RE: [PHP] php behind firewall

2006-08-05 Thread tedd

At 3:37 PM -0500 8/4/06, Richard Lynch wrote:

>> http://www.caida.org/publications/papers/2005/fingerprinting/
>
> Just to be pedantic...
>
> It's using the clock skew of the user's computer, and I don't think
> that has anything to do with PC-NIC-CABLE-FIREWALL combination
> communication.
>
> Rather, it is the error margin of the internal clock chip within the
> device, as I understand it...
>
> Or not, as I don't claim to understand that article 100%...


Richard:

As I read it, and I don't claim to understand the article 100% 
either, it's more than the margin of error of the internal clock, but 
rather how the user's computer responds due to the skew -- the timing 
in sending packets of information to a server.


The fingerprint is not instant, but derived from the performance of 
the computer over time. The more information gathered, the more 
unique the fingerprint becomes. A sort of stacking (sum) of the 
events to increase the fold (confidence) and as a result, computer 
response times fall into different identifiable groups.


Any temporal series of data can be thought of as a waveform that can 
be analyzed via a FFT, as they mention in their article and add that 
the FFT may not be a solution. However, they fail to acknowledge that 
a time series can be analyzed via many different techniques other 
than FFT.


However, barring that, they have posed an interesting idea (but not 
proved) that every computer currently made can be identified by the 
way it responds -- each computer is unique.


Their sample size was relatively small, several hundred computers, 
and the time to distinguish individual computers took several hours. 
If their technique was applied to the net, I would think it would take a 
great deal of time (perhaps prohibitively so) to gather enough data 
to clearly distinguish and identify individual computers visiting a 
server. On the other hand, a set visiting a specific server would be 
much smaller than the entire net-set.


In any event, the confidence level for identifying each computer 
would depend upon how many times the user's computer visited the site 
in question, which in the real world would lead to a vast range of 
confidence levels.


IF their claim is true and IF they could cut the analysis time 
required, then the ramifications of the technique could be 
significant in terms of Internet security, spam, law enforcement, 
software registrations, and so on.


The article presents a possible answer for those wanting to uniquely 
identify computers -- kind of an unintended built-in V chip for 
computers.


Interesting research.

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] php behind firewall

2006-08-04 Thread Richard Lynch
On Fri, August 4, 2006 1:08 pm, Jim Moseby wrote:
>>
>> Jim Moseby wrote:
>> >
>> > I recently read an article about IP fingerprinting.  The concept is that
>> > every PC-NIC-CABLE-FIREWALL combination has subtle, but measurable
>> > differences in the way they communicate.  It was very in-depth, but it
>> > worked amazingly well.  If I can find the article, I'll post it.
>>
>> Please do.
>>
>> I can imagine that the concept goes to the wall with wireless users, but
>> even so, should be a good read.
>>
>
> Found it:
>
> http://www.caida.org/publications/papers/2005/fingerprinting/

Just to be pedantic...

It's using the clock skew of the user's computer, and I don't think
that has anything to do with PC-NIC-CABLE-FIREWALL combination
communication.

Rather, it is the error margin of the internal clock chip within the
device, as I understand it...

Or not, as I don't claim to understand that article 100%...

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] php behind firewall

2006-08-04 Thread Richard Lynch
On Fri, August 4, 2006 10:25 am, Andrew Senyshyn wrote:
> I need to get local user IP, but server with apache and php is in
> another subnetwork.
> So from server environment I can get only router's IP.
> The only solution that I see - is getting with some magic algorithm
> local IP from browser and sending it to server.
> My application is for intranet, so I don't see any reason to make
> users authorization.
> Any ideas for this?

Don't.

If it's a transparent proxy, you can get their IP.

If it's NOT a transparent proxy, you can't get their IP, by design,
and nothing you can do will change that, at least in PHP.  That's the
whole point of a transparent proxy.

Suppose you wrote some JS to send you the 'local' IP -- Even if that
works, which I suspect not, it would be pointless, since you'd end up
with a few hundred people with IP addresses such as 192.168.1.100,
which is a meaningful IP address only in their subnet, not in the
larger network in general.

Now, to your specific case:
If you can get the browser to send you the IP, then a Bad Guy can
write their browser to send you whatever IP they want, thus defeating
your so-called authentication.

-- 
Like Music?
http://l-i-e.com/artists.htm




RE: [PHP] php behind firewall

2006-08-04 Thread Jim Moseby
> 
> Jim Moseby wrote:
> > 
> > Found it:
> > 
> > http://www.caida.org/publications/papers/2005/fingerprinting/
> 
> Thanks!  Interesting stuff...
> 
> Regards,
> Austin.


No problem.  My recollection of the technique was a bit off, but the concept
was still there.  ;-)

JM 




Re: [PHP] php behind firewall

2006-08-04 Thread Austin Denyer
Jim Moseby wrote:
> 
> Found it:
> 
> http://www.caida.org/publications/papers/2005/fingerprinting/

Thanks!  Interesting stuff...

Regards,
Austin.




Re: [PHP] php behind firewall

2006-08-04 Thread Jochem Maas
Austin Denyer wrote:
> Jochem Maas wrote:
>> John Nichel wrote:
>>> Well, if you would stop using the Vic20, and upgrade!
>> how dare you call my altair a vic20. new-fangled rubbish. ;-)
>> you want real authentication? get some carrier pigeons like us real
>> programmers.
> 
> So, how many different tunes did you get your Altair to play over the
> radio? #;-D
> 
> My first machine wasn't quite an Altair, but it did make the Vic look
> space-age - I started with a ZX81.

I was only joking about the altair - the closest I have got to one of those
is a documentary on the Discovery channel :-P

I do remember having a Spectrum48, although it was only ever used to play
'Horace goes Skiing'

> 
> The carrier pigeon trick only works for IP though.  And packet traces
> can be a tad messy...

separates the men from the boys ;-)

> 
> Regards,
> Austin.




Re: [PHP] php behind firewall

2006-08-04 Thread Adam Zey

tedd wrote:
> At 1:26 PM -0400 8/4/06, John Nichel wrote:
>> tedd wrote:
>>> At 12:55 PM -0400 8/4/06, John Nichel wrote:
>>>> Wait, are you telling me that I can't auth my customers based on IP
>>>> alone?  Great, now how do I let them view their sensitive data?  ;)
>>>
>>> Okay, how do you?
>>
>> Retina scan, and DNA sample.
>>
>> Seriously though, not by IP in any way, shape or form.  The only
>> 'sensitive' data I keep for customers to view is their order history.
>> Credit card numbers are trashed the moment I get a response back from
>> the cc gateway.  To get to that they just need their username and
>> password.  If they want the system to 'remember' their login, I use a
>> hash of quite a few variables that I place into a cookie on their
>> browser.
>>
>> The only place I use IP to help identify a user (not really a user,
>> but a particular computer) is on our Intranet...and I can only safely
>> (for the most part) rely on this because I control the network and the
>> IP addresses.
>
> Thanks.
>
> Not that I have done this on the net, but has anyone thought about using
> a fuzzy logic approach to the problem? While it wouldn't be a perfect
> solution, you could set a threshold you're comfortable with.
>
> Also while your DNA comment was meant to be humorous, it's not a bad
> idea to build a "trust-index" via user actions that would be similar to
> a DNA-like reasoning solution.
>
> Just food for thought.
>
> tedd


Either account-based authentication, or a unique ID stored in a cookie, 
that's how I've done it.


Regards, Adam Zey.




Re: [PHP] php behind firewall

2006-08-04 Thread Austin Denyer
Jochem Maas wrote:
> John Nichel wrote:
>>
>>Well, if you would stop using the Vic20, and upgrade!
> 
> how dare you call my altair a vic20. new-fangled rubbish. ;-)
> you want real authentication? get some carrier pigeons like us real
> programmers.

So, how many different tunes did you get your Altair to play over the
radio? #;-D

My first machine wasn't quite an Altair, but it did make the Vic look
space-age - I started with a ZX81.

The carrier pigeon trick only works for IP though.  And packet traces
can be a tad messy...

Regards,
Austin.




Re: [PHP] php behind firewall

2006-08-04 Thread Jochem Maas
John Nichel wrote:
> Jochem Maas wrote:
>> Jim Moseby wrote:
>>>> Jim Moseby wrote:
>>>>> I recently read an article about IP fingerprinting.  The concept is that
>>>>> every PC-NIC-CABLE-FIREWALL combination has subtle, but measurable
>>>>> differences in the way they communicate.  It was very in-depth, but it
>>>>> worked amazingly well.  If I can find the article, I'll post it.
>>>> Please do.
>>
>> I had read about this before, will read it again.
>> but I suspect that my current server will probably have a
>> hard time calculating the finger print for each connection. :-)
>>
>
> Well, if you would stop using the Vic20, and upgrade!

how dare you call my altair a vic20. new-fangled rubbish. ;-)
you want real authentication? get some carrier pigeons like us real
programmers.

> 




Re: [PHP] php behind firewall

2006-08-04 Thread John Nichel

Jochem Maas wrote:
> Jim Moseby wrote:
>>> Jim Moseby wrote:
>>>> I recently read an article about IP fingerprinting.  The concept is that
>>>> every PC-NIC-CABLE-FIREWALL combination has subtle, but measurable
>>>> differences in the way they communicate.  It was very in-depth, but it
>>>> worked amazingly well.  If I can find the article, I'll post it.
>>> Please do.
>
> I had read about this before, will read it again.
> but I suspect that my current server will probably have a
> hard time calculating the finger print for each connection. :-)



Well, if you would stop using the Vic20, and upgrade!

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] php behind firewall

2006-08-04 Thread Jochem Maas
Jim Moseby wrote:
>> Jim Moseby wrote:
>>> I recently read an article about IP fingerprinting.  The concept is that
>>> every PC-NIC-CABLE-FIREWALL combination has subtle, but measurable
>>> differences in the way they communicate.  It was very in-depth, but it
>>> worked amazingly well.  If I can find the article, I'll post it.
>> Please do.

I had read about this before, will read it again.
but I suspect that my current server will probably have a
hard time calculating the finger print for each connection. :-)

>>
>> I can imagine that the concept goes to the wall with wireless users, but
>> even so, should be a good read.
>>
> 
> Found it:
> 
> http://www.caida.org/publications/papers/2005/fingerprinting/
> 
> JM
> 




RE: [PHP] php behind firewall

2006-08-04 Thread Jim Moseby
> 
> Jim Moseby wrote:
> > 
> > I recently read an article about IP fingerprinting.  The concept is that
> > every PC-NIC-CABLE-FIREWALL combination has subtle, but measurable
> > differences in the way they communicate.  It was very in-depth, but it
> > worked amazingly well.  If I can find the article, I'll post it.
> 
> Please do.
> 
> I can imagine that the concept goes to the wall with wireless users, but
> even so, should be a good read.
> 

Found it:

http://www.caida.org/publications/papers/2005/fingerprinting/

JM




Re: [PHP] php behind firewall

2006-08-04 Thread Austin Denyer
Jim Moseby wrote:
> 
> I recently read an article about IP fingerprinting.  The concept is that
> every PC-NIC-CABLE-FIREWALL combination has subtle, but measurable
> differences in the way they communicate.  It was very in-depth, but it
> worked amazingly well.  If I can find the article, I'll post it.

Please do.

I can imagine that the concept goes to the wall with wireless users, but
even so, should be a good read.

Regards,
Austin.




RE: [PHP] php behind firewall

2006-08-04 Thread Jim Moseby
> 
> Thanks.
> 
> Not that I have done this on the net, but has anyone thought about 
> using a fuzzy logic approach to the problem? While it wouldn't be a 
> perfect solution, you could set a threshold you're comfortable with.
> 
> Also while your DNA comment was meant to be humorous, it's not a bad 
> idea to build a "trust-index" via user actions that would be similar 
> to a DNA-like reasoning solution.
> 
> Just food for thought.
> 
> tedd

I recently read an article about IP fingerprinting.  The concept is that
every PC-NIC-CABLE-FIREWALL combination has subtle, but measurable
differences in the way they communicate.  It was very in-depth, but it
worked amazingly well.  If I can find the article, I'll post it.

JM




Re: [PHP] php behind firewall

2006-08-04 Thread tedd

At 1:26 PM -0400 8/4/06, John Nichel wrote:

> tedd wrote:
>> At 12:55 PM -0400 8/4/06, John Nichel wrote:
>>> Wait, are you telling me that I can't auth my customers based on IP
>>> alone?  Great, now how do I let them view their sensitive data?  ;)
>>
>> Okay, how do you?
>
> Retina scan, and DNA sample.
>
> Seriously though, not by IP in any way, shape or form.  The only
> 'sensitive' data I keep for customers to view is their order
> history. Credit card numbers are trashed the moment I get a response
> back from the cc gateway.  To get to that they just need their
> username and password.  If they want the system to 'remember' their
> login, I use a hash of quite a few variables that I place into a
> cookie on their browser.
>
> The only place I use IP to help identify a user (not really a user,
> but a particular computer) is on our Intranet...and I can only
> safely (for the most part) rely on this because I control the
> network and the IP addresses.


Thanks.

Not that I have done this on the net, but has anyone thought about 
using a fuzzy logic approach to the problem? While it wouldn't be a 
perfect solution, you could set a threshold you're comfortable with.


Also while your DNA comment was meant to be humorous, it's not a bad 
idea to build a "trust-index" via user actions that would be similar 
to a DNA-like reasoning solution.


Just food for thought.

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] php behind firewall

2006-08-04 Thread John Nichel

Jochem Maas wrote:
> Andrew Senyshyn wrote:
>> Hi all,
>>
>> I need to get local user IP, but server with apache and php is in
>> another subnetwork.
>> So from server environment I can get only router's IP.
>> The only solution that I see - is getting with some magic algorithm
>> local IP from browser and sending it to server.
>> My application is for intranet, so I don't see any reason to make users
>> authorization.
>> Any ideas for this?
>
> you can't always get the real user's IP because of proxies, anonymizers,
> firewalls/gateways [on the user end] (and don't bother using an IP as an
> absolute indicator when validating a

Wait, are you telling me that I can't auth my customers based on IP
alone?  Great, now how do I let them view their sensitive data?  ;)

> session - you can use it as one of a number of metrics - for instance AOL
> users have their IP addresses changed roughly every 300 milliseconds).



Gawd, AOL causes us so many headaches with that crap.

--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] php behind firewall

2006-08-04 Thread John Nichel

tedd wrote:
> At 12:55 PM -0400 8/4/06, John Nichel wrote:
>> Wait, are you telling me that I can't auth my customers based on IP
>> alone?  Great, now how do I let them view their sensitive data?  ;)
>
> Okay, how do you?



Retina scan, and DNA sample.

Seriously though, not by IP in any way, shape or form.  The only 
'sensitive' data I keep for customers to view is their order history. 
Credit card numbers are trashed the moment I get a response back from 
the cc gateway.  To get to that they just need their username and 
password.  If they want the system to 'remember' their login, I use a 
hash of quite a few variables that I place into a cookie on their browser.


The only place I use IP to help identify a user (not really a user, but 
a particular computer) is on our Intranet...and I can only safely (for 
the most part) rely on this because I control the network and the IP 
addresses.


--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] php behind firewall

2006-08-04 Thread tedd

At 12:55 PM -0400 8/4/06, John Nichel wrote:

> Wait, are you telling me that I can't auth my customers based on IP
> alone?  Great, now how do I let them view their sensitive data?  ;)


Okay, how do you?

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] php behind firewall

2006-08-04 Thread Jochem Maas
Andrew Senyshyn wrote:
> Hi all,
> 
> I need to get local user IP, but server with apache and php is in
> another subnetwork.
> So from server environment I can get only router's IP.
> The only solution that I see - is getting with some magic algorithm
> local IP from browser and sending it to server.
> My application is for intranet, so I don't see any reason to make users
> authorization.
> Any ideas for this?

you can't always get the real user's IP because of proxies, anonymizers,
firewalls/gateways [on the user end] (and don't bother using an IP as an
absolute indicator when validating a session - you can use it as one of a
number of metrics - for instance AOL users have their IP addresses changed
roughly every 300 milliseconds).

nonetheless here are a couple of funcs that might help you (at least to
understand what is possible in terms of trying to determine a user's IP):

/* Determine if an ip is in a net.
 * E.G. 120.120.120.120 in 120.120.0.0/16
 */
function isIPInSubnet($ip, $net, $mask)
{
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);

    // ip2long() returns false for anything that is not a valid IPv4 address
    if ($ipLong === false || $netLong === false) {
        return false;
    }

    // compare the first $mask bits of both addresses as 32-character bit strings
    $firstpart = substr(str_pad(decbin($netLong), 32, "0", STR_PAD_LEFT), 0, (int) $mask);
    $firstip   = substr(str_pad(decbin($ipLong), 32, "0", STR_PAD_LEFT), 0, (int) $mask);

    return (strcmp($firstpart, $firstip) == 0);
}

/* This function checks if an ip is in an array of nets (ip and mask) */
function isPrivateIP($theip)
{
    foreach (array("10.0.0.0/8",
                   "172.16.0.0/12",
                   "192.168.0.0/16") as $subnet)
    {
        list($net, $mask) = explode('/', $subnet);
        if (isIPInSubnet($theip, $net, $mask)) {
            return true;
        }
    }

    return false;
}

/* Building the ip array with the HTTP_X_FORWARDED_FOR and REMOTE_ADDR HTTP vars.
 * With this function we get an array where first are the ip's listed in
 * HTTP_X_FORWARDED_FOR and the last ip is the REMOTE_ADDR
 */
function getRequestIPs()
{
    $ipList = array();

    // the forwarded-for values arrive as request headers; only REMOTE_ADDR
    // is the address of the connection itself
    foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'REMOTE_ADDR') as $key) {
        if (isset($_SERVER[$key]) && $_SERVER[$key]) {
            // entries are separated by ", ", so trim the whitespace off each one;
            // no break here, so that REMOTE_ADDR always ends up last in the list
            $ipList = array_merge($ipList, array_map('trim', explode(',', $_SERVER[$key])));
        }
    }

    return $ipList;
}

/* try hard to determine what the user's/client's public IP address is */
function getRequestIP($allowPrivIPs = false)
{
    foreach (getRequestIPs() as $ip) {
        // skip empty or malformed entries
        if (ip2long($ip) === false) {
            continue;
        }

        if ($allowPrivIPs === true || !isPrivateIP($ip)) {
            return $ip;
        }
    }

    return 'unknown';
}



> thanks beforehand
> 

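
A stricter take on getRequestIP() above, as an added example that is not code from the thread: it applies Richard Lynch's point that anything the browser sends can be set by the sender, and reads X-Forwarded-For only when the connection comes from a proxy you run yourself. The function names, the trusted proxy range and the sample requests are assumptions made for illustration.

```php
<?php
// Added example (IPv4 only, 64-bit PHP assumed); the proxy range and the
// sample requests are constructed.

function ipv4InCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Netmask with the top $bits bits set; /0 matches every address.
    $mask = $bits === 0 ? 0 : (~((1 << (32 - $bits)) - 1)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrustedProxy(string $ip, array $trustedCidrs): bool
{
    foreach ($trustedCidrs as $cidr) {
        if (ipv4InCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer and is not taken from any header.
// X-Forwarded-For is consulted only when that peer is one of our own
// proxies, and is read right to left: the rightmost entry was appended by
// our proxy, anything further left may have been sent by the client.
function resolveClientIp(array $server, array $trustedCidrs): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (ip2long($peer) === false) {
        return 'unknown';
    }
    if (!isTrustedProxy($peer, $trustedCidrs) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection: ignore forwarded headers
    }
    $client = $peer;
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (ip2long($hop) === false) {
            break; // malformed entry: keep the last verified address
        }
        $client = $hop;
        if (!isTrustedProxy($hop, $trustedCidrs)) {
            break; // first hop that is not one of our proxies
        }
    }
    return $client;
}

$trusted = ['10.0.0.0/24']; // constructed: subnet of our reverse proxy
$samples = [
    'direct, header forged' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.168.1.100'],
    'proxied, fake entry prepended' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 198.51.100.23'],
    'proxied, no header' => ['REMOTE_ADDR' => '10.0.0.5'],
];
foreach ($samples as $label => $server) {
    printf("%-30s => %s\n", $label, resolveClientIp($server, $trusted));
}
```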