Thursday, March 31, 2005

remote hardware fingerprinting - implications

Remote hardware fingerprinting affects anonymity. Whether or not that's a good thing depends on how you feel about anonymity. For example, it makes it easier to prove that what appear to be two different computers really are the same computer, which could help with prosecuting hackers. (Note: that's not the same as saying that what appears to be two different computer users are the same computer user, since the technique identifies the hardware, not the user.) On the other hand, there are times anonymity is important, like message boards designed so that people can post anonymous questions about AIDS or mental illness.

Let's consider how powerful this technique is. First of all, there's a limit on how many different computers the technique can tell apart. Remember that the technique measures clock skew, how many seconds per day a clock gains or loses. Their resolution is limited: while clock skew is fairly stable, it does vary somewhat, so they can't measure more closely than a few parts per million. At the same time, there's a practical limit on just how much clock skew can exist in a real system. After all, a clock that gains ten minutes a day would be very rare. So, if we take an upper bound of 10 minutes per day (7000us / sec), and a resolution of one part per million (1 us/sec), we get 7,000 possible clock skews. Double it because clocks can gain or lose, and you're still in the neighborhood of 14,000 possible skews. The actual results will be smaller because of measurement errors and such.

On the other hand, the technique in the paper gives you the current clock's value as well as the skew. That can help you identify more machines: if two machines have the same skew, but one's clock says it's 7:00 and the other says 10:00, you know they're two different machines. (In reality, the clocks are going to say things like number of seconds since the last time the computer rebooted, rather than an actual time or date. The principle stays the same.) Also, there are techniques to tell different operating systems apart: different operating systems update their clocks at different rates and have other traits you can use to identify them. To be generous, lets say this technique can potentially distinguish in the neighborhood of 100,000 to 1,000,000 different machines. That's still far from the total number of machines on the Internet.

That last point bears repeating. This technique isn't like a classic "fingerprint". It does not let you uniquely identify every computer on the Internet.

One place it might be useful is in forensics: if Alice is trying to prove to a jury that Mallory broke into her web site, she may be able to submit additional evidence that Mallory's computer had the same clock skew as the intruder's computer. Mallory, of course, could counter that (1) there are hundreds of millions of computers out there, so there are hundreds of computers with the same skew as his, and (2) even if it was Mallory's computer, that doesn't mean Mallory was the one using it at the time of the break-in.

Another place people could use it is in breaking the anonymity on trace files. The people who own large, high-bandwidth links will sometimes record all the traffic that goes across those links and make the record available for research purposes. Typically, they make two kinds of records available. One is just the protocol, the signalling traffic back and forth, without any of the data. The other kind has the packets and the data, or at least more of the data, but for privacy reasons it randomizes the IP addresses. With this technique, if you have one trace of each kind, in many cases you can match the clock skews between the traces, so you can match the addresses in the first trace to the packet data in the second. Since clock skews don't change much over time, the traces don't have be at the same times.

remote hardware fingerprinting - how it works

Tadayohi Kohno, Andre Broido, and kc claffy at the San Diego Supercompter Center have published a paper called "Remote physical device fingerprinting. The paper discusses a technique for remotely identifying physical computer hardware. This article goes into how it works. I'll follow up with another that talks more about what it means.

First, here's the explanation for non-techies.

Their technique relies on a few things. (1) Every clock runs a little fast or a little slow. (2) Computers have clocks. (3) If the clock on the computer tends to gain 15 seconds per day, that gain per day is pretty much constant, and the same with how much time it loses per day. It doesn't gain 15 seconds one day and lose 15 seconds the next. (4) You can remotely read the computer's clock.

The practical upshot is that, if you're clever, you can find out that computer X has a clock that tends to gain, say, 15 seconds per day, while computer Y has a clock that tends to lose, say, 7 seconds per day. You can use that information to tell whether you're talking to computer X or computer Y regardless of where it connects to the Internet, or if it hides behind a firewall, or even if it's halfway around the world. This technique works even if the user is trying to stay anonymous.

Now, the turbo-geek version.

Kohno et. al. measure clock skew. They mostly focus on the TCP Timestamp option, which is built into most TCP protocol stacks. However, their technique also works with ICMP time requests. They've even presented a rather clever way to generalize the attack: most operating systems batch their packet transmissions at 10ms or 100ms intervals, but those intervals are also subject to clock skew. That means if you can accurately measure packet interarrival times and perform a Fourier transform on the difference between the batching frequency and the interarrival times, the peak frequency will show you the clock skew. (It's not clear to me whether transmission line characteristics or intermediate routers would obscure this last approach. Also, they don't present a way to automate it.)

Getting back to TCP Timestamp, most TCP stacks offer the timestamp in the SYN packet. Windows NT and XP are notable exceptions: they don't offer it. However, if the responding system breaks the protocol and requests TCP timestamps in the SYN-ACK, XP and NT will still turn on timestamp service. I don't know if Linux or BSD will do the same.

Kohno et. al. also look at the effect of NTP synchronization. On most operating systems, NTP adjusts the system clock but not the clock that runs the TCP timestamp (which presumably derives directly from system up-time.) So, if you turn on frequent NTP synchronization, the system clock's skew drops to near zero, but the TCP timestamp clock's skew remains largely unaffected.

To measure skew, they require a number of samples, though I'm not sure at this point how many they need. Then they use a linear programming approach to combine the samples to get skew.

It looks very much like you could implement the approach through a web browser using the high-resolution clock available on most Pentium systems.

being Robinhood

Shaun Martin pointed out this website where California gives public notice of property they owe people, so that people can claim it. It's a great spot to spend a few minutes typing in the names of friends and family members to see if they have any unclaimed property they should know about.

Tuesday, March 08, 2005

follow-up to bankruptcy law

This is a follow-up to an earlier article on the bankruptcy bill the Senate is currently considering.

Mika asked:

I am just wondering whether these people (those who declared personal bankruptcy due to high medical costs) tried to get Medicare or Medicaid or both? I would think people are likely eligible for Medicaid if they become so poor -- mortgaging the house to pay medical bills, having no income and having exhausted their asset. Medicaid covers hospitalization costs and home health care and so on (http://www.cms.hhs.gov/medicaid/mservice.asp). I have not looked at the research by the Kaiser Family Foundation, but do you recall that the researchers mention the roles of Medicaid or Medicare for helping these people pay for their medical expense even temporally?


According to the study, 6% of the medical bankruptcy debtors had Medicare, 8% had Medicaid, and 2% were veterans or had military coverage. The study doesn't address whether a larger percentage where elegible for those programs. However, it's worth noting that bankruptcy is not the same as low income: you can be bringing in a large amount of money but having to use a lot of it to maintain your debt load, so that you have only a small amount left over to keep yourself afloat. It would be interesting to know how that situation fits with Medicaid or Medicare qualifications.

Also, Charles at Off The Kuff pointed out that there is a special thread of the Talking Points blog that's tracking the bankruptcy bill.

Sunday, March 06, 2005

the bankruptcy bill in the Senate

As you've probably seen in the news, the Senate has been debating bankruptcy reform. Senate Bill S.256 introduces a needs-based test for bankruptcy. Much of the news coverage focused on high credit card debts, the implication being that spendthrift people were running up their credit cards and then using bankruptcy coverage to get out of the debt.

One question, though. What, exactly, were they charging to those credit cards?

If you haven't seen it yet, you might want to check out this very interesting study, which I found through the Kaiser Foundation. The authors sampled bankruptcy cases looking at whether or not high medical bills were a contributing factor. Turns out, they are.

The study created two categories of medical bankruptcies: major medical, and any medical. I'm going to focus here on the major medical category.

They define a “major medical” bankruptcy as one where the debtor

1. said illness or injury was a contributing factor, or

2. they had at least $1,000 in uncovered medical bills for each of the previous two years, or

3. they lost at least two weeks of work income because of the illness or injury, or

4. they mortgaged the house to pay medical bills.

It turns out that 46% of the bankruptcies fell into the “major medical” category. Or, if you want to be more strict about the numbers, 28% of the people going bankrupt said that illness or injury was a contributing factor.

Also, don't think you're safe just because you have insurance. 75% of the medical bankruptcy folks had medical insurance at the start of the medical condition that caused the bankruptcy. Common problems were gaps in coverage -- losing one job because of the medical problem, then not being able to get insurance at the next job because of the preexisting condition -- and lost income -- the medical condition kept them from working, either because they couldn't work or they had to take care of a family member.

Now, that's not to say that we would necessarily see the bankruptcy rate drop by half if we fixed medical coverage, since these factors tend to be interrelated, but it does suggest that the situation is a lot more complex than too many people maxing the plastic to buy that new beemer Z-series.

Friday, March 04, 2005

big week in aviation

Unfortunately, I don't have a lot of time to write at the moment, so this is a bit rushed, but there are some interesting things happening in the world of aviation right now.

First, Steve Fossett just flew around the world, nonstop, without refuelling, and he did it solo. Let's break that down. He flew around the world without stopping, about 67 hours in the air, which is impressive in itself when you stop to think that commercial aircraft have to have an inspection every 100 hours. Also, he flew an aircraft capable of carrying 67 hours worth of fuel. How many hours will your car run on a tank of gas? The airplane carries about 18,000 pounds of fuel. The number of gallons will vary with temperature, but that's probably in the neighborhood of 2,700 gallons: it's a flying gas tank. Finally, there was the technology to get him to an altitude where he could fly over the weather, keep him alive while he was up there, let him navigate and communicate while he was up there, and manage all of that capability single-handedly.

Next, the Experimental Aircraft Association has announced that you'll be able to see both Fossett's plane, GlobalFlyer, and SpaceShipOne (the privately-funded space craft you might remember from late last year, by the same people who built GlobalFlyer), at its annual convention/air show in Oshkosh, WI in July.

Also, the Light Sport Aircraft standards are getting close to being a reality, since they've just been published in the Federal Register. To understand why this is a big deal, you have to know that most of the light planes in the world today are old or based on old designs. It's sort of like if almost every car on the road today still used the height of 1950's technology. One of the reasons is that it's very expensive to certify a new design, so manufacturers don't like to change. One reason why certification is so expensive is that, unlike a car, you can't just pull over if there's a mechanical problem, so the government wants to minimize mechanical problems. They do that by heavily regulating aircraft manufacture. Whether or not that regulation achieves the desired effect would be a very interesting question to investigate, since it involves a trade-off between innovation and predictability.

The Light Sport Aircraft standards may inject some new life, and new technology, into the light aircraft world. The usual regulations apply to almost all light aircraft, from a simple, two-seat Cessna 152 up through highly complex retractables. After much discussion, the FAA decided that very small, simple aircraft were simple enough that they didn't need as much regulation: there's just plain less stuff that can go wrong with them. Among other things, the LSA rules relax some of the regulations for these small, simple airplanes. Relaxing the rules means the manufacturers have more flexibility to incorporate newer technology, which can lead to safer airplanes. It also means they can build these airplanes at significantly lower cost, which may lower the cost per hour of flying. Lowering the cost per hour would let pilots on a budget fly more often, making them safer pilots because their skills will stay sharper.