Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Saturday August 01 2015, @02:54AM   Printer-friendly
from the way-I-type-I'm-not-surprised dept.

Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online.

The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity.

The prospect of widely available databases that identify users based on subtle differences in their typing was unsettling enough to researchers Per Thorsheim and Paul Moore that they have created a Chrome browser plugin that's designed to blunt the threat. The plugin caches the input keystrokes and after a brief delay relays them to the website in at a pseudo-random rate. Thorsheim, a security expert who organizes the annual PasswordsCon conference, and Moore, an information security consultant at UK-based Urity Group, conceived the plugin after thinking through all the ways the typing profiles could be used to compromise online anonymity.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by Ethanol-fueled on Saturday August 01 2015, @03:04AM

    by Ethanol-fueled (2792) on Saturday August 01 2015, @03:04AM (#216619) Homepage

    " After a training session that typically takes less than 10 minutes, "

    Bahaha.

    " Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity. "

    Yeah, what is getting drunk, getting high, drinking too much coffee, not drinking enough coffee, being stressed-out, waking up first thing in the morning? People type exactly the same way at all times?

    "...they have created a Chrome browser plugin that's designed to blunt the threat. "

    If somebody's running Chrome then they have bigger surveillance problems than keystrokes. Why not write for a browser that matters?

  • (Score: 4, Informative) by kadal on Saturday August 01 2015, @03:04AM

    by kadal (4731) on Saturday August 01 2015, @03:04AM (#216620)

    Chrome Extension here: https://chrome.google.com/webstore/detail/keyboard-privacy/aoeboeflhhnobfjkafamelopfeojdohk/related [google.com]

    More description here: https://paul.reviews/behavioral-profiling-the-password-you-cant-change/ [paul.reviews]

    Firefox extension coming soon apparently.

    --

    This was typed with the extension enabled. Woot! SN can't track me now! Woot!

  • (Score: 5, Insightful) by Anonymous Coward on Saturday August 01 2015, @03:05AM

    by Anonymous Coward on Saturday August 01 2015, @03:05AM (#216622)

    Of course, the website has no way to actually get that information unless the user has enabled javascript, which is a terrible idea with Tor anyway. So if you were already being smart and not enabling any javascript while using Tor, this attack would be completely useless.

    • (Score: 2) by Marand on Saturday August 01 2015, @03:42AM

      by Marand (1081) on Saturday August 01 2015, @03:42AM (#216632) Journal

      Came to say the same thing. Yet another reason to start with something like NoScript and a blacklist-by-default policy, as if advertiser misuse and various other JS abuses weren't already enough.

      • (Score: 2) by mtrycz on Saturday August 01 2015, @03:05PM

        by mtrycz (60) on Saturday August 01 2015, @03:05PM (#216768)

        Is "blacklist-by-default" an elaborate way to say "whitelist"?

        --
        In capitalist America, ads view YOU!
        • (Score: 2) by Marand on Saturday August 01 2015, @06:01PM

          by Marand (1081) on Saturday August 01 2015, @06:01PM (#216801) Journal

          Is "blacklist-by-default" an elaborate way to say "whitelist"?

          Not exactly. I'm not sure about other blockers, but NoScript's only method of operation is a whitelist. However, it also has settings to automatically whitelist certain domains, such as "temporarily allow top-level sites by default" and "allow sites opened through bookmarks". The last time I checked, NoScript's default settings were very lenient, sacrificing security for convenience by starting with those options checked.

          So, by saying "blacklist by default", I was suggesting that NoScript be used with those convenience settings disabled so that it blacklists all JS on all sites by default. That way, it only allows JS if the user has explicitly whitelisted the domain. The user then takes full control (and responsibility) for JS execution, rather than risk being surprised later.

    • (Score: 0) by Anonymous Coward on Saturday August 01 2015, @06:42AM

      by Anonymous Coward on Saturday August 01 2015, @06:42AM (#216674)

      Tor really should default to no JavaScript. It's crazy it doesn't. Now using tor only flags yourself interesting while still leaving you open for attack... And if you disable it yourself, you stick out like a sore thumb. I wonder if this is by design considering the origin...

      This is a powerful argument for a no js default, so is the older Rowhammer story here https://soylentnews.org/article.pl?sid=15/07/28/1350234 [soylentnews.org] and e.g. https://panopticlick.eff.org/. [eff.org] I bet these are just the tip of the iceberg.

      • (Score: 0) by Anonymous Coward on Sunday August 02 2015, @12:56AM

        by Anonymous Coward on Sunday August 02 2015, @12:56AM (#216901)

        Recent versions of the tor browser have Javascript controlled on a site-by-site basis through the noscript extension. By default, it's disabled.

        (it hasn't always [wilderssecurity.com] been that way)

    • (Score: 2) by Justin Case on Saturday August 01 2015, @11:36AM

      by Justin Case (4239) on Saturday August 01 2015, @11:36AM (#216724) Journal

      Yes. This is ridiculous. If you have Javascript enabled for all websites, you are either clueless, or you don't care.

      Tor will not save people who are clueless or don't care. Neither will anything else. There are no silver bullets in privacy / security.

  • (Score: 1, Funny) by Anonymous Coward on Saturday August 01 2015, @03:07AM

    by Anonymous Coward on Saturday August 01 2015, @03:07AM (#216623)

    Anonymous Sam I am

  • (Score: 3, Interesting) by K_benzoate on Saturday August 01 2015, @03:14AM

    by K_benzoate (5036) on Saturday August 01 2015, @03:14AM (#216626)

    I don't doubt that there's some very weak signal hidden in all that noise, nor do I doubt that it could be extracted under ideal conditions. Many techniques which work in a laboratory setting (or equivalent) aren't useful "in the field". And this could be thwarted by typing a message into a text editor first, and then copypasting the entire thing at once and submitting it. Also, I'm not sure how you're going to get your timing measurement code to work without any form of script running in the webpage--disabling scripting is SOP for using Tor.

    Prose analyses is probably a better bet if you're hot to deanonymize people in this style. Anyone who has read a lot of work from one author knows that there are certain words, phrases, and sentence structures which come up over and over again. Some authors are more susceptible than others (I'm looking at you, Neal Stephenson) but everyone does it to some extent. We all have a unique subset vocabulary out of the space of possible words in our language.

    --
    Climate change is real and primarily caused by human activity.
    • (Score: 0) by Anonymous Coward on Saturday August 01 2015, @04:20AM

      by Anonymous Coward on Saturday August 01 2015, @04:20AM (#216639)

      Prose analyses is probably a better bet if you're hot to deanonymize people in this style. Anyone who has read a lot of work from one author knows that there are certain words, phrases, and sentence structures which come up over and over again. Some authors are more susceptible than others (I'm looking at you, Neal Stephenson) but everyone does it to some extent. We all have a unique subset vocabulary out of the space of possible words in our language.

      Not every message will reflect that, especially simple ones. And people often copy phrases and text from others. Furthermore, it would be easy enough to fix this and perhaps randomize your messages in certain ways to fool it.

      • (Score: 2) by K_benzoate on Saturday August 01 2015, @04:40AM

        by K_benzoate (5036) on Saturday August 01 2015, @04:40AM (#216645)

        Vulnerability to prose analyses increases as the corpus of text increases in size. So if there's an anonymous account that's been posting ISIS propaganda, for example, and you've got several thousand words you can then try to match that up with public profiles and see if there are any people with that writing style. It's more beneficial if you already have narrowed down a list of suspects. It's also useful to determine if more than one person is contributing under the same anonymous profile.

        --
        Climate change is real and primarily caused by human activity.
        • (Score: 0) by Anonymous Coward on Saturday August 01 2015, @03:22PM

          by Anonymous Coward on Saturday August 01 2015, @03:22PM (#216769)

          Vulnerability to prose analyses increases as the corpus of text increases in size.

          Again, trivially bypassed.

          Many things affect people's minds. Are they drunk? Are they tired? Are they angry? Are they sad? Any number of things could reduce the effectiveness of "prose analysis". How much scientific consensus is there that prose analysis is even effective?

        • (Score: 2) by Phoenix666 on Saturday August 01 2015, @05:58PM

          by Phoenix666 (552) on Saturday August 01 2015, @05:58PM (#216799) Journal

          You have made some really good points, but I would say that prose style is easily copied. It's like actors who do impressions of famous people. When they're good at it you know exactly who they're aping. Same thing for prose. I've heard David Sedaris do it well, and others too.

          It's not likely that somebody would bother learning your style unless you were famous, but if someone, an agency, wanted to frame you it wouldn't be all that hard.

          --
          Washington DC delenda est.
    • (Score: 3, Informative) by MichaelDavidCrawford on Saturday August 01 2015, @07:00AM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday August 01 2015, @07:00AM (#216679) Homepage Journal

      My father - who had a Top Secret clearance - once told me that the Soviets knew how to transcribe your text if you typed it with an IBM Selectric. He was permitted to use them but only in a windowless, soundproof room.

      He preferred to write by hand with a pen then get his secretary to type it up.

      The delay between the keypress and the type ball striking the paper is distinctly different for each character.

      If the Soviets could do that by bouncing a low-intensity infrared laser off his office window so as to "hear" his typing by the vibrations of the glass, I figure I myself could write the code described in this article in about a day.

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 2, Insightful) by unzombied on Saturday August 01 2015, @04:20AM

    by unzombied (4572) on Saturday August 01 2015, @04:20AM (#216638)

    can then determine with a high degree of certainty

    That's the first red flag.

    profiles act as a sort of digital fingerprint

    And there's #2. Those are vague marketing phrases trying to convince, not specific research terms to inform.

    • (Score: 0) by Anonymous Coward on Saturday August 01 2015, @04:38AM

      by Anonymous Coward on Saturday August 01 2015, @04:38AM (#216642)

      I have at least 5 different typing styles. Probably more.

      It depends on my posture. Am I sitting up, laying on the couch. On my laptop? On my desktop? On my tablet?

    • (Score: 0) by Anonymous Coward on Saturday August 01 2015, @09:20AM

      by Anonymous Coward on Saturday August 01 2015, @09:20AM (#216712)
  • (Score: 2) by kurenai.tsubasa on Saturday August 01 2015, @04:43AM

    by kurenai.tsubasa (5227) on Saturday August 01 2015, @04:43AM (#216647) Journal

    Well, fsck. But we already knew this. This is just a more in-depth method. How else did the various Federalist and Anti-Federalist papers get matched to their various authors?

    I am Publuis!

  • (Score: 2) by FakeBeldin on Saturday August 01 2015, @06:39AM

    by FakeBeldin (3360) on Saturday August 01 2015, @06:39AM (#216673) Journal

    However, if you use Tor to connect to Facebook and then login, rumour has it that Facebook will know who you are!!
    </sarcasm>

    If you give the web site you're visiting personal information (username and password, or typing rhythm, or an iris scan, etc.), don't be surprised if they can use that to re-identify you another time. Nothing Tor can do about that.

  • (Score: 2) by hendrikboom on Sunday August 02 2015, @09:21PM

    by hendrikboom (1125) Subscriber Badge on Sunday August 02 2015, @09:21PM (#217110) Homepage Journal

    For my passwords, I'd want the timing measurements transmitted unchanged, so it would be a little harder for someone else to impersonate me. For people I want to impersonate, please turn it off.