Comments on: Track Any Computer on the Internet Using its Clock Skew Fingerprint

By: Richard Lynch

Richard Lynch — Thu, 23 Jun 2005 02:07:04 +0000

Read the article!

Many fallacies being discussed in the comments are covered in the article.

AboutTime is just like NTP and won’t change the skew.

The skew-times are embedded in the TCP packets that are forwarded by the proxy, I think it says.

The “extra effort” for Windows is to always respond with time-stamps in the TCP reply packets, even though that violates the spec, and Windows will cheerfully start responding to your replies with time-stamp info in subsequent packets. That ain’t much extra effort.

I suspect many software packages will start mucking with TCP packet time-stamps to foil this technique, hopefully before spammers/scammers start abusing it to be Big Brother.

By: Bill

Bill — Wed, 08 Jun 2005 18:41:49 +0000

Skew refers to the rate of deviation, not the amount. That would be constant even if the clock had been set a few seconds previously.

By: Michael

Michael — Sat, 26 Mar 2005 00:55:45 +0000

I run AboutTime in background updating my PC clock to NTIS or navy.mil every two hours, automatically. Would that affect this technique? It seems whatever clock skew I might have gets changed every two hours. Sort of like changing fingers periodically.

By: jeremy

jeremy — Sun, 20 Mar 2005 14:06:00 +0000

Does anyone know how to actually implement this clock skew fingerprint?

By: joe sixpack

joe sixpack — Sat, 12 Mar 2005 20:41:21 +0000

if you read there research paper you’ll notice taht it takes extra effort to fingerprint a
windows machine because it will not stamp the packet by default.
At any rate if you use a proxy server it should be impossible to detect unless you capture
the packet before it hits the proxy.. i think.
if you ran a software clock depending on how it was written could get near atomic level of accuracy
but it would prob eat up sizable resources. but if softclocks was commen then there will almost no wiggle
room for clockskew. it seems to me that to keep track of a specific machien you would need to know
every systems finger print at all times. that would require total collection of all packets.
even so the ip v4 gives space for almost 4billion machines (not including private ranges 10.x.x.x, 172.16.x.x, 192.168.x.x)
and there could be near unlimited numbers behind NAT
given the very large number i’d think there would be systems that are identicle to there fingerprinting
but how large a number i dont know.

By: Tom

Tom — Thu, 10 Mar 2005 17:22:59 +0000

I would think that the reason for connecting to a NTP or other time synchronization service is because the system is unable to keep corect time. I would also think that it would be simple enough to capture and anlyze a few packets, especially those to and from and NTP server, from any system on the net and determine a specific clock skew. I find it most interesting with the lengths manufacturers go to to create duplicate chips over and over that such a minor imperfection as clock skew can create a traceble and unique signature.

By: Tom

Tom — Thu, 10 Mar 2005 17:17:04 +0000

I would think that since the only reason to reconnect and re-synch with an NTP service or any other time synch service is because your system is unable to keep perfect time, hence a clock skew. I would also think that the skew can be detected and calculated by capturing and analyzing only a few packets even (or especially) those going to a NTP server. It is interesting with the lengths manufacturers go to make chips exactly the same over and over that an imperfection in time-keeping can lead to an unique signature.

By: Leslie Anne

Leslie Anne — Tue, 08 Mar 2005 13:22:26 +0000

Does this technique still work if the computer is connected to an automatic tim correction utility that corrects the time several times a day?

By: Kelson

Kelson — Fri, 04 Mar 2005 18:45:02 +0000

Hmm, I wonder how long it takes to obtain a reliable fingerprint, and what impact automatic time synchronization programs (like NTP) have on it. Time to start searching…