Clock Skew and your computer's fingerprint

Discussion in 'privacy technology' started by lotuseclat79, May 11, 2006.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Read this (dated March 13, 2005) at: http://www.spywareinfoforum.com/newsletter/archives/2005/mar13.php

    In other words, per the "Kiss your Anonymity Goodbye" article, unless you either falsify the timestamps on each packet or instruct the computer not to attach them to each packet, your computer's clock skew can identify your computer.

    -- Tom

    Story Link: http://www.zdnet.com.au/news/security/0,2000061744,39183346,00.htm
    Remote Physical Device Fingerprinting (PDF paper available at): http://www.caida.org/publications/papers/2005/fingerprinting/ (9.94MB)
     
    Last edited: May 11, 2006
  2. Maji

    Maji Registered Member

    Joined:
    Apr 26, 2006
    Posts:
    32
    This just goes to show that, just when you think you have privacy figured out, you DON'T.

    If a doctoral student with a minimal research budget was able to figure this out, I imagine the governmental spy agencies have known about it for years and have simply kept it out of the public domain. Just face the music...you CAN'T HIDE from a government that can use its trillions of dollars in resources to find you (if it wanted you bad enough). Sure, you may be able to play your hide-and-seek games for a while using TOR and JAP and god knows what else, but at the end of the day that's never going to be enough to defeat the full power of the top secret/"black" technologies and techniques used by governments all over the world every day...or even from simple things such as this clock skew.

    You can run....you can hide...but you can't escape. It's as simple as that. :p
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Note the date was 04 March 2005 for the article in ZDNet AU, while the presentation at the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy, to be held in California in May, was also in 2005.

    Research probably done mostly in 2004 sponsored by DOE.

    If you read their conclusions in the PDF paper, it points out the following:
    -- Tom
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    They say:
    They also say:
    They probably missed the option "reassemble tcp" in the OpenBSD Packet Filter (PF) firewall, which "Modulate RFC1323 timestamps in TCP packet headers with a random number".

    http://www.openbsd.org/faq/pf/scrub.html#options
    I may be wrong, but it seems that it would prevent this remote fingerprinting.

    Regards,
    gkweb.
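The measurement the first post describes (fitting a clock-skew line through the RFC 1323 timestamps a host sends), together with what the PF option gkweb mentions and what simply switching timestamps off do to that measurement, as an added example. This is my code, not code from the thread, from the Kohno/Broido/Claffy paper or from OpenBSD; every packet is simulated, so the (observer time, TSval) pairs are constructed rather than captured. Assumptions: the simulated hosts tick their TSval counter at 1000 Hz, run 50 ppm and -120 ppm off the observer's clock, send one packet per second for 15 minutes, and see up to 20 ms of random queueing delay; and, as far as I understand pf_norm.c, PF's "reassemble tcp" adds one random offset per connection state rather than a fresh one per packet, which is also an assumption, not something this thread or the PF FAQ states.

```python
"""Clock-skew fingerprinting from TCP timestamp options (RFC 1323).

Added example for this thread: not code from the original posts, from the
Kohno/Broido/Claffy paper, or from OpenBSD pf.  Everything is simulated;
the (observer time, TSval) pairs are constructed, not captured.
"""
import random

TS_MASK = 0xFFFFFFFF           # TSval is a 32-bit counter that wraps


def simulate_tsvals(n, hz, skew_ppm, initial_tsval=0, interval=1.0,
                    max_delay=0.02, seed=1):
    """Constructed samples (observer receive time in s, TSval) from one host.

    The host clock runs skew_ppm parts per million fast relative to the
    observer's clock (assumed accurate); its TSval counter ticks hz times per
    second of host time; each packet gets a non-negative network delay."""
    rng = random.Random(seed)
    samples = []
    for i in range(1, n + 1):
        sent = i * interval                            # observer-clock time
        host_elapsed = sent * (1.0 + skew_ppm / 1e6)   # host-clock time
        tsval = (initial_tsval + int(host_elapsed * hz)) & TS_MASK
        samples.append((sent + rng.uniform(0.0, max_delay), tsval))
    return samples


def _cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def _upper_hull(points):
    """Upper convex hull of x-sorted points (Andrew's monotone chain)."""
    hull = []
    for p in points:
        while len(hull) >= 2 and _cross(hull[-2], hull[-1], p) >= 0:
            hull.pop()
        hull.append(p)
    return hull


def estimate_skew_ppm(samples, hz):
    """Estimate the sender's clock skew (ppm) from (recv_time, tsval) pairs.

    Each sample becomes an observed offset
        y = ticks_since_first / hz - seconds_since_first.
    Queueing delay and counter truncation can only push y down, so the fit
    is the line lying on or above every point with the smallest total
    vertical distance to them (the linear-programming style fit the paper
    describes); that optimum is always an edge of the upper convex hull, so
    the edges are simply enumerated.  Returns None when no timestamps."""
    pts = sorted((t, v) for t, v in samples if v is not None)
    if len(pts) < 2:
        return None
    t0, v0 = pts[0]
    xy = [(t - t0, ((v - v0) & TS_MASK) / hz - (t - t0)) for t, v in pts]
    n, sx, sy = len(xy), sum(x for x, _ in xy), sum(y for _, y in xy)
    best = None
    hull = _upper_hull(xy)
    for (x1, y1), (x2, y2) in zip(hull, hull[1:]):
        if x2 == x1:
            continue
        a = (y2 - y1) / (x2 - x1)
        b = y1 - a * x1
        cost = a * sx + n * b - sy        # sum over points of (line - y) >= 0
        if best is None or cost < best[0]:
            best = (cost, a)
    return None if best is None else best[1] * 1e6


def modulate_constant(samples, offset):
    """Add one fixed 32-bit offset to every TSval of a connection.

    As far as I understand pf_norm.c this is what pf's 'reassemble tcp'
    does, one random offset per state (my assumption, not verified here).
    It hides the host's absolute counter value across connections, but a
    constant offset cancels in the differences, so the slope survives."""
    return [(t, None if v is None else (v + offset) & TS_MASK)
            for t, v in samples]


def strip_timestamps(samples):
    """'Do not attach them to each packet' (Tcp1323Opts of 0 or 1 on
    Windows per the table later in the thread, net.ipv4.tcp_timestamps=0
    on Linux): nothing is left to fit."""
    return [(t, None) for t, _ in samples]


if __name__ == "__main__":
    hz = 1000                      # assumed counter rate of the simulated hosts
    host_a = simulate_tsvals(900, hz, 50.0, seed=1)
    host_b = simulate_tsvals(900, hz, -120.0, initial_tsval=7000000, seed=2)
    print("host A: ~%.1f ppm" % estimate_skew_ppm(host_a, hz))
    print("host B: ~%.1f ppm" % estimate_skew_ppm(host_b, hz))
    # offset chosen so the 32-bit counter wraps part-way through the run
    print("host A + constant offset: ~%.1f ppm"
          % estimate_skew_ppm(modulate_constant(host_a, 0xFFFF0000), hz))
    print("host A, timestamps off:",
          estimate_skew_ppm(strip_timestamps(host_a), hz))
```

On real captures hz is the sender's counter rate, which has to be known or estimated before the fit; the 1000 here is just the simulated host's. The point of the three runs: two hosts with different skew are told apart from nothing but their timestamps, a constant per-connection offset leaves the estimate untouched because it cancels in the tick differences (only per-packet randomisation or removing the option breaks the slope, and per-packet randomisation would also break RFC 1323's round-trip measurement and PAWS, which is why a firewall is unlikely to do it), and with the option disabled the estimator has nothing to work with.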
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Replies to the article at ZDNet.com.au also mentioned ways to subvert the time stamp, but I like the technique you mention for OpenBSD's PF firewall better.

    -- Tom
     
  6. z12

    z12 Registered Member

    Joined:
    Oct 5, 2005
    Posts:
    5
    You can disable the timestamps for Windows with the TCPOptimizer program from speedguide:

    http://www.speedguide.net/downloads.php

    Alternatively, you can edit the registry.


    You can also check here to see if timestamps are enabled on your machine:

    http://www.speedguide.net:8080/


    I haven't noticed any speed difference with it enabled or disabled. I have it disabled.


    Mike
     
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Two points and one rebuttal about this post:

    1) Note that it is the identity of the computer that can be seen, NOT the identity of the user of that computer.

    2) It would also require your computer to send TCP/IP packets to someone that's trying to track you for them to measure the clock skew, and those packets would have to be identified as coming from the same computer.

    Not if "they" are tapped into the Internet backbones and have a way to trap your traffic from listening to everything. "They" probably are using Carnivore surreptitiously anyway - you do know whom I mean by "they" I presume. Assumption is that packets are timestamped.

    -- Tom
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    z12

    Thanks for the link, I'd forgotten about that site. Did a SpeedGuide test and no timestamps for me!

    lotuseclat79

    Yes, I know who "they" are lol.


    StevieO
     
  9. ambolu

    ambolu Registered Member

    Joined:
    Apr 8, 2006
    Posts:
    14
    "Connection parameters retrieved"

    I got that msg from speedguide:8080, what does it mean?
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    If you did not get the following information (with values) from visiting http://www.speedguide.net:8080/ then your setup is blocking the webpage:
    MTU =
    MSS =
    Default TCP Receive Window (RWIN) =
    bandwidth * delay product (Note this is not a speed test):
    MTU Discovery (RFC1191) =
    Time to live left =
    Timestamps (RFC1323) =
    Selective Acknowledgements (RFC2018) =
    IP type of service field (RFC1349) =
    DiffServ (RFC 2474) =

    -- Tom
     
    Last edited by a moderator: May 18, 2006
  11. ambolu

    ambolu Registered Member

    Joined:
    Apr 8, 2006
    Posts:
    14
    Wow, scary.... My Proxomitron was blocking it. Now I see so many values.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Did anyone ever think Internet was anonymous?
    Mrk
     
  13. ambolu

    ambolu Registered Member

    Joined:
    Apr 8, 2006
    Posts:
    14
    No but with the right minds and tools we can .. make it. :D

    So, is there a way to block the timestamp?
     
  14. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    As I understand it, by default, current releases of Windows not only do not support TCP 1323 scalable windows, but the required key is not even in the Windows registry. So, by visiting http://www.speedguide.net:8080/ it should say: Timestamps (RFC1323) = OFF

    If it does not, for a Windows system, then you must have scalable windows enabled. That would mean that you have a registry entry value name: Tcp1323Opts, in the following key for WinXP/2000: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
    The particulars are:
    Value Name: Tcp1323Opts
    Data Type: REG_DWORD (DWORD Value)
    Value Data: 0, 1, 2 or 3

    * 0 = disable RFC 1323 options
    * 1 = window scale enabled only
    * 2 = time stamps enabled only
    * 3 = both options enabled

    Inquiry at Microsoft revealed that the default send window is 8KB and that there is no official support for configuring a system-wide default. However, the current Winsock implementation uses the following undocumented registry key for this purpose:

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters]

    Value Name: DefaultSendWindow
    Data Type: REG_DWORD (DWORD Value)
    Value Data: The window size in bytes. The maximum value is unknown.

    According to Microsoft, this parameter may not be supported in future Winsock releases.

    If you are already using Vista Beta or planning on migrating to Vista you may be interested to know the following about Vista's TCP/IP stack: According to http://www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx, the forthcoming new version of Windows, Vista (previously code-named "Longhorn") will feature a redesigned TCP/IP stack. Besides unifying IPv4/IPv6 dual-stack support, this new stack also claims much-improved performance for high-speed and asymmetric networks, as well as several auto-tuning features.

    Ref: http://kb.pert.switch.ch/cgi-bin/twiki/view/PERTKB/WindowsOSSpecific

    Linux, BSD, Apple, Solaris configuration links at:
    http://kb.pert.switch.ch/cgi-bin/twiki/view/PERTKB/OperatingSystemSpecific

    -- Tom
     