Introduce randomness in keypress timings
Michał 'czesiek' Czyżewski
czesiek at hackerspace.pl
Tue Oct 6 06:57:47 PDT 2015
On 10/06/2015 02:55 PM, Travis Biehn wrote:
> It's sort of like voice biometrics - two people can share the same
> 'feature set' but you and your attacker (the person who has your banking
> password) are 'unlikely' to.
>
> It's not useful for positive identification by itself, out of that large
> database there would be many collisions.
True. But that's only one scenario in which such biometrics profiling
could be used. I don't know of any bank that uses that, though. Anywhoo…
Another worrying scenario is using keypress timings to profile netizens
in addition to other ways of recognizing them (be it User-agent string,
Adobe Flash player + system font list, HTML5 <canvas> element). I think
we should try to think of ways to mitigate this attack.
Thoughts?
--
czesiek