Comment Re:Fingerprinting (Score 1) 470

I have been following the discussion but I have not seen anyone try
to summarize the meat of the paper. I will try to do that here.
Remember, this is just the gist of the paper; I have simplified
many things.

First, a definition of "clock skew": A clock with skew is gaining
or losing time. For example, a wall clock with a 2-minute skew that
correctly shows 12:00 at noon, will show 1:02 when it is one o'clock,
then 2:04 when it is two o'clock, next 3:06 at three, and so on.
Similarly, a clock with a -2 minute skew loses 2 minutes every hour.

This is different from a clock running fast or slow. A clock running
2 minutes fast would show 12:02 at noon, 1:02 at one o'clock, 2:02,
3:02, etc.

The authors' experiments demonstrate that the various clocks found
on a computer have tiny skews. The skews range from roughly -50 to 50
microseconds every second, and they stay constant for a particular
computer. The authors say that there is enough statistical variation
among skews to tell apart one computer from another if you can somehow
watch a targeted computer's system clock.

How do you watch the clock on a remote computer? It turns out that
most implementations of TCP/IP put a 32-bit timestamp into each TCP
packet. The authors' trick is to monitor thousands of packets from a
targeted computer over the course of minutes or hours; then, using
some linear algebra, they determine the targeted system's skew.

For example, a laptop accessing the Internet from New York may have
its skew measured as 45 microseconds per second. Later, the same laptop
connecting to the 'net from Berlin would again show a skew of 45
microseconds per second.

The authors claim that their method will allow you to learn 6 bits
of information about a device. Well, 2^6 is only 64 different devices.
If there are 200 million computers on the Internet, their method
would divide the world into 64 groups of 3 million computers each.
Your computer would look identical to 3 million other computers!

As other posters have already pointed out, this technique would
be useful to show negative but not positive results. If a laptop in
Berlin gives a skew value of 26 microseconds, you can conclude that
it is a different laptop than the one in New York. But if an arbitrary
laptop in Berlin shows a 45 microsecond skew, you can only say that
there are 3 million other computers like it. You cannot conclude that
it is the same laptop that was once in New York.
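
As an added illustration of the measurement the comment summarizes (not code from the commenter or from the paper), the sketch below recovers a skew from observed TCP timestamps and applies the "can exclude, cannot confirm" comparison. It uses an ordinary least-squares fit in place of the paper's own fitting method; the 1000 Hz timestamp tick rate, the delay-jitter model, the 1 microsecond-per-second tolerance, all function names, and the traces themselves are constructed assumptions.

```python
import random

def make_trace(skew_ppm, hz=1000, seconds=3600, seed=1, start_ts=0xFFFFF000):
    """Constructed sample data: (observer receive time, 32-bit TSval) pairs."""
    rng = random.Random(seed)
    trace = []
    for i in range(seconds):
        send_t = i + rng.random()                      # roughly one packet per second
        sender_clock = send_t * (1 + skew_ppm * 1e-6)  # sender clock gains skew_ppm us/s
        tsval = (start_ts + int(sender_clock * hz)) & 0xFFFFFFFF  # wraps at 2^32
        recv_t = send_t + rng.uniform(0.0, 0.020)      # assumed 0-20 ms network delay
        trace.append((recv_t, tsval))
    return trace

def estimate_skew_ppm(trace, hz=1000):
    """Least-squares slope of (sender elapsed - observer elapsed) against
    observer elapsed, returned in microseconds per second."""
    t0, ts0 = trace[0]
    xs = [t - t0 for t, _ in trace]
    # Masking the difference keeps elapsed ticks correct across one 32-bit wrap.
    ys = [((ts - ts0) & 0xFFFFFFFF) / hz - x for (_, ts), x in zip(trace, xs)]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6

def not_ruled_out(skew_a, skew_b, tol_ppm=1.0):
    """True only means 'cannot exclude': many devices share a similar skew.
    False means the two measurements came from different clocks."""
    return abs(skew_a - skew_b) <= tol_ppm

if __name__ == "__main__":
    new_york = estimate_skew_ppm(make_trace(45, seed=1))
    berlin_a = estimate_skew_ppm(make_trace(45, seed=2))
    berlin_b = estimate_skew_ppm(make_trace(26, seed=3))
    print(f"New York {new_york:.2f}, Berlin A {berlin_a:.2f}, Berlin B {berlin_b:.2f}")
    print("Berlin A ruled out:", not not_ruled_out(new_york, berlin_a))
    print("Berlin B ruled out:", not not_ruled_out(new_york, berlin_b))
```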
