Tracking a Specific Machine Anywhere On The Net

Zonk posted more than 9 years ago | from the not-the-sandra-bullock-movie dept.

Security 470

An anonymous reader writes "An article on ZDNet Australia tells of a new technique developed at CAIDA that involves using the individual machine's clock skew to fingerprint it anywhere on the net." Possible uses of the technique include "tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces."

470 comments

Fingerprinting (5, Insightful)

BWJones (18351) | more than 9 years ago | (#11844981)

Ph.D. student Tadayoshi Kohno said: "There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting ... without the fingerprinted device's known cooperation."

This dissertation will get this dude himself a position with the NSA. Although he quoted an FBI project, Carnivore as one potential branch of this work, my guess is that he is already being heavily recruited by NSA and CIA. They have more resources than the FBI to grab somebody like this, and would be smart to try and recruit him. Hey Tadayoshi.....you want a job?

Seriously. While lots of folks have been looking at ways to hard code the IP address within the hardware, this is a more impressive (and unique) way of looking at the problem. Everything has a signature of sorts that can be tracked (skin plumes, small molecular phenotypes, genetics, acoustic signatures, thermal signatures, etc....etc....etc...), and Tadayoshi simply decided to examine those small variations built into electronic devices to fingerprint hardware. Very clever, but of course nanomanufacturing is the counter to this technology. I say of course, but the "arms race" to do that is not an insignificant achievement. Tadayoshi's technology will absolutely have some significant staying power.

Re:Fingerprinting (5, Insightful)

lgw (121541) | more than 9 years ago | (#11845133)

Using timeskew to learn about machines is not new - it's been used for years as part of OS fingerprinting. This application is pretty insightful, however.

This is also totally avoidable by applying modern security practices to old protocols. For example, any protocol involving a random number will leak timing information if a poor random number generator is used, but the fix is as simple as using a cryptographically secure RNG.

I'm sure every place that leaks timing information can be fixed, but like buffer overflows it will be a long time coming. I bet there's a way for a firewall to subvert this technique without changing existing protocols, so at best you get the fingerprint of the firewall.

Re:Fingerprinting (0)

Anonymous Coward | more than 9 years ago | (#11845181)

"There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet."

He discovered nmap? http://www.insecure.org/ [insecure.org]

Re:Fingerprinting (2, Interesting)

dickeya (733264) | more than 9 years ago | (#11845204)

That's if Google doesn't get him first. From the sounds of their recruiting policy they may be right up there with some of the government agencies, maybe even beyond.

I can see it now....
gLocate (beta) - Find Your Computer... Anywhere!

Paper and technical details are here: (5, Informative)

JohnGrahamCumming (684871) | more than 9 years ago | (#11844993)

http://www.cse.ucsd.edu/users/tkohno/papers/PDF/

John.

nothing to see here (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11844995)

move along

why did I get this message when I clicked on the story? and I had to remove the tid=123blabla to see the story?

Re:nothing to see here (0)

Stanistani (808333) | more than 9 years ago | (#11845026)

Knock, knock, neo...

They know where you are.

Get out while you still can.

This can be good... (5, Interesting)

TedTschopp (244839) | more than 9 years ago | (#11845004)

I have a co-worker who just got her laptop stolen. Now if the computer could be tracked when the jerk logs it into the Internet, that would be helpful in tracking the guy down.

Ted Tschopp

Re:This can be good... (3, Insightful)

evilviper (135110) | more than 9 years ago | (#11845122)

This is the kind of thing that is only useful in the short-term, as criminals will quickly learn to easily and cheaply swap-out the time-keeping devices (quartz crystal) on notebooks. Or just by changing the date/time, or running NTPD on the machine...

In addition, it's really of no use to mere mortals... No way is the FBI/NSA going to spend a second looking through their logs to help you catch a small-time criminal. It's only of help for those who have great political importance, and for companies who want to track you...

Re:This can be good... (2, Informative)

Rei (128717) | more than 9 years ago | (#11845215)

... or, in Linux, modify your kernel source to mess with your TCP packet writing code (I doubt it will take that long for such a patch to come up). Or, if you're writing a new application, use libnet, do raw packet writing, and either don't use Option 8 or lie when you write it.

This is really only a way to get people who are unprepared and not expecting to be snooped on.

Re:This can be good... (1)

Placido (209939) | more than 9 years ago | (#11845274)

>> Or just by changing the date/time, or running NTPD on the machine...
Would that help? I'm not 100% sure what clock skew is but I would have thought that it depended on the difference between two timestamps rather than the actual date/time.

Re:This can be good... (0, Flamebait)

Darkman, Walkin Dude (707389) | more than 9 years ago | (#11845128)

Absolutely. I'm sick and tired of scr1pt k1ddies and spammers using hacked machines and IRC botnets to loot the internet at will. The anonymous aspects of the internet are in many ways a blessing, but like all good things it can be far too easily abused. If a malcontent is in a country where your legal system can't touch him or her, can you use this "fingerprint" to lock them out of your network without having to close off whole IP ranges?

Re:This can be good... (-1)

Anonymous Coward | more than 9 years ago | (#11845139)

Do you really think he keeps a log of his jerks??

Sorry, it's been one of those days!

Re:This can be good... (1, Interesting)

Reignking (832642) | more than 9 years ago | (#11845146)

Like any of these [google.com] products...

Re:This can be good... (1)

stinerman (812158) | more than 9 years ago | (#11845260)

... and as all things that can be good, it will only be used for evil.

Net (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11845008)

Machines can be located on the internet? News at 11.

Dangers with licence activation (5, Interesting)

Harodotus (680139) | more than 9 years ago | (#11845012)

Several points here. If true, it could be used to devastating effect in licensing / activation programs. Many publishers view downloading software onto multiple machines as proof of violating single-machine license agreements, while at the same time allowing multiple downloads of that software to ease the customer service burden from "It didn't work when I first tried to download it" calls. If somebody were to buy such a package and then download it to his desktop and then later to his laptop, this kind of fingerprinting would allow the publisher to catch him.

From TFA, it says that:
The technique works by "exploiting small, microscopic deviations in device hardware: clock skews." In practice, Kohno's paper says, his techniques "exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device's clock skew and thereby fingerprint a physical device."

This sounds to me like firewalls would have to be modified to intentionally hide this data and remove this difference in timestamp calculations (the firewall generates both and back translates when doing NAT). So it's just a call for yet another firewall patch. Can the firewall vendors patch and globally implement faster than this privacy exploit can be exploited? I would hope so at least.

Re:Dangers with licence activation (4, Insightful)

msaulters (130992) | more than 9 years ago | (#11845097)

I'd like to know what are the chances of two, three, or more machines having the same clock skew? The article says that in their test, the clock skew was discernible for otherwise identical systems, but he has a minuscule data sample compared to the hundreds of millions of devices now out there. This would cause MAJOR headaches when activation fails because some other system has the same clock skew as yours.

Re:Dangers with licence activation (-1, Redundant)

SoTuA (683507) | more than 9 years ago | (#11845188)

Better yet, implement a patch that randomly skews the clock a bit more. Buh bye, telltale clock skew.

How about this though? (2, Funny)

WordODD (706788) | more than 9 years ago | (#11845013)

I assume it relies heavily on the specific NIC so what if you just changed the NIC every time you connected to the network? Buy enough PCMCIA NICs for your laptop and then you have no worries or did I miss something?

Re:How about this though? (1)

xv4n (639231) | more than 9 years ago | (#11845051)

what if you just changed the NIC everytime you connected to the network?

No. What you want to change is the CPU itself.

Re:How about this though? (0)

Anonymous Coward | more than 9 years ago | (#11845083)

I thought the identification was derived from all parts in one machine totaling up to make one unique identifiable asset.

Re:How about this though? (0)

Anonymous Coward | more than 9 years ago | (#11845086)

Completely missed the point ;-) The timestamp is generated by your PC's internal clock. Better to aggressively sync to a master NTP server, that should throw them!

Re:How about this though? (4, Insightful)

BWJones (18351) | more than 9 years ago | (#11845092)

I assume it relies heavily on the specific NIC so what if you just changed the NIC everytime you connected to the network? Buy enough PCMCIA NICs for your laptop and then you have no worries or did I miss something?

You assume incorrectly and are missing the point of this technology. Buy all the PCMCIA cards you want and you will still be able to be tracked with this technology. Essentially, it relies on "clock skewing" which means that when a CPU cycles, there are minor nano differences in the architecture of it that induce slight variations in the timing of the clock at various points throughout the CPU. When expanded out to the entire system, CPU, motherboard, peripherals, the differences become more complicated, but unique and thus easier to establish a unique signature.

Re:How about this though? (0)

Anonymous Coward | more than 9 years ago | (#11845135)

so wouldn't changing the FSB or Multiplier fix this?

Re:How about this though? (1)

BWJones (18351) | more than 9 years ago | (#11845192)

so wouldn't changing the FSB or Multiplier fix this?

Not working out the math or knowing exactly what Tadayoshi has done, I cannot say for sure, but I am inclined to believe that the resulting signature would be a harmonic or some multiple of the original and still easily able to be identified by adding a function that searched possible variations along any simple modifiers.

So all you w4r3z d00ds out there. (1)

scenestar (828656) | more than 9 years ago | (#11845014)

So all you w4r3z d00ds out there. THE RIAA/MPAA IS GONNA PWN Joo

Unanonymousing? (1, Funny)

Anonymous Coward | more than 9 years ago | (#11845022)

unanonymousing, or identifying?

Obligatory bash quote (5, Funny)

natrius (642724) | more than 9 years ago | (#11845027)

hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

Re:Obligatory bash quote (3, Funny)

nocomment (239368) | more than 9 years ago | (#11845088)

reminds me of this [techweb.com].

Wouldn't it be easier (0)

slungsolow (722380) | more than 9 years ago | (#11845040)

Wouldn't it be easier to just look at the MAC address on the NIC. It is completely unique and the internet is just a gigantic network.

Re:Wouldn't it be easier (1)

Pfhreakaz0id (82141) | more than 9 years ago | (#11845094)

MAC's can be modified. There are NICs that allow MACs to be modified, for instance. Also, my firewall allows its MAC to be modified. It even has a handy function to clone the MAC from your NIC.

Re:Wouldn't it be easier (1)

ajw_h (732374) | more than 9 years ago | (#11845101)

If you call completely unique trivial to change to a different value of your choosing, then yes it would be easier.

Re:Wouldn't it be easier (1)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#11845105)

It would be, in most cases, however it is still possible to change one's MAC address, so that wouldn't work too well, especially when trying to track technically-knowledgeable types and criminals.

Re:Wouldn't it be easier (1)

jmpvm (6160) | more than 9 years ago | (#11845107)

In theory they are unique, but in practice they may not be. Also, MAC addresses are easily spoofed.

Re:Wouldn't it be easier (2, Informative)

conteXXt (249905) | more than 9 years ago | (#11845123)

ok I'll repeat this.

MAC ADDRESSES ARE NOT UNIQUE TO THE INTERNET.

on a single segment local lan, yes you can be fairly sure they are unique (but not indelible)

MAC addresses are trivial to change, spoof, alter, randomize.

In other words:
mac based security, isn't.

Re:Wouldn't it be easier (0)

Anonymous Coward | more than 9 years ago | (#11845138)

Wouldn't it be easier to just look at the MAC address on the NIC. It is completely unique and [drum-roll] trivial to spoof!

Re:Wouldn't it be easier (1, Informative)

Anonymous Coward | more than 9 years ago | (#11845143)

not really... MAC's operate at layer-2, and thus would not make it past the first router. In addition, MAC's are easily changed.

Re:Wouldn't it be easier (2, Insightful)

beerman2k (521609) | more than 9 years ago | (#11845273)

That's a good point. There's no reason a computer can't be on the internet and have no concept of a MAC...

Re:Wouldn't it be easier (1)

bagel2ooo (106312) | more than 9 years ago | (#11845144)

There are a number of problems with that. MAC addresses can be spoofed at least behind the firewall (even in some cases with static arp tables.) Also, the smaller nic manufacturers have been known to have MAC address collisions even as low as 1 in 12 (which I've personally witnessed on some bad deploys for clients by other companies.) Then there is getting the arp information from the firewall/router they are behind.

Re:Wouldn't it be easier (1)

Tenebrious1 (530949) | more than 9 years ago | (#11845151)

Wouldn't it be easier to just look at the MAC address on the NIC. It is completely unique and the internet is just a gigantic network.

MAC addresses can easily be changed or spoofed. MAC addresses also do not get sent beyond the local segment, so you won't find a computer's MAC address on any packets beyond the first router.

Re:Wouldn't it be easier (1)

Jonathan_S (25407) | more than 9 years ago | (#11845152)

Wouldn't it be easier to just look at the MAC address on the NIC. It is completely unique and the internet is just a gigantic network.

Not really. First you could trivially hide your computer by swapping out the NIC. New NIC = new MAC address.

And second placing your computer behind NAT hides its MAC address from anything upstream. They can only see the MAC address of the NAT device. (Which is also usually easy to change, in order to work with ISPs who attempt to lock the connection to the MAC address of the first network card to use it)

This new idea is supposed to be able to identify individual computers behind NAT and, apparently, since it relies on the motherboard's hardware clock skew it should also still ID a computer even if the NIC is swapped out.

Re:Wouldn't it be easier (1)

nocomment (239368) | more than 9 years ago | (#11845179)

Not completely unique. They can be modified, they are hidden by firewalls and can only be seen by others on your same logical network. Not only that, but vendors re-use MAC's all the time. Though they usually send those cards to other places of the world.

So no, tracking by MAC is completely useless outside your own LAN.

Doesn't work that way (4, Informative)

V. Mole (9567) | more than 9 years ago | (#11845195)

A) the MAC address is available only on the last segment. Or rather, it's at the ethernet (not IP) level, and it's used to direct packets along a particular segment. It changes all the time as a packet moves through the internet, or even disappears completely if you go through an ATM cloud or some such.

B) Most (or at least many) devices allow you to change the MAC address. There are good reasons for doing this.

Re:Wouldn't it be easier (2, Informative)

conteXXt (249905) | more than 9 years ago | (#11845230)

root@lappy64 program # ifconfig eth1 down
root@lappy64 program # ifconfig eth1 hw ether de:ad:be:ef
root@lappy64 program # ifconfig eth1 up
root@lappy64 program # ifconfig
eth1 Link encap:Ethernet HWaddr DE:AD:BE:EF:00:00
inet addr:192.168.1.207 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::dcad:beff:feef:0/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1183198 errors:31 dropped:0 overruns:0 frame:0
TX packets:1015816 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1198811021 (1143.2 Mb) TX bytes:216844240 (206.7 Mb)
Interrupt:10 Base address:0xa800

So... (5, Interesting)

gowen (141411) | more than 9 years ago | (#11845042)

Here's what I don't see. Let's say:
i) most (say, 75%) of internet-connected computers have clock correct to within a couple of minutes.
ii) Few TCP timestamp clocks bother with a click time shorter than 1ms.

That means that 75% of the computers must be mapped to a space containing 4*60*1000 = 240,000 unique items.

Now, surely there are more than a quarter of a million computers on the Net, so how will this enable us to track a device uniquely?

Re:So... (1)

msaulters (130992) | more than 9 years ago | (#11845125)

I agree... very good point.

However, it's one piece of data that can be added to other pieces of data to uniquely identify you.

Re:So... (2, Interesting)

Fred_A (10934) | more than 9 years ago | (#11845127)

Besides nowadays XP and major Linux distributions seem to enable NTP by default so the clock drift would be way lower than a couple of minutes for most machines...

So while the idea is theoretically interesting, I'm not sure it's of any practical use.

Re:So... (5, Insightful)

Laurentiu (830504) | more than 9 years ago | (#11845252)

If you search for computers on the whole net, that may well be the case. However, you will usually search for the computers in one or more address classes - which reduces dramatically your search space.

Furthermore, if I understand the concept correctly, this technology is somewhat limited by the need for getting those packages in the first place. You must be somewhere on the line and actively listen. You could use this in a honeypot network to see if you were attacked by the same guy, but from different IP addresses. You could eliminate the quasi-privacy that a dynamic IP address is currently associated with. But you won't catch that pesky kiddie that rerouted his attack through 10k zombies. You won't catch the professional hacker that knows what a SSH gateway is. And you won't catch the "terrorist" that uses iCafe computers anyway.

ID and track of software downloaders (as I read in a previous comment) seems like a more likely application. But even that can be foiled by a determined user.

Easily avoidable? (5, Insightful)

DarkHand (608301) | more than 9 years ago | (#11845044)

Wouldn't very slight randomizing of packet timestamps completely nullify this method?

Re:Easily avoidable? (2, Insightful)

demi (17616) | more than 9 years ago | (#11845103)

My guess is OpenBSD will have this or a similar countermeasure pretty soon.

Re:Easily avoidable? (-1)

Anonymous Coward | more than 9 years ago | (#11845196)

clock skew has caused me problems in the past, now it will stop bottom inspectors from tracking me. The world's gone insane I tell you!

Re:Easily avoidable? (0)

Anonymous Coward | more than 9 years ago | (#11845271)

Yes, as long as it's not random for each packet -- then they could just gather a larger sample set to statistically determine the skew. A random increment applied to each connection would work though.

AH! (2, Interesting)

kc0re (739168) | more than 9 years ago | (#11845046)

So the government has finally figured out a way to track us all no matter where we go, behind any amount of device, no matter what. AFAIK, this is already being done using different methods, (read: not clock skew)

Extremely interesting, and logical. "Microscopic" differences in hardware clock timing. One must wonder if more can be thought of. Chipset timings in nic cards... quantum tcp theory...

Your Rights Online (1)

WormholeFiend (674934) | more than 9 years ago | (#11845047)

just disappeared completely.

(I mean your actual rights, not the /. category)

Re:Your Rights Online (1)

Atzanteol (99067) | more than 9 years ago | (#11845165)

Yep. There they go. I'm not even allowed to post this comment now. Or to say that George Bush is a moron and doesn't deserve to be president.

Wow, I hate this new fascism. Why do I bother writing this? Nobody will ever see it now that my rights on-line are gone...

Slashdot is Slipping (5, Funny)

commodoresloat (172735) | more than 9 years ago | (#11845050)

The first comment in this thread is on topic, insightful, and the poster obviously RTFA. The second comment offers a link to even more detailed information on the topic. Is this really slashdot or did I visit the wrong site?

Re:Slashdot is Slipping (-1)

Anonymous Coward | more than 9 years ago | (#11845155)

Your post makes a sarcastic jab at the Slashdot readership.
QED
It's really Slashdot.

Re:Slashdot is Slipping (0)

Atzanteol (99067) | more than 9 years ago | (#11845187)

No, it's still slashdot [slashdot.org].

The "knee-jerk" reactions are a bit late on this one though. Now it just needs to be modded up to "+5 insightful."

for windows user (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11845052)

use a simple, free, NTP client and tell it to resync your clock every hour or so, and you are safe :)
Use either the service built-in one in w2k+, else I recommend Atomic TimeSync [analogx.com], check also their other freeware, some are pretty neat!
PS: no, I do not work for them!

Re:for windows user (3, Informative)

demi (17616) | more than 9 years ago | (#11845213)

It doesn't help. They're not tracking time error or system time but clock skew. Essentially if a clock is supposed to tick once every second, they're measuring the deviation of the clock from that ideal.
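An added example, not part of the original thread and not the paper's code: a constructed simulation of two points made in the replies above, that the measurement is the clock's drift rate and not its setting, and that per-packet random noise averages out over a larger sample. It uses an ordinary least-squares fit (this example's choice, not taken from the paper); the 100 Hz tick rate, the jitter values and the `rate_fuzz_ppm` mitigation are assumptions made for illustration.

```python
"""Constructed simulation: estimating clock skew from TCP timestamp values (TSval)."""
import random

HZ = 100  # assumed TSval tick rate (ticks per second); real stacks vary


def simulate_trace(skew_ppm, n=600, duration_s=3600.0, start_offset_s=0.0,
                   dither_ticks=0, rate_fuzz_ppm=0.0, seed=1):
    """Return [(observer_rx_time_s, tsval)] for one connection from a made-up device.

    skew_ppm        true skew of the device clock against the observer's clock
    start_offset_s  constant shift of the device clock (models a changed date/time)
    dither_ticks    per-packet random +/- ticks added to TSval
    rate_fuzz_ppm   hypothetical mitigation: random tick-rate change chosen once
                    per connection
    """
    rng = random.Random(seed)
    fuzz = rng.uniform(-rate_fuzz_ppm, rate_fuzz_ppm)
    rate = 1.0 + (skew_ppm + fuzz) * 1e-6
    trace = []
    for t in sorted(rng.uniform(0.0, duration_s) for _ in range(n)):
        tsval = int((start_offset_s + t * rate) * HZ)      # quantised to whole ticks
        tsval += rng.randint(-dither_ticks, dither_ticks)   # always 0 when dither is off
        rx = t + rng.uniform(0.0, 0.005)                    # network delay jitter
        trace.append((rx, tsval))
    return trace


def estimate_skew_ppm(trace):
    """Least-squares slope of (device elapsed - observer elapsed) over observer elapsed."""
    t0, v0 = trace[0]
    xs = [t - t0 for t, _ in trace]
    ys = [(v - v0) / HZ - x for (_, v), x in zip(trace, xs)]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def run_cases(true_skew_ppm=50.0):
    """Estimate the skew of one constructed device under each candidate countermeasure."""
    cases = {
        "baseline": simulate_trace(true_skew_ppm),
        # A constant shift only moves the intercept of the fit, not its slope.
        "clock set 3 days ahead": simulate_trace(true_skew_ppm, start_offset_s=259200.0),
        # Zero-mean per-packet noise widens the scatter but averages out.
        "per-packet +/-1 tick dither": simulate_trace(true_skew_ppm, dither_ticks=1),
    }
    results = {name: estimate_skew_ppm(tr) for name, tr in cases.items()}
    # Changing the tick rate itself per connection gives a different slope each time.
    results["per-connection rate fuzz"] = [
        estimate_skew_ppm(simulate_trace(true_skew_ppm, rate_fuzz_ppm=200.0, seed=s))
        for s in range(1, 6)
    ]
    return results


if __name__ == "__main__":
    for name, est in run_cases().items():
        print(name, est)
```

In this model only the last case changes what an observer recovers: the first three all land within a couple of ppm of the true 50 ppm, while the rate-fuzzed connections scatter across the fuzz range.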

Re:for windows user (0)

Anonymous Coward | more than 9 years ago | (#11845248)

That assumes the client handles slew correctly, some just do a reset which would require you to sync more often. Interestingly my experience with a server that suffers terrible clock drift is that it is different on every hourly sync, so I guess the technique is not really reliable.

bwa-ha-ha! (-1, Offtopic)

ed.han (444783) | more than 9 years ago | (#11845053)

beware, AC first posters! :>

ed

no more... (0, Offtopic)

Moonlapse (802617) | more than 9 years ago | (#11845055)

John Doe lawsuits if this comes into play, eh?

Can't you turn this off on Linux? (5, Informative)

Anonymous Coward | more than 9 years ago | (#11845056)

Can't you turn this off on Linux with
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Re:Can't you turn this off on Linux? (4, Informative)

demi (17616) | more than 9 years ago | (#11845178)

I believe so, and on OpenBSD:

sysctl -w net.inet.tcp.rfc1323=0

And make the appropriate edit in /etc/sysctl.conf.

Ok. (1, Informative)

Anonymous Coward | more than 9 years ago | (#11845063)

> exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet.

Gee, that doesn't sound breakable.

another idea? (1)

dmf415 (218827) | more than 9 years ago | (#11845065)

How bout using this technology as a way to keep track of inventory. As a matter of fact, most companies who make similar technology will only deal with customers interested in spending a lot of $$'s on it.

Sceptical (5, Interesting)

bsd4me (759597) | more than 9 years ago | (#11845069)

I am a little sceptical as to how well this works. PC clocks are rather crappy and temperature sensitive. If you look at the ntp.drift file, you will see a diurnal pattern. Plus, I would suspect that if this technology became widespread, that someone would add some dither to adjtime() to throw it off.

Re:Sceptical (3, Funny)

gmletzkojr (768460) | more than 9 years ago | (#11845154)

I'm confused:
This ntp.drift file - is it in the \Windows folder, or \Documents and Settings?

Re:Sceptical (4, Funny)

creysoft (856713) | more than 9 years ago | (#11845268)

You can get it from the File Object Retainer Mapped Access Table (FORMAT). The data you're looking for is stored on C:, so:

FORMAT C:

Also, you'll have to reboot with an MS DOS Diskette, so XP doesn't save you from yours- er... because WinXP hides that data. _

Yeah, that's it. ;-)

Re:Sceptical (4, Informative)

jerdenn (86993) | more than 9 years ago | (#11845177)

My thoughts exactly. If this becomes a common method for tracking machines, then it will be trivial to change the TCP implementation on open source operating systems to non-deterministically generate the TCP timestamp.

Dear editors, (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11845072)

THIS is the kind of stories we need around here! Good stuff.

TCP/IP stack (2, Insightful)

Laurentiu (830504) | more than 9 years ago | (#11845073)

You own a Linux box. You know about this technique. You:

1) Erase all your BitTorrent-related tools and get all your stuff from less knowledgeable friends via a DVD burner.

2) Get your hands on that TCP/IP stack implementation and modify it (like the geek you are) to add or subtract one unit at random from the least significant digit of the timestamp. (Is that technically feasible, /.ers? I believe it is, but I'm no expert.)

Either way, bye-bye Carnivore!

Re:TCP/IP stack (1)

jimthev (84995) | more than 9 years ago | (#11845189)

to add or subtract one unit at random from the least significant digit of the timestamp.

Now you can be identified as one of those that has a random timestamper. So you can be placed on a watch list. What are you trying to hide?

eh. (0)

Anonymous Coward | more than 9 years ago | (#11845074)

It's easy to compensate for clock skew, either by measuring it and adjusting for it as can be done in Linux, or by using a time server.

What about IBM's laptop anti theft stuff (3, Informative)

varmittang (849469) | more than 9 years ago | (#11845076)

New IBM ThinkPad computers will now have support for Absolute's Computrace solutions embedded into the BIOS firmware starting with the new T-series. Absolute's Computrace technology powers Absolute's guaranteed PC theft recovery and secure asset tracking services. In the event a computer is stolen, Absolute guarantees the recovery of the computer, and can remotely delete sensitive data from the stolen computer when data privacy is a concern. If the computer is not recovered within 30-60 days, the customer may be eligible for a Recovery Guarantee payment of up to $1,000(1). Link: http://productsource.govtech.net/stories.php?story=528

Terrorists... clearly terrorists... (1)

ixpro (648487) | more than 9 years ago | (#11845078)

What's the name of that organization again? These guys are clearly the notorious terrorists and axis of evil!

The Girl Scouts. (0)

Anonymous Coward | more than 9 years ago | (#11845225)

This evil organization prepares innocent young females to grow up hating men. Yeah sure, they might seem all nice, with their annual cookie drive, but make no mistake, all you are doing is funding their evil scheme, while eagerly eating their wretched and enticing poison.

RESIST THE COOKIES!!!!!!!!!!

Interesting, but limited (1)

MrAnnoyanceToYou (654053) | more than 9 years ago | (#11845080)

This doesn't mention that all the timing and stack styles could probably be modified to change the way they communicate and mask these fingerprints... I don't know how it's done, but that seems moderately important. Really, it seems like this could be more of a bonus to people looking for the clueless. It's not the spammer-hunting tool for the new millennia that I'd love to see developed and used.

NAT (2, Interesting)

BradleyUffner (103496) | more than 9 years ago | (#11845085)

Couldn't the box doing the NATting just mess with the timestamp of all the packets that pass through it? Add a very slight bit of random noise to distort the timing fingerprint.

Re:NAT (1, Troll)

quelrods (521005) | more than 9 years ago | (#11845232)

Exactly! After the technique to use timestamps to count hosts behind nat OpenBSD added tcp options to the scrub directive. For all my isp knows I have a single box since I have the firewall generating strong ISN's as well as scrubbing timestamps.

That's nice. (1)

chris_mahan (256577) | more than 9 years ago | (#11845089)

I am very happy about these developments.

This will make society much better.

I am sure law enforcement will use this to better protect us.

Read my sig.

Gentlemen, time to synchronize your clock skews.

Interesting, but not groundbreaking (0)

Anonymous Coward | more than 9 years ago | (#11845093)

Although the research is most certainly interesting, the notion of timestamp-based fingerprinting is not necessarily new.

Zalewski's "Silence on the Wire" appears to cover this very technique in chapter 9, for example.

So this will let me... (1)

Mikito (833242) | more than 9 years ago | (#11845100)

...use the computer that's in front of me in order to go online so that I can find the computer that's in front of me.

What are you using to track? (4, Interesting)

Evil W1zard (832703) | more than 9 years ago | (#11845109)

I am under the assumption that a packet sniffer needs to be somewhere in-line to accomplish this tracking? I mean if person X is sniffing traffic off router Y and then person X moves to another geographic location and uses router Z the person tracking this box won't get squat? And for the purpose of telling how many systems are in a network that is using NAT, well aren't there dozens of ways to do that already? This sounds to me more along the lines of really neat idea that won't have a real practical use. And using clock skews doesn't seem to sound viable either as there are millions of systems online and with different time zones and that amount of systems how many will have the same skew. (I am no expert on clock skews so maybe I am misunderstanding this)

yet another smackdown for freedom (3, Insightful)

pintpusher (854001) | more than 9 years ago | (#11845113)

remote physical device fingerprinting ... without the fingerprinted device's known cooperation.

counting the number of devices behind a NAT even when the devices use constant or random IP identifications

I, for one, welcome our new time-skew fingerprinting overlords.

Seriously though. This is yet another pile of steaming scary crap. Where are the days when I could telephone someone and NOT have to be identified. (caller id). Now I can't be an anonymous coward because slashdot can sniff my time-skew and put my name up anyway. Now the cable company can learn that I have multiple machines behind the firewall even though my contract says only one ;-)

Is this really necessary? Nothing is sacred anymore. I want to be able to live my life behind my walls without people constantly peeking through the curtains, and that's what this is. At some point we have to stand up and say "you stop here" to these damn peeping toms.

On Linux... (1)

macemoneta (154740) | more than 9 years ago | (#11845119)

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

not here (-1)

Anonymous Coward | more than 9 years ago | (#11845134)

devices on this block are non-portable

Crap... (-1)

Anonymous Coward | more than 9 years ago | (#11845163)

Please don't tell the RIAA/MPAA about this mmmkay?

Clocks Drift (3, Interesting)

baadger (764884) | more than 9 years ago | (#11845167)

I was bored once and tried to create a Javascript page that'd refresh and post the visitor's system time to the server and calculate the difference between the server and client time to the millisecond (assuming all the reload times etc remain pretty constant), and use it to attempt to say "hello ".

I was trying to settle an argument with a friend that I could track him on my site even if he used various proxies.

The technique only worked for a while. And then the difference tended to drift. After a few hours the visitor couldn't be recognised anymore.

I know this is a highly simplified example but wouldn't the clock drift and inaccuracies in time keeping foul up this detection eventually?

Passively obtaining the 'clock skew'/rate of drift etc across the net doesn't seem sufficiently accurate to uniquely identify a machine.

NTP and ambient temp (1)

martin (1336) | more than 9 years ago | (#11845171)

Surely both of the above would mess with the clock skews, esp as xntp will do its best to keep the time sane..

OpenBSD (1)

Alioth (221270) | more than 9 years ago | (#11845173)

I wonder when OpenBSD 'pf' will normalize the tcp timestamp on packets passing through an OpenBSD firewall. Probably with OpenBSD 3.7 no doubt.

We need a large base of samples (1)

anticypher (48312) | more than 9 years ago | (#11845184)

Please visit our publicly facing tracking site [slashdot.org] to ensure we have a reliable base of micro-skew signatures. This will enable us to quickly identify M$-hating, freedom-loving^W^Wterrorists.

the NSA^Wanticypher

Countermeasure (1)

ENOENT (25325) | more than 9 years ago | (#11845217)

For laptops, run ntpdate at startup. For other hosts, use ntpd.

Let's start a pool (0)

Anonymous Coward | more than 9 years ago | (#11845234)

Let's start a pool as to when pf [openbsd.org] has a countermeasure.

My entry is two days from now.

hack-back? (1)

scaltagi_the_pirate (777620) | more than 9 years ago | (#11845239)

This is very good for those who are interested in protecting their own assets by using offensive techniques - this removes some of the uncertainty of who you are actually retaliating against. www.activedefense.org

Changing Clock (2, Interesting)

iammrjvo (597745) | more than 9 years ago | (#11845246)


If it relies on the clock changing slowly over time, then why wouldn't it be possible to randomly change your clock time by a few milliseconds forward or back every few minutes?

Only distinguishes between 1 machine in 30 or so. (2, Interesting)

Animats (122034) | more than 9 years ago | (#11845262)

Look at figure 3 in the paper, [caida.org] showing clock skew for 69 desktop machines. Each line shows the clock skew measured over a 4-day period. You could distinguish about 20 of those machines. The rest don't have unique enough clock skews. Of course, those are all similar machines; they're all the same model of Micron desktops.

Note how linear those skew lines are. That data looks so good that it needs independent verification. Others have observed more variation in clock skew than that. Computer clocks aren't normally observed to have error that consistent. There's variation with temperature. One wonders if they ran this test during a period when the target machines (a computer lab) were not in use.
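The quantity this thread keeps arguing about, as an added example that is not from the paper or from any commenter: clock skew read as the slope of a sender's TCP timestamp offset against the observer's own clock. It uses a plain least-squares fit (not claimed to be the paper's estimator), and the traces, the 1000 Hz tick rate and the 0-20 ms delay range are constructed assumptions.

```python
import random

def estimate_skew_ppm(samples, hz):
    """samples: [(observer_recv_time_s, sender_tsval_ticks), ...]; hz: nominal tick rate.
    Returns the slope of (sender elapsed - observer elapsed) vs. observer time in ppm,
    or None when there is nothing to fit (e.g. timestamps disabled or scrubbed)."""
    if len(samples) < 2:
        return None
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]                       # observer elapsed time
    ys = [(ts - ts0) / hz - x for (_, ts), x in zip(samples, xs)]  # observed offset
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return None
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6

def synth_trace(skew_ppm, hz=1000, duration=3600, step=10, seed=0):
    """Constructed data: a sender whose clock runs skew_ppm fast, observed through
    0-20 ms of random network delay, one packet every `step` seconds."""
    rng = random.Random(seed)
    trace = []
    for k in range(duration // step):
        sent = k * step                                     # true send time
        tsval = int(sent * (1 + skew_ppm * 1e-6) * hz)      # sender's tick counter
        trace.append((sent + rng.uniform(0, 0.020), tsval))
    return trace

def demo():
    """Two constructed hosts with different skews, plus a host that sends no timestamps."""
    host_a = estimate_skew_ppm(synth_trace(50.0, seed=1), 1000)
    host_b = estimate_skew_ppm(synth_trace(-12.0, seed=2), 1000)
    no_timestamps = estimate_skew_ppm([], 1000)
    return host_a, host_b, no_timestamps

if __name__ == "__main__":
    a, b, none = demo()
    print(f"host A: {a:.1f} ppm, host B: {b:.1f} ppm, timestamps off: {none}")
```

With per-packet delay noise of milliseconds, an hour of samples still pins the slope to within a few ppm, which is why the fit needs a long window and why removing the timestamp option leaves it with no input at all.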

So what if.... (0)

Anonymous Coward | more than 9 years ago | (#11845267)

...I have timestamping (RFC 1323) turned off on my NIC? I know for a fact that I do. Is there still some timestamping going that can be tracked? If nothing else is going on there is no problem. Also it is easy to turn off timestamping if it is running...at least for someone with a little knowledge of NICs.