I connect to the internet with a 15 km fibre optic cable.

      In the middle of the LHC Token Ring, eh?

  10. Marco Polo by HikingStick · · Score: 2

    So, in reality, they figured out a way to use ping responses the way kids at the lake (or pool) play Marco...Polo.

    I wonder how many they had already kicked back when they came up with their idea?

    Don't get me wrong--it's cool tech, but I continue to be amazed by how so many "new" technologies simply mimic things that already exist in other parts of life. Kudos to the researchers. I think I'd rather spend time at the lake.

    --
    I use irony whenever I can, but my shirts are still wrinkled...
  11. Similar Technique used 20 years ago by cavreader · · Score: 5, Interesting

    Back in the early 80's a Physics grad student at Berkeley was working in their data center and noticed a discrepancy in user usage statistics and started investigating. He was able to isolate the user ID of the unauthorized user by analysing the usage statistics. At the time the user statistics were used for billing computer time. The user was basically trying to use the Berkeley system as a proxy for attacks on other systems. He eventually spliced into the network to intercept packets containing the User ID in question and calculated the amount of time it took for those packets to complete a round trip to determine the geolocation of the person hacking into the system. At first he thought he was wrong because his calculations based on signal response time said the unauthorized user was 6000 miles away. He later discovered the calculation was correct and the hacker was located in Germany. He published a book called "The Cuckoo's Egg" with all the details. It is a really good book.

    1. Re:Similar Technique used 20 years ago by Anonymous Coward · · Score: 1

      Clifford Stoll is the author (https://secure.wikimedia.org/wikipedia/en/wiki/Clifford_Stoll), and that was my first thought too.

      My second thought was that I can use the Tor network to geolocate myself to the moon (and beyond).

    2. Re:Similar Technique used 20 years ago by TheCarp · · Score: 1

      I don't believe there are currently any onion routers on the moon and... tor connections typically have plenty of latency, no need to add a lunar round trip anywhere in the circuits.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Similar Technique used 20 years ago by Anonymous Coward · · Score: 0

      well it was, until you ruined the ending for me! thanks

    4. Re:Similar Technique used 20 years ago by klui · · Score: 1

      I missed your point until I was watching the Nova documentary that discussed the subject.

      1. The person used Kermit to transfer his data and Cliff Stoll measured the packet delay.
      2. His initial data for the latency was 3 seconds and he used this delay to calculate that the individual was somewhere on the moon.

      http://www.youtube.com/watch?v=v1swbLfrP6g

    5. Re:Similar Technique used 20 years ago by Anonymous Coward · · Score: 0

      I don't remember him calculating location based on latency. He worked with law enforcement and the phone companies to trace the call back to Germany. The last leg of the trace was hard, because the hacker kept disconnecting before it could complete, so he created a honeypot of files that would interest the hacker and take a long time to download.

    6. Re:Similar Technique used 20 years ago by Raenex · · Score: 2

      Clifford Stoll is the author (https://secure.wikimedia.org/wikipedia/en/wiki/Clifford_Stoll), and that was my first thought too.

      And he's on Slashdot occasionally, too:

      http://slashdot.org/~Cliff+Stoll

    7. Re:Similar Technique used 20 years ago by Anonymous Coward · · Score: 0

      "The Cuckoo's Egg" is a great book. I've got to go read that again -- I'd forgotten the bit about his "miscalculation".

    8. Re:Similar Technique used 20 years ago by cavreader · · Score: 1

      It's been a while since I read the book so I am not sure about the details but his method worked.

    9. Re:Similar Technique used 20 years ago by xandroid · · Score: 1

      Cliff Stoll was a sysadmin at Berkeley, not a grad student.

      --
      $ echo "ceci n'est pas une pipe" | sed -Ee 's/(eci n|pas )//g'
    10. Re:Similar Technique used 20 years ago by Anonymous Coward · · Score: 0

      And when the loop came back he found the hack was coming from inside the lab. DADADA

  12. amateurs by Anonymous Coward · · Score: 0

    The government just log into server backdoors mandated in all domestic ISPs, and extract node locations directly.

    1. Re:amateurs by Anonymous Coward · · Score: 0

      Right, or through the backdoor in Windoze ..... hold on I forgot to put on my foil hat. . .. .

  13. i see 2 points cropping up in the comments: by circletimessquare · · Score: 4, Interesting

    1. "my connection is too weird/ unique/ confabulated/ etc..."

    yes, but you are 1% of internet users. the average bloke on a cable modem is reliably caught with this method

    2. "there is traffic/ no way to ping/ etc..."

    you have a speck of javascript on a webpage that keeps track of timestamps, opens an AJAX XMLHttpRequest and pings a lot, and the server averages things out. voila: you could get 60 samples in the time it takes you to read this comment, and therefore a good lock on your location

    INCOMING...

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:i see 2 points cropping up in the comments: by black3d · · Score: 1

      the average bloke on a cable modem is reliably caught with this method

      Well, the average bloke is narrowed down to 1km, that's still a good 50-100 residential properties, and no way for the "attacker" to know which, so this attack on its own doesn't do much. This coupled with perhaps someone's surname and a telephone book, might get a hit for a malicious attacker, but a lot of folks don't list in telephone books anymore. Ahh.. who knows. It might be useful for something. :)

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    2. Re:i see 2 points cropping up in the comments: by Anonymous Coward · · Score: 0

      1... yada, yada, yada.......THAT's RIGHT! and as one of those 1 per cent, I say, NYAH, NYAH, NYAH!!!

    3. Re:i see 2 points cropping up in the comments: by _0xd0ad · · Score: 1

      the average bloke is narrowed down to 1km, that's still a good 50-100 residential properties, and no way for the "attacker" to know which, so this attack on its own doesn't do much

      It'd be plenty good for showing him ads for restaurants and stores that he'd probably drive past on a regular basis, though.

    4. Re:i see 2 points cropping up in the comments: by circletimessquare · · Score: 1

      i think you could do better than that by triangulating with different servers and averaging out over time

      i think law enforcement/ counterterrorism/ etc. could make good use of this methodology. yeah, those guys could just subpoena the ip address, but in time sensitive issues, this is a pretty neat trick

      heck, your average stalker weirdo with access to a number of servers in different farms/ colos either because of his job or just because he's a very committed stalker weirdo could do this

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    5. Re:i see 2 points cropping up in the comments: by circletimessquare · · Score: 0

      congratulations. paranoid schizophrenia has an upside

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    6. Re:i see 2 points cropping up in the comments: by mikkelm · · Score: 2

      How does this get +5, Interesting?

      How far do you think that this "average bloke" on a cable modem is from his CMTS? How far in any other arbitrary direction do you think that another "average bloke" with a CM in the same addressing pool is from the same CMTS?

    7. Re:i see 2 points cropping up in the comments: by circletimessquare · · Score: 1

      say i control a number of servers under the same domain, and i use a simple script to run many pings quickly. can't i correct for errors and refine the technique researched here and resolve you apart from your neighbor?

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    8. Re:i see 2 points cropping up in the comments: by mikkelm · · Score: 2

      No. Not realistically possible even with a single CMTS feeding a single neighborhood.

      Completely impossible is telling your location apart from another customer on the same CMTS, in the same addressing pool, topologically located as far from the CMTS as you are, but in the opposite direction. Unless your electrons carry a compass.

    9. Re:i see 2 points cropping up in the comments: by Anonymous Coward · · Score: 0

      you have a speck of javascript on a webpage..

      What's fucked up about this whole topic, is that you're talking about a situation where your computer contacted someone else's, then your computer downloaded a javascript program, then your computer executed that program, and people are using the word INVOLUNTARY?

      WHAT. THE. FUCK.

      If this is involuntary, then I submit to you that no computer user has ever committed any voluntary act.

    10. Re:i see 2 points cropping up in the comments: by circletimessquare · · Score: 1

      ok, thanks, that's useful. i understand what a ring is. so you can narrow it down to 2 possibilities then? i mean a ping time is a ping time, right?

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    11. Re:i see 2 points cropping up in the comments: by mikkelm · · Score: 1

      What you can narrow it down to, if you're conducting your delay measurements from an external network, is that the IP address /might/ be leased to a CM that's somewhere within a radius of 20 miles from the CMTS. Then you need to figure out where the CMTS is.

      This kind of accuracy is already being achieved by regular location databases.

    12. Re:i see 2 points cropping up in the comments: by circletimessquare · · Score: 1

      why doesn't the ping supply info about location past the CMTS? assuming you could lock someone down to a particular CMTS, you could infer what portion of that ping time is due to travel beyond the CMTS to the CM, no? i understand one ping isn't reliable. but if you were talking about a scheme where you were bouncing off a number of servers and averaging out over say, 60-120 pings, with extraneous traffic, time of day, and internet provider recon mixed in, you could have reliable data, no?

      but you are correct about location databases: that seems just as useful if not more useful than this google server piggyback scheme this research mentions

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    13. Re:i see 2 points cropping up in the comments: by mikkelm · · Score: 1

      Ping certainly could provide information about /delay/ past the CMTS, assuming that the delay between the source system and the CMTS is constant and predictable, but you cannot know where the target CM is located past the CMTS merely by examining delay from an external source. One interface on a CMTS can provide service to hundreds of homes, many miles apart, so you have absolutely no way of knowing whether two CMs to which the measured delay is identical are in neighboring houses, or equally far from the CMTS in opposite directions. Additionally, the network past the CMTS is a pure broadcast medium, meaning that congestion introduced by any of dozens of customers locked on the same frequency can introduce variations in delay. There are simply too many interfering factors to derive location from delay with an accuracy any better than the methods available today.

    14. Re:i see 2 points cropping up in the comments: by Khyber · · Score: 0

      "you have a speck of javascript on a webpage"

      I run NoScript, your attack is rendered 100% fucked.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    15. Re:i see 2 points cropping up in the comments: by circletimessquare · · Score: 1

      alright, you schooled me, thanks

      i assumed that it's just a ring past a CMTS, so you have 2 options, rather than 1. however, you are telling me the topology past a CMTS is more variable. additionally, the most useful piece of info you tell me is that if a neighbor starts downloading a movie, or the other neighbor starts playing WoW, variances in ping time become completely meaningless from one day to another, one hour to another, or even one second to another

      got it, case closed, this method is useless

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    16. Re:i see 2 points cropping up in the comments: by Khyber · · Score: 1

      I see I've touched a nerve with my impeccable correctness.

      Too bad. NoScript, the way to remain safe on the internet.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    17. Re:i see 2 points cropping up in the comments: by Anonymous Coward · · Score: 0

      If you're a law enforcement agency, it might be enough to get you a warrant to tap all data flowing through the nearest three telecomms hubs in the area, leading to a much higher chance of user identification than if you didn't know where in a country to start looking.

  14. Thank you by Anonymous Coward · · Score: 0

    This should be helpful.
    Time to make some people not-so-anonymous.

    But seriously, this arrives at a time where people have been increasingly joining the Anonymous Collective to stand up for internet freedom.
    A time where DDoSing is at an all time high equally.
    This now makes IPs a weapon for those being attacked.

    This also makes me wonder if Sony will try to use this against those DDoSing their networks due to buttmad pirates.
    Oh, don't take that as me agreeing with their attempts to see who viewed the videos or twitter information though, continue making everyone know of this and that it is, in no way, showing that someone was aiding any sort of hackery.
    Quite a few people who never even had a PS3 almost certainly watched those videos, merely from curiosity or to laugh.

  15. Google Landmark Server? by Anonymous Coward · · Score: 0

    What is a Google Landmark Server?

    1. Re:Google Landmark Server? by Waffle+Iron · · Score: 4, Funny

      What is a Google Landmark Server?

      Always on the lookout for more places to put their server farms, Google has a deal with the National Park Service to rent out unused space in national landmarks. For example, the Washington Monument is hundreds of feet tall, but it has almost no windows. It would be a waste not to fill up the lower floors with server racks. The same goes for other buildings that have no other practical function, such as the Lincoln Memorial and Grant's Tomb.

      Unfortunately however, unless a deal is reached within the next few hours, all those servers will probably have to go offline tonight at midnight.

  16. What an unfortunate name. by ikarys · · Score: 0

    "We shrink the size of the area where the target potentially is" says Wang. What an unfortunate name.

    1. Re:What an unfortunate name. by Anonymous Coward · · Score: 0

      It's pronounced "wong", you insensitive clod.

    2. Re:What an unfortunate name. by ikarys · · Score: 1

      Damn, I got it Wong. :(

  17. Nothing new by Anonymous Coward · · Score: 0

    I've been doing this for years as a hobby. Latency, combined with some general information about the area, the ISP in question, the last mile transmission medium (dsl, cable, cellular, fiber), you can narrow an IP address to a neighborhood. That's about it. I would say a lot farther than 690 meters. It's still funny to scare people on IRC and claim you know where they live, using a little bluffing & social engineering.

    This method works best in developed countries for numerous reasons too long to type.

    If it were possible to narrow down where people live to 690 meters, guess who would have done it already? -Adultfriendfinder. Cuz' you know-there are just so many horny single girls in Lansing, Michigan!

  18. It may just find your ISP by Geeky · · Score: 1

    All the location based adverts I see in the UK (mainly "hot girls in are waiting for you", but I digress...) seem to centre on the location of my ISP's data centre.

    The only routers visible to the outside world will be upstream of my ISP. Latency might tell someone how far I am from them +/- the distance from my ISP, but last time I looked my ISP blocked ping anyway.

    I would imagine this would apply to the majority of UK DSL users.

    --
    Sigs are so 1990s. No way would I be seen dead with one.
    1. Re:It may just find your ISP by Anonymous Coward · · Score: 0

      It's the same for me, location based ads think I'm 200 miles away from my place, that's a long way to go for 'hot girls'.

    2. Re:It may just find your ISP by Geeky · · Score: 1

      Indeed. They'd be cold by the time you got there.

      --
      Sigs are so 1990s. No way would I be seen dead with one.
  19. As a Tor User, I'm on the Moon by Anonymous Coward · · Score: 1

    I figure that with the Tor router latency, this system will geolocate me as being on the moon.

  20. Triangulation? by denyingbelial · · Score: 1

    I haven't rtfa'd, but wouldn't they employ a form of triangulation? pings from three land-mark servers (or more) to help pinpoint which it's closest to and by how much? I mean, triangulation is pretty precise and the encryption, connection type, etc, wouldn't affect it as much since it wouldn't be an issue of how long it takes, but how long it takes to reach from one server compared to the other. I can't shake the feeling they are using the ratios converted to distance, not the latency directly. The summary kinda suggests they use just one server-to-target connection to do the estimate, but that doesn't sound very plausible.

  21. Bad Internet Connections FTW by bill_mcgonigle · · Score: 1

    Good luck, boys, my cable modem is two miles from the house.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Bad Internet Connections FTW by drinkypoo · · Score: 1

      Being able to find your repeater is as good as finding you... Now if you have multiple hops with directionals only on your side then it could take them a minute...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Bad Internet Connections FTW by bill_mcgonigle · · Score: 1

      Yeah, I'm almost 20 devices, 4 houses, and multiple VDSL/802.11 conversions away from the Internet connection. One of the VDSL lines is buried and goes over a ridge.

      But, really, I'd give up any anonymity that provides for a cable or DSL line to the house - doing tech support for your neighborhood after an ice storm sucks.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Bad Internet Connections FTW by Anonymous Coward · · Score: 0

      in what direction?

  22. so where is the demo? by LWATCDR · · Score: 1

    I want to try this out and see how they do. Every other geolocation service I have tried puts me miles from where I am at. I take that back infosniper.com may have gotten it exactly right. They only show the town but the marker was right on my office.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    1. Re:so where is the demo? by Anonymous Coward · · Score: 0

      Same, no chance it'll locate me.

      It'll locate my city, but me? Not a chance. And to a 690 meter radius, not a chance.

    2. Re:so where is the demo? by LWATCDR · · Score: 1

      Try infosniper.com it was only a few hundred meters off.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  23. how accurate? by ruiner13 · · Score: 1

    I assume that like most places, the cables aren't direct lines from A to B, so an accurate judge of distance seems hard to do. Cable length, perhaps... but coiled wires, vertical spans, and other runs of cable would seem to skew the judge of distances based on packet times. Am I wrong? Wouldn't that at least introduce a large margin of error? What about packet buffering?

    --
    today is spelling optional day.

    1. Re:how accurate? by jd · · Score: 1

      ICMP isn't significantly buffered (although all packets are buffered to some extent) and the law of large numbers suggests that the cable length issue will be the same for all possible paths given enough hops and enough paths, so will simply fall out of the equation given enough directions. You couldn't use triangulation on two paths, but the errors caused by such variation should fall off (albeit asymptotically to some minimum error - which seems to be 1 km) as the number of paths increases.

      My guess is that, in practice, you'd have to square the number of paths to halve the error (above the minimum error obtainable) in the calculation.

      In other words, interesting in theory, but due to a lack of redundancy a totally useless in practice observation.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
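An added illustration serving two points made above: mikkelm's, that two modems at the same cable distance on opposite sides of the CMTS produce the same delay, and jd's, that measurement error falls off only slowly with more samples. This is example code, not from the research or from either commenter; the propagation speed and the exponential jitter model are assumptions, labelled in the code.

```python
"""Added illustration (not code from the research or any commenter): how far a
round-trip time constrains a location, and why averaging does not get a
cable-modem user down to the kilometre. Propagation speed and the jitter
model are assumptions, labelled below."""
import random
import statistics

# Assumption: ~2e8 m/s (about two thirds of c) is the usual rule of thumb for
# signal propagation in copper or fibre.
PROPAGATION_M_PER_S = 2.0e8


def rtt_to_max_distance_m(rtt_s, v=PROPAGATION_M_PER_S):
    """Upper bound on distance: pretend the whole RTT was straight-line propagation."""
    return rtt_s / 2.0 * v


def propagation_rtt_s(cable_m, v=PROPAGATION_M_PER_S):
    """Pure propagation RTT for a cable run of cable_m metres (out and back).

    Two modems at the same cable distance in opposite directions from the
    CMTS give the same value; delay alone carries no bearing."""
    return 2.0 * cable_m / v


def simulate_rtts(cable_m, n, backbone_s, jitter_mean_s, rng=None):
    """Constructed RTT samples: fixed backbone delay + propagation + queueing jitter.

    Queueing on the shared last-mile segment is modelled as exponential
    (an assumption; real congestion is burstier, which only widens the error).
    A fixed seed keeps the demo reproducible."""
    if rng is None:
        rng = random.Random(7)
    prop = propagation_rtt_s(cable_m)
    return [backbone_s + prop + rng.expovariate(1.0 / jitter_mean_s) for _ in range(n)]


def estimate_cable_m(rtts, backbone_s, jitter_mean_s):
    """Best-case estimator: subtract a perfectly known backbone delay and the
    mean jitter, then convert what is left into cable length."""
    residual_s = statistics.mean(rtts) - backbone_s - jitter_mean_s
    return residual_s / 2.0 * PROPAGATION_M_PER_S


def resolution_limit_m(jitter_mean_s, n):
    """One-sigma distance uncertainty left after averaging n jittered samples.

    For an exponential distribution the standard deviation equals the mean,
    so the standard error of the mean is jitter_mean_s / sqrt(n)."""
    stderr_s = jitter_mean_s / n ** 0.5
    return stderr_s / 2.0 * PROPAGATION_M_PER_S


if __name__ == "__main__":
    print(f"2 ms RTT bounds the target to {rtt_to_max_distance_m(0.002) / 1000:.0f} km")
    print(f"1 km of cable is only {propagation_rtt_s(1000) * 1e6:.0f} us of RTT")
    rng = random.Random(7)
    # two modems, equal cable distance, opposite sides of the CMTS
    for side, cable_m in (("east", 3000), ("west", 3000)):
        samples = simulate_rtts(cable_m, 120, backbone_s=0.020, jitter_mean_s=0.002, rng=rng)
        est = estimate_cable_m(samples, 0.020, 0.002)
        print(f"{side}: cable {cable_m} m -> estimated {est:.0f} m from 120 samples")
    print(f"120 samples with 2 ms mean jitter leave +/- "
          f"{resolution_limit_m(0.002, 120) / 1000:.0f} km (one sigma)")
```

The numbers are the point: one kilometre of cable is about 10 microseconds of round trip, while two milliseconds of mean queueing jitter averaged over 120 probes still leaves roughly 18 km of one-sigma uncertainty, and that is with the backbone delay known exactly.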
  24. Won't work if the ISP PoP isn't nearby by Guspaz · · Score: 1

    I have DSL. My ISP's closest PoP is over 500KM away in Toronto (I'm in Montreal). My PPPoE session is carried over an L2TP tunnel; my first hop is 500KM away. This is actually a very common scenario for anyone in Ontario or Quebec, since that's how all DSL in the region works. If you're on Bell Canada, your PoP is probably in the same city, but if you're using a wholesaler, it's probably not. Because the lowest possible latency to me is in Toronto, that's where this technique would see me.

    As such, it'd be impossible for anybody to geolocate me down to 1KM, or even 100KM. Every geolocation service I've ever tried has pegged me as being 500KM away. You might suggest that they could calculate my distance to Toronto based on last-hop latency plus known DSL fastpath latency and figure out that I'm in Montreal as it'd probably be the only major intersecting city at that distance. The problem with that is that the last-hop latency depends on too many factors, such as connection speed, connection type, interleave depth...

    1. Re:Won't work if the ISP PoP isn't nearby by Anonymous Coward · · Score: 0

      I have DSL. My ISP's closest PoP is over 500KM away in Toronto (I'm in Montreal). My PPPoE session is carried over an L2TP tunnel; my first hop is 500KM away.

      Well, I am pretty sure we can find you now.

    2. Re:Won't work if the ISP PoP isn't nearby by Em+Adespoton · · Score: 1

      I used to have the same situation... At best, they could have figured out that my location was precisely 2084 miles away from Toronto. For reference, that could place me in 2 Canadian provinces, 2 Canadian territories, Mexico, Panama, or even Venezuela.

  25. you could triangulate by circletimessquare · · Score: 1

    Same-Origin-Policy enforcement in the AJAX means the javascript can't hook out to other servers... unless you control 3 or 7 or 37 different servers in different farms/ colos under the same domain name. the distant servers couldn't receive the info, but you could have each server fire in cycle, and have one receiving server take the timestamps in. so with a heavy rotation of pings over a brief period of time, and a bunch of different servers to triangulate ping times over time, and some extraneous info like traffic estimates/ internet provider/ etc., i bet you could get an exact location that would resolve itself in a couple of seconds with good accuracy

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:you could triangulate by Anonymous Coward · · Score: 0

      Same-Origin-Policy enforcement in the AJAX means the javascript can't hook out to other servers... unless you control 3 or 7 or 37 different servers in different farms/ colos under the same domain name.

      So then, it only works if you're a major ad network.

    2. Re:you could triangulate by Phaeilo · · Score: 1

      While AJAX has the Same-Origin-Policy you can load an image- or script-file from any domain you want.

  26. Could Add-on Stop This? by Anonymous Coward · · Score: 0

    If you're using JavaScript to AJAX a timestamp (via Date object I'm assuming), could you make a Firefox addon that essentially zeros out the millisecond accuracy of the Date object? I.e., force the Date object to always return 1000 rounded numbers when calling getTime() function. Good luck calculating an accurate ping time from that, eh?
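An added illustration of the timestamp-rounding idea in the post above (example code, not from the post and not an actual Firefox add-on): a constructed clock is rounded to whole seconds and a timing script's view of one round trip is computed from it. It also carries the check a defender wants before relying on this: averaging readings over many start phases recovers the rounded-away delay, which is why coarsening a timer is normally combined with randomisation rather than used alone.

```python
"""Added example (not from the post and not an actual Firefox add-on): what
rounding a script's timestamps to whole seconds does to a round-trip
measurement, and the caveat that averaging over many samples recovers the
rounded-away value."""

GRANULARITY_MS = 1000  # "only return multiples of 1000" from getTime(), per the post


def coarsen(ms, granularity_ms=GRANULARITY_MS):
    """Round a millisecond timestamp down to a multiple of granularity_ms."""
    return (ms // granularity_ms) * granularity_ms


class FakeClock:
    """Constructed, controllable clock so the demo is deterministic and offline."""

    def __init__(self, start_ms):
        self.t = start_ms

    def now(self):
        return self.t

    def advance(self, ms):
        self.t += ms


def measure_delta(clock, true_delta_ms, granularity_ms=None):
    """What a timing script observes: a timestamp before and after a request.

    With granularity_ms=None the script reads the fine clock; otherwise every
    reading is coarsened, as the proposed add-on would do."""
    if granularity_ms is None:
        read = clock.now
    else:
        read = lambda: coarsen(clock.now(), granularity_ms)
    before = read()
    clock.advance(true_delta_ms)  # the "network" takes true_delta_ms to answer
    return read() - before


def measured_deltas(true_delta_ms, granularity_ms=GRANULARITY_MS):
    """Sweep every start phase inside one bucket and collect the coarse readings.

    Any single reading is 0 or granularity_ms, but the fraction that lands on
    granularity_ms equals true_delta_ms / granularity_ms, so the mean leaks it."""
    return [measure_delta(FakeClock(phase), true_delta_ms, granularity_ms)
            for phase in range(granularity_ms)]


def mean(xs):
    return sum(xs) / len(xs)


if __name__ == "__main__":
    fine = measure_delta(FakeClock(12345), 37)
    print("fine clock reports:", fine, "ms")                     # 37
    samples = measured_deltas(37)
    print("distinct coarse readings:", sorted(set(samples)))      # [0, 1000]
    print("mean over all start phases:", mean(samples), "ms")    # 37.0
```

A single rounded reading says nothing about a 37 ms round trip, which is the effect the post is after; a script that repeats the measurement and averages gets the 37 back, because the request's end lands past a second boundary in exactly 37 of every 1000 start phases.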

  27. Youngsters by Anonymous Coward · · Score: 0

    If you are just now hearing about Cliff Stoll, get off my lawn!

    (Oh, and did you hear about the kid who's got cancer and wants to collect greeting cards?)

    1. Re:Youngsters by mbone · · Score: 2

      If you are just now hearing about Cliff Stoll, get off my lawn!

      But not before I tell you about these investment opportunities in blocked Nigerian accounts !

  28. Network Topology by mbone · · Score: 1

    Note that it is not enough that there is a "landmark" router physically near you, it also has to be near you from a network topology sense. It doesn't help geolocation much if the museum next door has a landmark router if the peering point between your networks is 1000 km away.

    Now, if you are in a city on a major ISP, this is likely not to be a problem. If, on the other hand, you are out in the country, then there is unlikely to be a landmark router near, and if there is one, it is quite possibly on a different network, with a peering point many miles away. For example, many university extension campuses connect back to the main University NREN, and all Internet traffic then goes through one or two "GigaPOPs" in the state. So, even if there is a university extension next door, it is likely to help with geolocation much.

    So, I predict that this will not be good to anything like 1 km accuracy away from major cities.

  29. Old news by Anonymous Coward · · Score: 0

    FBI has been doing this for well over a decade, even offers software for many years now to banks and other financial companies to insert this right into the transaction processing stream. For example, sites that take money for online casinos and live-sex-cams use it to know where you were when you bought chips, so they can get a decent rate with credit card companies since those transactions have higher dispute rates than average.

  30. So now Schneier can find Scoble by thisisauniqueid · · Score: 0
  31. WiMax by Anonymous Coward · · Score: 0

    I can turn my antenna to have poor reception, and can have 1000-2000+ms pings when desired (or 29ms when aligned properly).

    If not working with the ISP to measure signal direction and strength, it would be near impossible to actually determine my location within a 10 km radius, or it'd show as being somewhere around the tower (which is 5km away).

    Even with help from the ISP, it's still not exact as there are some directions to point the antenna that the signal happens to 'bounce' the right way or is picked up by a different tower.

  32. So, with ICMP responses blocked... by TrentTheThief · · Score: 1

    ... and sitting behind the mystical, seven anonymous proxies, the method is useless to find anyone actually smart enough to properly operate a computer.

    I suppose it'll be helpful to find the average user who's playing at cyberstalking or sending threatening emails.

  33. Without using Visual Basic? by Provocateur · · Score: 1

    Color me skeptical.

    heck i was going for the cheap shot

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  34. Ha ha, joke's on you! by One+Louder · · Score: 1

    We don't use the metric system in the US! You'll never find me!

  35. or you could by fuckamonkey · · Score: 1

    just use this ... http://tracr.net/. It uses data collected from companies you do business with online. I think it uses a logic that goes something like this: X number of people purchasing dildos from dildosales.com gave an address on Blah Blah Road and had an IP address in subnet 10.1.1.x therefore you must be near Blah Blah Road if you are in subnet 10.1.1.x.

  36. How big a bomb for 345m radius? by unil_1005 · · Score: 1

    I'm sure we have some that are non-nuke.

  37. Hogan's Heroes by ThatsNotPudding · · Score: 1

    With this method, they could have finally found that coffee pot.

  38. Sounds like he is using ICMP by SilverJets · · Score: 1

    Ok, so he is using ping. Who in their right mind still allows their computer to respond to ICMP requests?

    1. Re:Sounds like he is using ICMP by Chuck_McDevitt · · Score: 1

      Well, for example, anyone using a tunnelbroker to enable IPv6 support. Since the tunnelbroker uses it.

  39. Route This Tomato! by Zephiris · · Score: 1

    Well, my router has defaulted to NOT respond to pings in the default configuration for years. Finally, there's a good reason not to, but seriously, even the known TCP/UDP traceroutes require an open inbound port on both the end host, and the same(?) on every intermediate host.
    There's no good reason to have ping (and hence traceroute) enabled.
    You're far more likely to have your IP address and/or your MAC address located by street address via Google, because 'everyone' tends to have unsecured wifi now.
    Ignoring the facts of fast GPU-driven encryption cracking for wifi purposes, don't use unsecured wifi, and don't use your real MAC address for wifi.
    It seems like RFID, they ignored predictions on technology advancement, so now anyone with enough hard drive space (by far the limiting factor, last I checked) and a $5 wifi adapter can crack any 'encrypted' wifi (except apparently RADIUS, maybe), but spending a few hundred dollars, is 'easy' if you're interested in looking at everyone's stuff, whether for creepy personal motives or profit.
    Another reason to only use SSL or SSL+tor when on wifi.

    --
    "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
    1. Re:Route This Tomato! by BitZtream · · Score: 1

      Well, my router has defaulted to NOT respond to pings in the default configuration for years.

      Good for you, of course, that doesn't actually accomplish anything useful. If someone wants to flood you, not responding to PINGs isn't going to stop them, and all you've done is make it more difficult to find out if your host isn't responding without having nmap handy, which will probably figure it out regardless of what you've set your firewall up to drop. Turning off ICMP just shows a general lack of understanding of the problems you're attempting to fix. Turning off ICMP broadcast responses is another story, but just dropping icmp ping responses outright is silly in general, breaks a bunch of crap (or at least makes it sit there waiting for a time out, unless you only block echo related packets, in which case the other ICMP packets can be abused equally as well).

      There's no good reason to have ping (and hence traceroute) enabled.

      No one worth mentioning has used ICMP echo or trace requests for traceroute functionality in god knows how many years. ICMP trace requests can only hold something like 8 hops anyway (could be wrong about the exact number, been years since I bothered looking at it since it's unused). Most traceroutes nowadays use a tcp connect or udp packet with a TTL of 1 to start with, send a few packets (multiple so you can detect multipath), then get the TTL expired message back from the first hop, and increase the TTL to 2 and send the next couple of packets, rinse repeat until you get to your destination giving you a response. The only way to stop these is to block ICMP TTL, which causes other problems, and shouldn't be done.

      If you want to play nicely on the Internet, you shouldn't be outright blocking ICMP, that just shows why people shouldn't be playing with things they clearly don't understand the functionality of. If you want to rate limit ICMP responses in order to deal with DoS attacks, sure I get that, but flat out dropping all ICMP is just stupid and you deserve the shitty network responses you get because of it.

      The IP Google got in their travels is going to be internal to the wifi network, almost certainly using common non-routable address space ... and shared by every other dinky little home wifi router/nat/gateway device sold as well as all of those people who use private address space within the organization. It's almost certainly useless for geolocation in almost every case. Remember, they weren't broadcasting, only listening, so they'd have no way of seeing your external interface address. In order to get that data, they'd need to send a packet outbound, through your network, to one of their servers in order to see what address it appeared to come from. That would have been a very clear criminal violation. They didn't do that. They just listened. Any charges/lawsuits against them because of their listening are just for the sake of suing Google in order to make some lawyers money, the people suing are too stupid to realize that broadcasting in clear to everyone near you is a stupid idea, equivalent to announcing all your conversations in your home via loud speakers that broadcast it down the block attached to the outside of your home.

      Any MAC addresses picked up by Google are also worthless. The MAC address doesn't leave the local subnet with IPv4. It would be up to your browser to find and send that information to them in order for it to be useful. I'm not aware of a way to get the MAC address of a machine via javascript, so that rules it out as useful. If we were talking IPv6, the mac address would be marginally useful ... maybe. Default implementations as a general rule just use the MAC for that part of the address, but that will certainly change in the future once people start using this sort of thing to their advantage as unique identifiers.

      So basically, nothing useful in what you mentioned was gained from Google's roaming around. What THEY got o

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
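An added illustration of the TTL mechanism described in the comment above (a constructed model, not any real traceroute implementation and not code from the commenter): each router in a sample path decrements the TTL and answers an expired probe with ICMP Time Exceeded, and the destination answers the probe itself unless it filters that probe type. The sample path and host names are made up for the example. It shows what each filtering choice hides: dropping ping at the end host blanks only the final line for ICMP probes, while a router that filters outbound Time Exceeded appears as `*` for every probe type.

```python
"""Added illustration (not any real traceroute implementation): a constructed
model of TTL-based path discovery, to show which filtering choice hides what.

Each router decrements the TTL; a probe whose TTL reaches zero is dropped and
answered with ICMP Time Exceeded by that router. The destination answers the
probe itself in whatever way the probe protocol expects (echo reply, TCP
response, or ICMP Port Unreachable for UDP), unless it filters that type."""
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    sends_time_exceeded: bool = True  # False: filters outbound ICMP Time Exceeded


@dataclass
class Host:
    name: str
    # probe types this host still answers; "echo" = ICMP echo request (ping)
    answers: frozenset = frozenset({"echo", "udp", "tcp"})


def send_probe(path, dest, ttl, proto):
    """One probe with the given initial TTL.

    Returns (responder name, reply kind), or (None, None) when nothing comes back."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router.sends_time_exceeded:
                return router.name, "time-exceeded"
            return None, None  # router silently dropped the expired probe
    # the probe survived every hop and reached the destination
    if proto in dest.answers:
        return dest.name, "reply"
    return None, None


def traceroute(path, dest, proto, max_ttl=8):
    """Classic algorithm: TTL 1, 2, 3, ... until the destination itself answers.

    A hop that never answers shows as '*', as the real tool prints it; when the
    destination never answers the run ends only at max_ttl."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, kind = send_probe(path, dest, ttl, proto)
        hops.append(responder or "*")
        if kind == "reply":
            break
    return hops


# Constructed sample path: four routers, one of which filters Time Exceeded,
# and a target that drops ping but still answers UDP and TCP probes.
SAMPLE_PATH = [Router("home-gw"), Router("isp-edge"),
               Router("isp-core", sends_time_exceeded=False), Router("peer")]
PING_BLOCKED_HOST = Host("target", frozenset({"udp", "tcp"}))


if __name__ == "__main__":
    print("icmp echo:", traceroute(SAMPLE_PATH, PING_BLOCKED_HOST, "echo"))
    print("udp      :", traceroute(SAMPLE_PATH, PING_BLOCKED_HOST, "udp"))
```

Run against the constructed path, the ICMP-echo trace lists the first two routers, a `*` for the router that filters Time Exceeded, the peer, and then nothing but `*` because the target never answers echo; the UDP trace is identical up to the peer and then names the target, since only the final reply depends on the probe type.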
    2. Re:Route This Tomato! by Zephiris · · Score: 1

      Wow, that comes off as angry, snarky, and generally trollish for putting words in my mouth. Where did I say anything about 'turn off all ICMP'?

      Windows uses ICMP for traceroute, Linux uses UDP packets, a few separate utilities use TCP. None of which trace very far with that disabled and active iptables firewall on the router. It disables echo, maybe traceroute, not ICMP in general. Using a variety of ICMP, UDP, and TCP online tools (I don't have a handy unix shell available right now, try again tomorrow), tracing to my public IP, with it allowed gets everything right quickly. Switch that one thing off, not one of the traces completes, some trace to completely different IPs and 'fall off'. All take a long time (1 to 25 minutes).

      Can I get other, useful ICMP types? Yes. Do I have any reliability, latency, or speed issues with ICMP, TCP, or UDP, of any variety whatsoever? No.
      The only other ICMP message with security implications (as far as I'm aware) is redirect, which is scarcely used for anything good anymore, at least on residential ISPs. Some ISPs block ICMP echo altogether upstream due to worms of the past using it as a popular technique (and congesting everything to hell).
      Other than that, for IPv4, aren't only Unreachable and Time Exceeded generally used anymore for actual usage? Probably won't get "Header Parameter Problem" unless you're experimenting with the IP stack itself.
      I don't know -as- much about ICMPv6, but it looks like there are 4 useful error messages, and 7 useful information messages, not counting echo; it's useful for infrastructure and servers to have echo on, not for home users who don't need to be pinged directly to see if they are alive.

      DoS attacks are illegal, very obvious, and ISPs don't like it. I don't know what brought on THAT comment. I'm not particularly concerned about that, because I can be pretty sure they won't be getting access to my information if they're flooding theirs, and that tends to get law enforcement involved really quickly. If somebody keeps my piddly little desktop offline for a day, they get to go to jail. Even if my ISP might possibly be too dumb to filter it at the edge of the network (or at the source if in-network)... jail for them, a mild inconvenience for me. Somehow, I'm okay with somebody that stupid not being my problem.

      Google collected a lot of data. It's beyond inane to assume they couldn't (or wouldn't) have obtained other details, when -I- can do so with a commodity bargain router and a few utilities (all of which can run on the router itself and don't involve 'breaking' or accessing anything, just passively listening). On open networks, everything's transmitted in the clear. YOU don't have to log in, if you can watch somebody else do so. I don't think Google cares that much, and isn't that nefarious. But it's purely naive to assume that just because Google got away with it, others aren't interested in information you transmit.

      This is frigging Slashdot, isn't it common knowledge to secure your data (as best as possible) over a completely untrusted, and insecure network, notoriously vulnerable to external snooping from anyone with a $5 USB plug and a computer from the last 10 years? It's not some kind of national security thing, but I don't exactly feel comfortable with a hotel manager (or someone in the neighborhood if I were dumb enough to run an unsecured router for my own use) reading my personal correspondence with relatives and friends. That's a very basic privacy and trust issue, not one of location finding. It's also common sense.

      There are a number of proofs of concept (http://samy.pl/mapxss/ for instance) showing that you can use javascript to determine public MAC information, and street address, using Google's own tools, but not requiring any sort of 'privileged' access to anything whatsoever. More than one person I knew had been able to locate their exact street address because their router had at one time been broadcasting. That one doesn't use a public IP address, but the MAC address. Assuming

      --

      "A Goddess rarely smiles for she is forced by others to be an island unto herself." - Zephiris
  40. N0rt3lL0v3 by Anonymous Coward · · Score: 0

    B0mbaClat

  41. Close only counts with hand grenades... by Anonymous Coward · · Score: 0

    ...and horseshoes is what my Dad always said.

  42. Agreed by marcus · · Score: 1

    Considering some extremes...

    Using the satellite link on my RV, he'd only be able to resolve my position down to a hemisphere (actually you can do better than that, but not by his techniques).

    Using the packet radio available to hams, there would also be considerable variation, perhaps even a day-night cycle of delay times.

    My friend has a wifi link that spans part of a lake. It's at least 1000 yards (greater than my laser rangefinder can measure). He shares service with a friend on the other side who, due to the geography, cannot get DSL.

    --
    Good judgement comes from experience, and experience comes from bad judgement.
    - W. Wriston, former Citibank CEO
  43. Re:Involuntary Nullification by Anonymous Coward · · Score: 0

    a blast from the past! Thanks, Smidge204... I mean, 207. :)

  44. A more precise method... by HenryKoren · · Score: 1

    This method of obtaining geolocation is far more precise:

    http://geolocation.kmz.me/2011/04/08/geolocation-gone-terrible-with-googles-help-black-hat-hackers-can-pinpoint-web-users-via-javascript-xss/

    Although it's probably going to be far less accurate, as it requires a known router type with a default internal IP and default password. Not to mention it requires a router that has been located on Google Street View.

  45. New Scientist! by WillKemp · · Score: 1

    Just the usual bullshit from Schneier! I read New Scientist every week and I know they know very little about networking and are even less capable of writing coherently about it. It's a good magazine, but the journalism very often sucks. Of course Schneier's silly enough to quote their misconceptions.

  46. But if I tether... by niftymitch · · Score: 1

    But if I tether my laptop via my phone, my IP address maps to someplace multiple time zones away. Marketing wants to at least get the zip code right because mobile is a more impulsive market.

    Recently some of the new HTML5 folk are frobnosticating on location protocols... and how to bypass or manage the user controls associated with location data.

    Part of the issue has to do with the quality and locality of the numerous landmark servers used for reference. As others noted, most routers do not respond to ping or other ICMP packets that do not originate from a management center (NOC). And the location is more and more being considered a classified tidbit of info to keep the bad guys from knowing where resources are located in any locality.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.