Introduce randomness in keypress timings
Hi all,
so, as we all know, Big Brothers tend to use keypress timings to identify users on the Net. This of course leads to a question: are there ways to introduce randomness in keypress timings?
I imagine a Linux kernel module that could be doing this, for instance. Anybody heard of anything like this?
There are things like All is Text: https://addons.mozilla.org/pl/firefox/addon/its-all-text/
But this is not really a solution, rather a work-around (for instance it does not solve the problem for multiple browsers).
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
Rysiek, https://en.wikipedia.org/wiki/Keystroke_dynamics
We may first want to understand the minimum resolution that timing requires. Keypress events can be randomized within this interval.
Another track: 170WPM ~= 42000 KPH ~= 11 KPS
So, maybe we have 90ms delay on average between keystrokes for a speed typist.
I didn't realize you could use keystroke analysis to identify one person out of a pool of millions, rather, that a certain keystroke pattern matches as best a certain subset of users but it wouldn't be valuable/practical for positive identification. Text analysis is probably a way more useful signal.
In for more details,
-Travis
On Mon, Oct 5, 2015 at 11:50 AM, rysiek <rysiek@hackerspace.pl> wrote:
> Hi all,
> so, as we all know, Big Brothers tend to use keypress timings to identify users on the Net. This of course leads to a question: are there ways to introduce randomness in keypress timings?
> I imagine a Linux kernel module that could be doing this, for instance. Anybody heard of anything like this?
> There are things like All is Text: https://addons.mozilla.org/pl/firefox/addon/its-all-text/
> But this is not really a solution, rather a work-around (for instance it does not solve the problem for multiple browsers).
> -- Regards, Michał "rysiek" Woźniak
> I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
-- Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com> | Google Plus <https://plus.google.com/+TravisBiehn>
On Monday, 5 October 2015 12:26:17 you wrote:
> Rysiek, https://en.wikipedia.org/wiki/Keystroke_dynamics
> We may first want to understand the minimum resolution that timing requires. Keypress events can be randomized within this interval.
> Another track: 170WPM ~= 42000 KPH ~= 11 KPS
> So, maybe we have 90ms delay on average between keystrokes for a speed typist.
Right.
> I didn't realize you could use keystroke analysis to identify one person out of a pool of millions, rather, that a certain keystroke pattern matches as best a certain subset of users but it wouldn't be valuable/practical for positive identification. Text analysis is probably a way more useful signal.
> In for more details,
https://paul.reviews/behavioral-profiling-the-password-you-cant-change/ http://www.behaviosec.com/technology/demos/
I am still trying to wrap my head around it.
-- Regards, Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
It's sort of like voice biometrics - two people can share the same 'feature set' but you and your attacker (the person who has your banking password) are 'unlikely' to.
It's not useful for positive identification by itself, out of that large database there would be many collisions.
The content of text that you type, the words you use and your grammatical structure contain more identifying bits.
-Travis
On Tue, Oct 6, 2015 at 8:03 AM, rysiek <rysiek@hackerspace.pl> wrote:
> On Monday, 5 October 2015 12:26:17 you wrote:
>> Rysiek, https://en.wikipedia.org/wiki/Keystroke_dynamics
>> We may first want to understand the minimum resolution that timing requires. Keypress events can be randomized within this interval.
>> Another track: 170WPM ~= 42000 KPH ~= 11 KPS
>> So, maybe we have 90ms delay on average between keystrokes for a speed typist.
> Right.
>> I didn't realize you could use keystroke analysis to identify one person out of a pool of millions, rather, that a certain keystroke pattern matches as best a certain subset of users but it wouldn't be valuable/practical for positive identification. Text analysis is probably a way more useful signal.
>> In for more details,
> https://paul.reviews/behavioral-profiling-the-password-you-cant-change/ http://www.behaviosec.com/technology/demos/
> I am still trying to wrap my head around it.
> -- Regards, Michał "rysiek" Woźniak
> I am changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
-- Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com> | Google Plus <https://plus.google.com/+TravisBiehn>
On Tue, Oct 06, 2015 at 08:55:58AM -0400, Travis Biehn wrote:
> It's sort of like voice biometrics - two people can share the same 'feature set' but you and your attacker (the person who has your banking password) are 'unlikely' to.
> It's not useful for positive identification by itself, out of that large database there would be many collisions.
> The content of text that you type, the words you use and your grammatical structure contain more identifying bits.
Agreed. This might deserve another thread, but is there "English obfuscation for dummies for non-native speakers/writers?" In my native language I suspect can spoof at least one dialect, but in English I am pretty sure I make linkable to me Tpelling/Arammar mistakes. Possible solution might be using relatively small set of words and some Normal Form, but this shows you are using it.
On 10/06/2015 02:55 PM, Travis Biehn wrote:
> It's sort of like voice biometrics - two people can share the same 'feature set' but you and your attacker (the person who has your banking password) are 'unlikely' to.
> It's not useful for positive identification by itself, out of that large database there would be many collisions.
True. But that's only one scenario in which such biometrics profiling could be used. I don't know of any bank that uses that, though. Anywhoo…
Another worrying scenario is using keypress timings to profile netizens in addition to other ways of recognizing them (be it User-agent string, Adobe Flash player + system font list, HTML5 <canvas> element). I think we should try to think of ways to mitigate this attack.
Thoughts?
-- czesiek
On 06/10/15 14:57, Michał 'czesiek' Czyżewski wrote:
> On 10/06/2015 02:55 PM, Travis Biehn wrote:
>> It's sort of like voice biometrics - two people can share the same 'feature set' but you and your attacker (the person who has your banking password) are 'unlikely' to.
>> It's not useful for positive identification by itself, out of that large database there would be many collisions.
> True. But that's only one scenario in which such biometrics profiling could be used. I don't know of any bank that uses that, though. Anywhoo…
> Another worrying scenario is using keypress timings to profile netizens in addition to other ways of recognizing them (be it User-agent string, Adobe Flash player + system font list, HTML5 <canvas> element). I think we should try to think of ways to mitigate this attack.
> Thoughts?
keypress timings? I'd modify the keyboard firmware to collate keys and feed them to the OpSys with random time intervals between each key. This would create a constantly changing profile of your keyboard usage and prevent pinning it down to any one particular user.
The reason I'd go for the keyboard firmware is because it *may* stand less chance of being modified by an "interested third party" than the OpSys or Browser.
In terms of word timing and grammar, that's likely impossible to mitigate at keyboard firmware level due to the time that a user would be willing to wait for feedback from their typing and lack of grammatical awareness of the keyboard firmware :)
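The buffer-and-release idea from the message above (queue key presses, hand them to the host in order with random gaps) can be simulated in a few lines of C. This is an added example, not code from any poster in the thread; the function names, the 10-60 ms gap range, the PRNG and the sample press times are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* xorshift32 keeps the demo repeatable; real firmware needs an
 * unpredictable source, or the jitter can be modelled and removed. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Hypothetical helper: queue key presses and release them in order.
 * release[i] = max(press[i], release[i-1]) + uniform[min_gap, max_gap] ms */
void jitter_schedule(const uint32_t *press, uint32_t *release, size_t n,
                     uint32_t min_gap, uint32_t max_gap, uint32_t seed) {
    uint32_t prev = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t base = press[i] > prev ? press[i] : prev;
        release[i] = base + min_gap + xorshift32(&seed) % (max_gap - min_gap + 1);
        prev = release[i];
    }
}

/* Worst added delay between pressing a key and the host seeing it. */
uint32_t max_latency(const uint32_t *press, const uint32_t *release, size_t n) {
    uint32_t worst = 0;
    for (size_t i = 0; i < n; i++)
        if (release[i] - press[i] > worst) worst = release[i] - press[i];
    return worst;
}

int main(void) {
    /* Constructed sample: press times in ms, roughly 90 ms apart. */
    const uint32_t press[] = {0, 85, 190, 270, 365, 450};
    uint32_t out[6];
    jitter_schedule(press, out, 6, 10, 60, 0x2545F491u);
    for (size_t i = 1; i < 6; i++)
        printf("typed gap %3u ms -> host sees %3u ms\n",
               (unsigned)(press[i] - press[i - 1]), (unsigned)(out[i] - out[i - 1]));
    printf("worst added latency: %u ms\n", (unsigned)max_latency(press, out, 6));
    return 0;
}
```

When the queue is empty a key's release time still tracks its press time, so a slow typing rhythm passes through with only plus or minus (max_gap - min_gap) of noise; during a fast burst the queue fills and the added latency grows with every key.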
On Mon, Oct 05, 2015 at 05:50:08PM +0200, rysiek wrote:
> Hi all,
> so, as we all know, Big Brothers tend to use keypress timings to identify users on the Net. This of course leads to a question: are there ways to introduce randomness in keypress timings?
Very partial mitigation might be to type the text in editor, select and copy it and then paste or middle click. This likely will leak info about your hardware and the fact you use it. IIRC I read paper about analyzing the way users use their mice. Probably this leaks more info about the user, not sure.
On 10/06/2015 09:44 AM, Georgi Guninski wrote:
> Very partial mitigation might be to type the text in editor, select and copy it and then paste or middle click.
There are browser extensions that do that, although they probably were meant to solve another problem (i.e. let's use my fav text editor to write this long piece in a form). rysiek was linking to: https://addons.mozilla.org/pl/firefox/addon/its-all-text/ (also "set editor=…" setting in ~/.vimperatorrc)
> This likely will leak info about your hardware
How so?
> IIRC I read paper about analyzing the way users use their mice. Probably this leaks more info about the user, not sure.
Vimperator is king, I agree. Unfortunately not a viable option for many.
-- czesiek
participants (5)
- Georgi Guninski
- Michał 'czesiek' Czyżewski
- oshwm
- rysiek
- Travis Biehn