Introduce randomness in keypress timings

oshwm oshwm at openmailbox.org
Tue Oct 6 07:20:37 PDT 2015


On 06/10/15 14:57, Michał 'czesiek' Czyżewski wrote:
> On 10/06/2015 02:55 PM, Travis Biehn wrote:
>> It's sort of like voice biometrics - two people can share the same
>> 'feature set' but you and your attacker (the person who has your banking
>> password) are 'unlikely' to.
>>
>> It's not useful for positive identification by itself, out of that large
>> database there would be many collisions.
> True. But that's only one scenario in which such biometrics profiling
> could be used. I don't know of any bank that uses that, though. Anywhoo…
>
> Another worrying scenario is using keypress timings to profile netizens
> in addition to other ways of recognizing them (be it User-agent string,
> Adobe Flash player + system font list, HTML5 <canvas> element). I think
> we should try to think of ways to mitigate this attack.
>
> Thoughts?
>

keypress timings?

I'd modify the keyboard firmware to collate keys and feed them to the
OpSys with random time intervals between each key.
This would create a constantly changing profile of your keyboard usage
and prevent pinning it down to any one particular user.

The reason I'd go for the keyboard firmware is because it *may* stand
less chance of being modified by an "interested third party" than the
OpSys or Browser.

In terms of word timing and grammar, that's likely impossible to
mitigate at keyboard firmware level due to the time that a user would be
willing to wait for feedback from their typing and lack of grammatical
awareness of the keyboard firmware :)
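
The buffering idea in the message above, sketched as an added example that is not part of the original post or of any real keyboard firmware. The gap bounds, the function name jitter_schedule and the sample press times are assumptions, and the xorshift generator stands in for a hardware entropy source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GAP_MIN_MS 40u   /* assumed shortest gap between keys sent to the host */
#define GAP_MAX_MS 160u  /* assumed longest gap; bounds the delay per queued key */

/* Stand-in PRNG (xorshift32) so the example is repeatable; firmware would
   draw from a hardware entropy source instead. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rng_next(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* press[]: times (ms, ascending) at which keys were physically pressed.
   release[]: filled with the times the keys are handed to the host.
   Key order is preserved. Returns the worst delay added to any key. */
uint32_t jitter_schedule(const uint32_t *press, uint32_t *release, size_t n) {
    uint32_t prev = 0, worst = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t gap = GAP_MIN_MS + rng_next() % (GAP_MAX_MS - GAP_MIN_MS + 1u);
        /* A key waits behind the previous one while the queue is not empty.
           If the typist paused for longer than the queue took to drain, the
           pause still shows through: the limit noted for word timing. */
        uint32_t base = press[i] > prev ? press[i] : prev;
        release[i] = base + gap;
        if (release[i] - press[i] > worst) worst = release[i] - press[i];
        prev = release[i];
    }
    return worst;
}

/* Constructed sample: a fast burst, one key every 30 ms. */
static const uint32_t SAMPLE_PRESS[] = {0, 30, 60, 90, 120, 150, 180, 210};
#define SAMPLE_N (sizeof SAMPLE_PRESS / sizeof SAMPLE_PRESS[0])

int main(void) {
    uint32_t out[SAMPLE_N];
    uint32_t worst = jitter_schedule(SAMPLE_PRESS, out, SAMPLE_N);
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("pressed %3u ms -> sent %4u ms\n",
               (unsigned)SAMPLE_PRESS[i], (unsigned)out[i]);
    printf("worst added delay: %u ms\n", (unsigned)worst);
    return 0;
}
```

Within a burst the host sees only the random gaps, but the added delay grows with the length of the queue, which is the feedback-latency cost the message mentions.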

