Fingerprinting in Cyberspace

Since I'm all for open debate, I want to assure those that have commented, that I will try to respond in a not too far future.:-)

But first, I want to talk about something that cought my eye not long ago.

In the eternal cat&mouse game of those trying to make computers or communication safe, secure and anonymous, and those that try to break it, the latter have just got a considerable powerful tool.

It seems that a student by the name of Tadayoshi Kohno of the university of California has developed a way to identify a computer, regardless whether it is NATted or behind a firewall, and regardless what IP that computer uses or shows.

While at first the usual reaction would be disbelief, it seems he actually has a working way of doing exactly what he claims. However, it should be noted, that what he discribes in his paper as 'unique identification' is, in the context used, NOT about the geographical position of the computer. Thus, it is not knowing where, exactly, the computer is, it is rather knowing which (among the many) computer it is. Some might think: "so, what, that is not much more information than can be gathered from the IP of a machine", but this is not competely true.

His system, basically, works with the so-called 'Clock-skew' and goes way beyond what is possible with server-fingering or portscans and the like. Rather, it is a remote way of doing forensic research, using forensic techniques. His particular technique is based on how the TCP protocol works when used on the internet. Tcp tries to make use of the Net as efficiently as possible (for its protocol), but this is not an easy task, because it has to 'guess' how many bytes can be send to a random receiver - but this is, obviously, also dependent on the load of the network. The way it does that, is by starting slow and then going faster and faster, untill it goes wrong; then it takes a step back. Another way it does that is by using rfc 1332, which consists of two parts, one of which is a time-stamp. It is exactly that time-stamp that is the weak spot used in the method of Yoshi.

When one sends a tcp-packet, this packet receives a timestamp, after which the receiver, when the request is acknowledged, resends the original timestamp. That way, the sender can easily determine the time it took for it to arrive at the receiver, and how long it took to get back (RTT). This system is used to determine how fast data can be transmitted, and is a normal practise of the internet-workings. However, the timestamps are based on the clock of the computer who sends it, and there is where the problem lies: *every* clock in *every* computer around the world has a deviance. This is called the clock-skew, and even when it is a minute difference, it is still detectable, and what's more, the exact aumount of time it deviates turns out to be as telling as a fingerprint, and thus one can identify the sender (at least his computer).

This has big implications, because, wherever one uses his laptop/PC when connecting to the Net, even when doing so in Japan and the next day in the USA, BOTH times it is recognised as being exactly the same computer. It also means that, whether you are behind a firewall or NAT, it STILL sends the timestamps with the ICP-packets, and thus, your computer can STILL be uniquely identified. Which can have enormous consequences for systems that rely on anonimity, because, when requesting something, even if it is routed through another computer, it is still possible to identify the exact computer that requested whatever it was that it requested. At least for a system relying on 'reasonable deniability', such as Freenet, this is a great potential threat: obviously, if your computer can be uniquely identified as the one that requested something, you have *no* deniability left whatsoever.

The way Freenet goes wrong

Who says birds of a feather flock together? Maybe they do, but there can be a lot of picking, regardless.

Ian and me go back a long time, by now. More then 4 years ago, I began a more active involvement in his Freenet-project; back then the Big New Hot Thing of the time in cyberspace. While, at first, things went along pretty well, our mutual understanding deteriorated to the point where I am now blacklisted on his emaillist - an unicum, according to himself.

The reasons are diverse; he blames it on arrogance; I do the same. Only we have eachother posts' in mind. :-) We are probably both guilty; Ians' ego is as stuborn as mine, and sometimes personalities (or ego's) just don't get along. One would think that, me and him, both libertarian minded, would get along just fine, but the contrary is true; we're too much alike. The difference being, he manages his OSS projects in the cathedral way - instead of the bazaar way, and having been a central application manager myself, I can see how he mismanages most of the projects in a terrible way. He, ofcourse, has another opinion, and since I'm not a coder, he finds all what I say of little interest - so he has claimed himself. This attitude is pervasive and widespread, which, IMHO, is one of the reasons Freenet has went nowhere, even after 5 years of development.

Obviously, Ian disagrees. He cites it's novel and complex as the reasons...but that doesn't explain why there isn't more effort to involve people, why so many have thrown Freenet in the bin and went to I2P, which, strangely enough *does* manage to get considerable leaps in usability. AND in a fraction of the time that Freenet took to come up with a largely defunct network - even though for years Freenet has a full-time payed coder, where I2P has to manage with what volunteers can do in their spare time. The 'complexity of the code' has nothing to do with how one manages projects on the human-management level, especially OSS projects; and if, like Ian does, you do not deem any input comming from a non-coder as being worth your attention, then there is something wrong with how you regard contributions. If you think only code matters, then you fail to realise the potential every person can give to a project.

I'll take myself as an example, since I know that case best ;-). I am not a coder (unless in a very minor way with js), and I have said so from the start. Yet, of all the non-coders, I dare say I have done the most: I have sponsored and donated to Freenet myself, I have searched and found new additional sponsors for Freenet, I have helped maintain and update the site, I have offered to help with showing a more transparent way concerning the finances of the project (it's financed by the public, after all, as a non-profit org. At the end - you guessed it - it was ultimately denied), I have erected the freenethelp-site (and given it webspace, hosting and maintainance for free) which is meant to help users of Freenet, I have run several nodes and inserted content, etc.

Does all this mean anything in the eyes of the founder of Freenet? Well, apparently not much. This was more then obvious when I posted a critical suggestion or comment. It is true; after a while, I and others began to lose patience, and I posted several posts that were less then diplomatic - but I really can't feel much remorse, because I only react to people as they react to me. At least I wasn't hypocritcally lecturing anyone about how one should behave, while disregarding it myself. Ian apparently fails to realise, that comments with criticism are wortwhile too, and should be considered contributions, not attacks - even when, through his own fault of continious disdain of non-coder input, some posted with a lot of sarcasm at the end (including myself, I confess). But ofcourse, no doubt Ian sees this in a whole other light, so I'll give some examples:

I and others have numerous times suggested things that most would see as obviously welcome. An example is: a search-engine. One has to be blind and stupid not to realise this is one of the major disadvantages of Freenet: it has no capability to search. While it was clear that a true searchengine was not for the forseable future, someone with a feeling for what the public wants could have decided to make a temporary one. That someone wasn't Ian. Every suggestion was deemed unacceptable, if not 'idiotic'. His reasoning was like: it's not good enough. A client-based js searchengine? No way, josé! He'd rather have nothing then a temporary solution. And at the end, he had exactly that: nothing.


Numerous other times have followed the same pattern: making his freenet-finances more transparent? Not necessary. Creating TUKs or other ways of having permanent yet updated freesites, without having to go through the hassle of inserting them every 24 hours? Not needed. Creating a testnetwork so we could actually have a chance of making progress in defining the underlying routing/loadbalance problems? A waste of time. Providing a bit more news or feedback to the users/sponsors/etc so that you create a sense of involvement and direction, instead of the impression everthing lies dead in the water? We have more important things to do! (untill users and sponsors don't donate enough money anymore, then suddenly it becomes important, and the begging begins). Try to involve others more in the project, even coding wise?

There have been numerous suggestions from me and others about this in the past, but somehow, it's never deemed worth a response. Yet, other, similar projects are more open and flexible, and at least give it a try: http://dev.i2p.net/pipermail/i2p/2005-May/000727.html If I2P can do it, why can't we?

But; offering bounties for help in some areas of Freenet-coding? Hell no! Making better documented specs, so coders that weren't here from the start have a fair chance of understanding the code before they die of old age? Who cares!

It is exactly that sort of pervasive we-do-as-we-like-and-screw-the-rest mentality that destroys that what is precisely the strongest asset and driving force of many OSS. Ian fails to see this, alas. Does it surprise anyone, that Freenet, after years of development is, where it was 5 years ago, in a practical-usability sense?

Sure, numerous technical things have changed, and new features and possibilities and routingmechanisms have been touted, again and again, as the solution for a working Freenet-network. But, at the end, we still have a crappy network with little content to be found, where it takes days to get connected, and where it is virtually impossible to get any of ten randomly chosen freesites (which was proven by me with factual data; the only way to do it, because it was, time and again, refuted that freenet was working like crap as I said it was. One can see this data in the archives of the mailists; it comes right after the episode where Ian revoked my freenet-emailaddress, because my critical attitude to the current development-proces was aparently not to his likings).

There is also a grand self-delusion going on, with Ian, and even with Toad, where they think they actually have a GOOD working network. I don't know how this is possible. Maybe they base themselves wrongly on their own experiences with their optimised nodes, that are running 24/24, 7/7 and act as seednodes. Or maybe they just don't want to realise what most joe doe users (and slashdotters) already have realised and said in their posts: that Freenet, while a good idea, just sucks, currently.

It is with pain in my heart that I have to agree with that, because I really like the project as a concept, and I have invested much time and money and effort in it - even when it is not appreciated by the Higher Gods. In fact, if I hear someone else speak negatively about freenet, I have the reaction to defend it too - so it's not like I don't understand Ians' irrational attitude towards criticism, when you view that as an attack. But, one can not deny it any longer: Freenet has gone nowhere, in a practical joe-doe-can-use-it sense. After 5 years, we have nothing to show for it, and I largely blame the management - and the unwillingness to listen to input from others - for it.

Now, once again, a decision has been made (from the 'top' down, as usual) to completely revamp Freenet, once again. Will it be any better now? Not if things don't change management-wise, and attitude-wise, but Ian&co doesn't seem inclined to try another approach. Version 0.7! All those wonderful ideas! But some already suck, like making *two* networks, one open and one darknet with a Gmail-like invite-only system (and insanly presumed to be as succesful), instead of just using a hybrid, like I and others have suggested, and which makes the most sense to everyone exept a few Higher Gods. So, one can already see where this will be going, one bad development-decision after another; to another 4 years of haphazard-development, with not much to show for at the end in a pragmatical sense, again. After months of being dead in the water - apart from some simulations - we are already feeling a weird deja-vue, even before actual coding has began.

But then again, I doubt anything will change in that regard: if you can't code, your viewpoints aren't worth considering, and thus, neither will this blogcomment. Some people just never learn, and the project suffers for it. I've made this blog-entry with the specific hope it would awaken at least some of the people who have the most say in the project, and maybe, finally, make a drastic change in the way things are done, and to help the project out of it's eternal loophole where it has been meandering these last 5 years. In reality, ofcourse, it's quite possible I simply will get banned form the maillist alltogether. Don't listen to the message; kill the messenger: that always has been the prefered way of dealing with unpleasant news, by some - to their own detriment, ultimately.

Outlawing Books

This is a copy of a post I made some time ago, but still is worth mentionning because it directly relates to free speech, of which, you will notice, I am a stark proponent in the finest (cough) libertarian sense :

Well, this may be a bit off topic, but what the heck. I've just been out with some friends, and, as always when we get moderately drunk, we talked about politics, religion, philosophy etc. (when we are real drunk or when no babes are present, we usually talk about sex ;-)

Well, anyhow, being all european, and all friends (birds of a feather) we fully agreed on a lot of topics. Israel, Iraq, USA, etc...opinions didn't differ much there. But then it came to a typical european concept of free speech, which, I presume, may strike USA-citizens as a bit weird. While, seen at large, we have the same concept of free speech as in the USA, this opinion, curiously, always seem to shift to a more restricted idea of free speech when it concerns things as racism. In this respect (one of the few, I might add), I think the usa concept of it is much more honest and fair. This has undoubtably to do with our historic heritage, notably WWII.

I was argumenting that revisionistic books, as an expression of an opinion, should be allowed. Thus, not agreeing with the law(s) in most euro-countries, where such books are forbidden. To my astonishment, many of my friends agreed with this censorship, however. This is something I do not understand; you CAN NOT claim to be for free speech and expression of opinion, and then say "exept when it's *that* opinion". Allowing free speech only if you agree with it, but forbid it when you totally disagree with it, is not allowing free speech at all. I've tried to argument it, but it just didn't seem to get through to them; they started with the premise that it's wrong, and therefor it should be forbidden, whatever. The fact that this leads to hypocrytical contradictions was something they ignored too. One said: 'it's a fact, and thus it shouldn't be disputed' another said 'it hurts the jews'...but, are that, on itself, enough reasons to forbid an opinion? Is there a 'fact' so absolute, it can't be disputed? Can't anyone feel hurt be an opinion of another dude, and should we thus, forbid everything that someone claims is hurting their feelings?

These arguments do not make any sense, and what's more, to forbid an opinion is EXACTLY what ultra-right wing or despotic governments would do with the opinions that my friends (and I myself) hold dear; that of being non-racist, etc. The difference is, they start with the presumtion that they (the idea they have about it) are right, and thus oposing views can be forbidden, while I think people are allowed to have racist opinions, even when I totally disagree with them... After all, that is EXACTLY what a dictator (or ultra-right-winged-government) would do, if he ever got the power: claim something is a 'fact' and forbid oposing views. The REAL difference, thus, between a democracy and a dictatorship is that that the one alows (or should allow) diffirent opinions, while the other does not. Thus, in conclusion, this is a treat, not of democraccy, but of a dictatorship, and unworthy to be used in a democracy, IMHO. It also shows that laws are not always justified, and, again IMHO, should not ALWAYS be regarded as an absolutism, something that should be followed blindly. (Of course, it happens to be my opinion that revisionists are telling crap too, but the point is I think they have a right to express that opinion).

I got a bit worked up about it, really, because, after all, it restricts other people, because of the mere opinion of others, who think they have the right to forbid it (and have the power - which is the dangerous part, because; what if the power shifts?). Why am I writing all this? Well, because it made it clear to me again, why I'm doing all this trouble for a project such as Freenet. Sometimes, with all the tech babble and the problems and all that, I ask myself why I'm doing all this. And I guess, this is the answer. I'm doing this, because everyone has a right to express his opinion, and I can't stand it that others would try to impose their will on others, even with the best of intentions (as with my friends).

This project (Freenet) has the ultimate potential: it deprives people, and, as an extention, governments, of the *power* to impose their will/censorship on others. Are people telling crap? Well, make something that debunks what they say, point. But don't forbid it, because that's exactly what THEY would do if they are in power.

Yes, it's the potential of making the power that the government (and corporations, and, yes, my friends) seem to think they have the perogative of, to become totally obsolete, that made me interested in Freenet. With a system as Freenet (when it will be fully working ;-), they can shout and do all they want, my ideal of a free society with a free flow of opinions will be there (at least in cyberspace). There might be drawbacks, as with any technology (and it's consequences), but all by all, it's worth it.