Introduce randomness in keypress timings

Michał 'czesiek' Czyżewski czesiek at hackerspace.pl
Tue Oct 6 06:57:47 PDT 2015


On 10/06/2015 02:55 PM, Travis Biehn wrote:
> It's sort of like voice biometrics - two people can share the same
> 'feature set' but you and your attacker (the person who has your banking
> password) are 'unlikely' to.
> 
> It's not useful for positive identification by itself, out of that large
> database there would be many collisions.

True. But that's only one scenario in which such biometrics profiling
could be used. I don't know of any bank that uses that, though. Anywhoo…

Another worrying scenario is using keypress timings to profile netizens
in addition to other ways of recognizing them (be it User-agent string,
Adobe Flash player + system font list, HTML5 <canvas> element). I think
we should try to think of ways to mitigate this attack.

Thoughts?

-- 
czesiek
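
A sketch of the idea in the thread's subject line, added here as an illustration and not part of the original message: key events are held and released after a random delay, so a page that records key timings sees inter-key intervals that differ from the typist's real ones. The function names, the delay bound and the sample timestamps are assumptions constructed for this example.

```javascript
// Added illustration; names, parameters and sample data are hypothetical.

// Inter-key intervals (ms) between consecutive key-down timestamps.
// This is the kind of feature a keystroke profiler compares across sessions.
function intervals(ts) {
  return ts.slice(1).map((t, i) => t - ts[i]);
}

// Hold each key event and release it after a random delay in
// [0, maxDelayMs). An event is never released before the one preceding
// it, so the typed text keeps its order. `rand` returns a value in [0, 1);
// Math.random is only the default here, and a deployed version should
// draw from a CSPRNG such as crypto.getRandomValues().
function jitter(ts, maxDelayMs, rand = Math.random) {
  let last = -Infinity;
  return ts.map((t) => {
    last = Math.max(t + rand() * maxDelayMs, last);
    return last;
  });
}

// Mean absolute difference between two interval vectors of equal length:
// how far the observed rhythm is from the typist's real rhythm.
function rhythmDistance(a, b) {
  return a.reduce((sum, x, i) => sum + Math.abs(x - b[i]), 0) / a.length;
}

// Constructed sample: key-down times (ms) for one short typed word.
const typed = [0, 50, 130, 400, 455, 610];

// Compare the real rhythm with what an observer would record.
function demo(maxDelayMs = 200) {
  const released = jitter(typed, maxDelayMs);
  return {
    real: intervals(typed),
    observed: intervals(released),
    distance: rhythmDistance(intervals(typed), intervals(released)),
    worstLatency: Math.max(...released.map((r, i) => r - typed[i])),
  };
}
```

A larger delay bound hides more of the rhythm but adds up to that much input lag. Because the added noise averages out, an observer who collects many samples can still estimate mean intervals, so this reduces the signal rather than removing it.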
