Clock Skew and your computer's fingerprint

Read this (dated March 13, 2005) at: http://www.spywareinfoforum.com/newsletter/archives/2005/mar13.php

In other words, in the "Kiss your Anonymity Goodbye" article unless you either falsify the timestamps on each packet or instruct the computer not to attach them to each packet - your computer clock skey can identify your computer.

-- Tom

Story Link: http://www.zdnet.com.au/news/security/0,2000061744,39183346,00.htm
Remote Physical Device Fingerprinting (PDF paper available at): http://www.caida.org/publications/papers/2005/fingerprinting/ (9.94MB)

 

This just goes to show that, just when you think you have privacy figured out, you DON'T.

If a doctoral student with a minimal research budget was able to figure this out, I imagine the governmental spy agencies have known about it for years and have simply kept it out of the public domain. Just face the music...you CAN'T HIDE from a government that can use its trillions of dollars in resources to find you (if it wanted you bad enough). Sure, you may be able to play your hide-and-seek games for a while using TOR and JAP and god knowns what else, but at the end of the day that's never going to be enough to defeat the full power of the top secret/"black" technologies and techniques used by governments all over the world everyday...or even from simple things such as this clock skew.

You can run....you can hide...but you can't escape. It's as simple as that.

 

Note the date was in 04 March 2005 for the article in ZDNet AU while the presentation at the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy to be held in California in May was in 2005 also.

Research probably done mostly in 2004 sponsored by DOE.

If you read their conclusions in the PDF paper it points out the following

-- Tom

 

Hello,

They say :

They also say :

They probably missed the option "reassemble tcp" in OpenBSD Packet Filter(PF) firewall, which "Modulate RFC1323 timestamps in TCP packet headers with a random number".

http://www.openbsd.org/faq/pf/scrub.html#options

I may be wrong, but it seems that it would prevent this remote fingerprinting.

Regards,
gkweb.

 

Replies to the article at ZDNet.com.au also mentioned ways to subvert the time stamp, but I like the technique you mention for OpenBSD's PF firewall better.

-- Tom

 

You can disable the timestamps for windows with the TCPOptimizer program from speedguide:

http://www.speedguide.net/downloads.php

Alternatively, you can edit the registry.


You can also check here to see if timestamps is enabled on your machine:

http://www.speedguide.net:8080/


I've haven't noticed any speed difference with it enabled or disabled. I have it disabled.


Mike

 

Two points and one rebuttal about this post:

1) Note that it is the identity of the computer that can be seen, NOT the identity of the user of that computer.

2) It would also require your computer to send TCP/IP packets to someone that's trying to track you for them to measure the clock the skew, and those packets would have to be identified as coming from the same computer.

Not if "they" are tapped into the Internet backbones and have a way to trap your traffic from listening to everything. "They" probably are using Carnivore surreptitiously anyway - you do know whom I mean by "they" I presume. Assumption is that packets are timestamped.

-- Tom

 

z12

Thanks for the link, i'd forgotten about that site. Did a SpeedGuide test and no timestamps for me !

lotuseclat79

Yes i know who "they" are lol.


StevieO

 

"Connection parameters retrieved"

I got that msg from speedguide:8080, what does it means?

 

If you did not get the following information (with values) from visiting http://www.speedguide.net:8080/ then your setup is blocking the webpage:
MTU =
MSS =
Default TCP Receive Window (RWIN) =
bandwidth * delay product (Note this is not a speed test):
MTU Discovery (RFC1191) =
Time to live left =
Timestamps (RFC1323) =
Selective Acknowledgements (RFC2018 ) =
IP type of service field (RFC1349) =
DiffServ (RFC 2474) =

-- Tom

 

Wow, scary.... My proxomitron was blocking it. Now I see soo many values.

 

Hello,
Did anyone ever think Internet was anonymous?
Mrk

 

No but with the right minds and tools we can .. make it.

So, is there a way to block the timestamp?

 

As I understand it, by default, not only does Windows, i.e. current releases, not support TCP 1323 scalable windows, but the required key is not even in the Windows registry. So, by visiting http://www.speedguide.net:8080/ it should say: Timestamps (RFC1323) = OFF

If it does not, for a Windows system, then you must have scalable windows enabled. That would mean that you have a registry entry value name: Tcp1323Opts, in the following key for WinXP/2000: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
The particulars are:
Value Name: Tcp1323Opts
Data Type: REG_DWORD (DWORD Value)
Value Data: 0, 1, 2 or 3

* 0 = disable RFC 1323 options
* 1 = window scale enabled only
* 2 = time stamps enabled only
* 3 = both options enabled

Inquiry at Microsoft revealed that the default send window is 8KB and that there is no official support for configuring a system-wide default. However, the current Winsock implementation uses the following undocumented registry key for this purpose

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters]

Value Name: DefaultSendWindow
Data Type: REG_DWORD (DWORD Value)
Value Data: The window size in bytes. The maximum value is unknown.

According to Microsoft, this parameter may not be supported in future Winsock releases.

If you are already using Vista Beta or planning on migrating to Vista you may be interested to know the following about Vista's TCP/IP stack: According to http://www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx, the forthcoming new version of Windows, Vista (previously code-named "Longhorn") will feature a redesigned TCP/IP stack. Besides unifying IPv4/IPv6 dual-stack support, this new stack also claims much-improved performance for high-speed and asymmetric networks, as well as several auto-tuning features.

Ref: http://kb.pert.switch.ch/cgi-bin/twiki/view/PERTKB/WindowsOSSpecific

Linux, BSD, Apple, Solaris configuration links at:
http://kb.pert.switch.ch/cgi-bin/twiki/view/PERTKB/OperatingSystemSpecific

-- Tom