Slashdot Mirror


Chrome Extension Thwarts User Profiling Based On Typing Behavior

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome, not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.

61 comments

  1. I dunno? by KGIII · · Score: 2

    Seems like a theoretical problem with a theoretical solution. Just because they found one mechanism does not mean that there is not another. Just because they were able to do it in a controlled environment does not mean that others can or will. It seems a lot of effort to actually get fairly trivial information. Most browsers are fairly uniquely fingerprinted anyhow. There are easier ways to track (and likely more certain ways) so this seems like a non-starter without more information and more prevalence.

    --
    "So long and thanks for all the fish."
    1. Re:I dunno? by The+MAZZTer · · Score: 1

      It's been proven a browser exposes a lot of personalized data. Low value data, such as, for example, the fonts installed on a machine, but it can be used to digitally fingerprint you.

    2. Re:I dunno? by martas · · Score: 4, Insightful

      this does not fingerprint the browser, it fingerprints the user. it doesn't matter if you switch browsers, or even computers, your typing patterns remain the same, and potentially identifiable.

    3. Re:I dunno? by Anonymous Coward · · Score: 1

      https://panopticlick.eff.org/ shows you a few data points that can be used to profile browsers (fonts being one of them).

      Seems like Javascript is one giant profiling tool and the only way to even start fighting profiling is to disable it by default. Even then browsers still broadcast lots of data.

    4. Re:I dunno? by Anonymous Coward · · Score: 0

      > https://panopticlick.eff.org/ shows you a few data points that can be used to profile browsers (fonts being one of them).
      >
      > Seems like Javascript is one giant profiling tool and the only way to even start fighting profiling is to disable it by default. Even then browsers still broadcast lots of data.

      Ultimately, if you're online, you're exposing yourself.

      No matter how many doors you close, there will always be other ways to find out something about you. It's simply not possible to do anything online without exposing something that could potentially be useful in the wrong hands.

      Sorry to sound fatalistic about it, but it's gone way beyond the point of "turn Javascript off to solve the problem". If you have a problem with this kind of data leaking from your browser, then you probably need to stop using a browser altogether.

    5. Re:I dunno? by Anonymous Coward · · Score: 0

      The guy proved this in the Tor browser, which is supposed to guarantee anonymity. He just figured out a way around the security measures.

      In fact, it is good that he could find it out before this technique is actually being used maliciously, this way no one gets harmed. Actually, we can't guarantee that it is not being used in one way or another silently to monitor people.

    6. Re:I dunno? by thorsheim · · Score: 1

      Lots of companies have products that allow you to do keystroke dynamics on their websites, and we've heard of several UK banks as an example actively using this today. Browsers are fairly uniquely fingerprinted. Keystroke dynamics fingerprints the HUMAN, so if you wipe all your cookies, change browser, change computer and change (IP) location, keystroke dynamics will still identify you.

    7. Re:I dunno? by thorsheim · · Score: 1

      Doesn't have to be Javascript, but being a very common thing around, it's obviously the easy choice. Anything that can & will record & process your typing inside the DOM could do this afaik.

    8. Re:I dunno? by aaron4801 · · Score: 1

      "the Tor browser, which is supposed to guarantee anonymity."
      Dangerously incorrect. In fact, the start page makes this quite clear: "Tor is NOT all you need to browse anonymously! You may need to change some of your browsing habits to ensure your identity stays safe." The Tor Browser allows you to be anonymous, IF you follow some basic principles. Nothing is guaranteed.

    9. Re:I dunno? by fustakrakich · · Score: 1

      Yeah, I think they notice when I zoom in the page all the time. I keep getting ads for new reading glasses.

      --
      “He’s not deformed, he’s just drunk!”
    10. Re:I dunno? by Anonymous Coward · · Score: 0

      Doesn't seem like a very theoretical problem. I am no security expert and I thought of this idea well over a decade ago. Only a fool would believe it's not part of the arsenal of anyone remotely interested in the things the NSA is interested in.

    11. Re:I dunno? by KGIII · · Score: 1

      Those seem well and *potentially* good if you want to match a metric but they seem trivial to defeat in anything with any noise associated with it. I pause at random points and will sometimes return a half hour later and delete stuff. I am not saying that I can not be fingerprinted but I am saying that it would be difficult and there are much easier ways that are much more likely to succeed.

      --
      "So long and thanks for all the fish."
    12. Re:I dunno? by KGIII · · Score: 1

      You are on TOR. Turn off scripting.

      --
      "So long and thanks for all the fish."
    13. Re:I dunno? by KGIII · · Score: 1

      This still seems unlikely to be useful with the noise floor it would have. At least not by itself - maybe that is the intent.

      --
      "So long and thanks for all the fish."
    14. Re:I dunno? by thorsheim · · Score: 1

      Yeah, implementations do not operate with FAR/FRR rates, they focus on giving a confidence score to you, the operator. Based on that you decide what to do. Typically you won't deny access to anyone punch drunk typing in username + password correctly, but you will flag all transactions for manual control as an example. Coursera, an online training provider, uses it when you sign up for an account, and when you hand in any tests you've done for scoring.

    15. Re:I dunno? by thorsheim · · Score: 1

      Sure, and what we show is this technology specifically, not everything else.

  2. Closed source? by Anonymous Coward · · Score: 0

    Where is the licensing agreement?

    1. Re:Closed source? by Anonymous Coward · · Score: 0

      No chrome extension is closed source. go open it you clueless clod.

    2. Re: Closed source? by Anonymous Coward · · Score: 0

      It may not be closed source but it certainly is spyware. Whatever happened to don't be evil? They threw that one out once they sold their soul to the stock exchange.

    3. Re: Closed source? by DanJ_UK · · Score: 1

      What the blithering fuck are you on about?

      --
      - Dan
    4. Re: Closed source? by thorsheim · · Score: 1

      martas is correct.

    5. Re:Closed source? by Anonymous Coward · · Score: 0

      AC asked about a license, not access to the source code. If you think the availability of source code implies anything about the licensing agreement, you are the problem with open source.

    6. Re: Closed source? by Anonymous Coward · · Score: 0

      1) open up source code
      2) read LICENCE file

  3. Well... by pruedz · · Score: 0

    Smart solution for a problem that actually does not exist?

    1. Re:Well... by thorsheim · · Score: 1

      UK banks, large online training site in the US, as just 2 examples known to use this today.

  4. Complex signal analysis by Impy+the+Impiuos+Imp · · Score: 1

    That's mechanical use of keyboard, but you're also gonna need a phrase analyzer and commonizer. Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

    If you can tie a controversial anon to a known account like facebook, you can then go all SJW on him, outing them to their employer and getting them fired.

    I am less concerned about racist assholes than more general political opinions and so on.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Complex signal analysis by ArcadeMan · · Score: 3, Funny

      > Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

      thats one more reason too never use capital letters or punctuation and too write with as many misteaks as u can including us1ng l33tsp34k

    2. Re:Complex signal analysis by Anonymous Coward · · Score: 0

      except then no one will take you seriously.

    3. Re:Complex signal analysis by Anonymous Coward · · Score: 0

      > thats one more reason too never use capital letters or punctuation and too write with as many misteaks as u can including us1ng l33tsp34k

      ai tink u missspeld dis. id shud b missteakz.

    4. Re:Complex signal analysis by thorsheim · · Score: 1

      Valid points, lots of other features from your way of typing may aid in building an anonymous profile. Keystroke dynamics is just an addition to that, and the plugin blocks keystroke dynamics from being used to build & identify people (not browsers).

    5. Re: Complex signal analysis by Anonymous Coward · · Score: 0

      Plus having this extension installed adds to your browser fingerprint...

  5. A Chrome privacy extension by Anonymous Coward · · Score: 4, Funny

    The term "pissing in the ocean" comes to mind.

    1. Re:A Chrome privacy extension by thorsheim · · Score: 1

      Everybody does it, so why not be part of the movement?

  6. You typed too slow today by Anonymous Coward · · Score: 1

    Locked out of everything, hooray!

  7. Or you could just turn off Java. by Anonymous Coward · · Score: 0

    Simple problem, simple solution.

    1. Re:Or you could just turn off Java. by thorsheim · · Score: 2

      Java & Javascript. NOT the same thing!

  8. Wouldn't this be better on a Tor browser? by Anonymous Coward · · Score: 0

    I don't order my crack and guns using Chrome.

    1. Re:Wouldn't this be better on a Tor browser? by Anonymous Coward · · Score: 0

      Does seem interesting that the guy started with the Chrome browser, especially considering the business model of that company.

    2. Re:Wouldn't this be better on a Tor browser? by Anonymous Coward · · Score: 0

      I guess my comment about google isn't going to post.

  9. Doing it wrong by wbr1 · · Score: 1

    If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

    Am I surprised that this can be done? No. But DO-NOT-ALLOW-SCRIPTS in your browser if you are truly attempting to be secure.

    --
    Silence is a state of mime.
    1. Re:Doing it wrong by PvtVoid · · Score: 2

      > If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

      I don't think that Thorsheim was using Tor in an attempt at any actual security, but simply to isolate the effect of keyboard timings from other potential means of identifying the user. He was using Tor to create a controlled experiment.

    2. Re:Doing it wrong by thorsheim · · Score: 1

      Correct. There are also so many websites around where Javascript is required for the site to work. I wouldn't be surprised if quite a few Tor users allowed Javascript here and there. And it doesn't have to be done using Javascript either.

  10. Who cares by Anonymous Coward · · Score: 1

    Why would anyone use this spyware anyway? Just use Firefox, or even modern versions of IE are better.

  11. Good work by Anonymous Coward · · Score: 0

    Instead, sites will be able to identify him as one of the 25 people in the country who use this extension.

    1. Re:Good work by Anonymous Coward · · Score: 0

      Is there an extension for that?

  12. Demo site by Anonymous Coward · · Score: 0

    www.behaviosec.com.

    A little known, little used site is able, after some training, to identify a person from a very small pool of users. I dunno. Employ this on a very busy site with thousands of users, and then we can see how accurate it is.

  13. Not random, constant timing by Anonymous Coward · · Score: 1

    Reading the article the extension does the right thing and actually modifies the timings to be constant (50ms between key presses by default). By setting the timings to always be the same, all users of the extension look identical. Adding random noise as it sounded like the summary was describing tends to be ineffective against timing attacks because it averages out.

    1. Re:Not random, constant timing by PvtVoid · · Score: 1

      > Reading the article the extension does the right thing and actually modifies the timings to be constant (50ms between key presses by default). By setting the timings to always be the same, all users of the extension look identical.

      Which probably makes them even more identifiable, since it is unlikely that more than a tiny minority of Chrome users will use such an extension. This is a fundamental problem with this sort of thing: if you really want to be hard to identify, you want to make yourself look as much like the rest of the clueless rabble as possible. If only one user in ten thousand is loading themselves up with privacy extensions, it probably makes for an excellent fingerprint in and of itself.

    2. Re:Not random, constant timing by thorsheim · · Score: 2

      True & not true. The plugin randomizes (delays) the keypress inputs into the dom, you can change the values. We did consider doing everything constant as well as randomization. Difficult tradeoff. The main point is to lower/remove the risk of a profile being built and used.

    3. Re:Not random, constant timing by PvtVoid · · Score: 1

      > The plugin randomizes (delays) the keypress inputs into the dom, you can change the values.

      This seems more reasonable. However, it's not obvious that this would not itself be a trackable signature, easily distinguished from actual human behavior.

    4. Re:Not random, constant timing by Anonymous Coward · · Score: 0

      Why not simply wait until the text input field loses focus, then deliver all of the text at once, as if it had been pasted into the field?
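
The trade-off argued in this sub-thread (random per-key delay versus a fixed release interval) can be checked with a small simulation. This is an added example, not code from the extension or from any commenter; the two typing profiles, the 15 ms jitter, the 60 ms maximum delay and the buffered fixed-pace model are all constructed assumptions.

```javascript
// Constructed model: mean inter-key latency (ms) per digraph position.
const PROFILES = {
  alice: [120, 180, 140, 210, 160, 130],
  bob: [150, 140, 190, 170, 125, 185],
};

// Small seeded PRNG so the simulation is repeatable.
function mulberry32(a) {
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const gaussian = (rng) => Math.sqrt(-2 * Math.log(1 - rng())) * Math.cos(2 * Math.PI * rng());

// One typed sample: the user's mean latency plus natural jitter (sd 15 ms).
const typeSample = (means, rng) => means.map((m) => m + 15 * gaussian(rng));

// Defence A: each key is held for an independent random delay in [0, maxDelay).
// The clamp keeps keys in order; an interval can never be negative.
function randomDelay(intervals, rng, maxDelay) {
  const d = Array.from({ length: intervals.length + 1 }, () => rng() * maxDelay);
  return intervals.map((t, i) => Math.max(0, t + d[i + 1] - d[i]));
}

// Defence B (assumed model): keys are buffered and released at a fixed spacing.
const constantPace = (intervals, paceMs) => intervals.map(() => paceMs);

// Position-wise mean over many samples, as a profiler accumulates over time.
const average = (samples) =>
  samples[0].map((_, i) => samples.reduce((s, x) => s + x[i], 0) / samples.length);
const distance = (a, b) => a.reduce((s, x, i) => s + Math.abs(x - b[i]), 0) / a.length;
const nearest = (observed, enrolled) =>
  Object.keys(enrolled).reduce((best, name) =>
    distance(observed, enrolled[name]) < distance(observed, enrolled[best]) ? name : best);

function runExperiment(seed = 1, sessions = 200) {
  const rng = mulberry32(seed);
  const collect = (name, n, defence) =>
    average(Array.from({ length: n }, () => defence(typeSample(PROFILES[name], rng))));
  const raw = (x) => x; // enrolment on undefended typing
  const enrolled = { alice: collect('alice', 50, raw), bob: collect('bob', 50, raw) };
  const evaluate = (defence) => {
    const a = collect('alice', sessions, defence);
    const b = collect('bob', sessions, defence);
    return { alice: nearest(a, enrolled), bob: nearest(b, enrolled), separation: distance(a, b) };
  };
  return {
    randomDelay: evaluate((x) => randomDelay(x, rng, 60)),
    constantPace: evaluate((x) => constantPace(x, 50)),
  };
}
```

`runExperiment()` returns, for each defence, which enrolled profile each user's averaged sessions match and the `separation` between the two users' observed timings. A separation of 0 under the fixed pace means the two users cannot be told apart from each other; it says nothing about whether the uniform timing itself marks them as users of the defence, which is the objection raised in the replies.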

  14. Nonsensical by Anonymous Coward · · Score: 0

    There's something truly backward about the web if we have to go back to plain old web pages because of all this.

    vive la links!!

  15. Anti tracking plugin for Chrome?? by Carewolf · · Score: 2

    Why would you make an anti-tracking feature for a browser only made to track you? Whatever you do you are still being tracked by default, that is the point of Chrome.

    1. Re:Anti tracking plugin for Chrome?? by Anonymous Coward · · Score: 1

      Because they also work on Chromium, the OS version which doesn't track you?

      Also, your point makes zero sense, as the adversaries are different: this add-on prevents websites in general from identifying you, not Google in particular.

    2. Re:Anti tracking plugin for Chrome?? by Anonymous Coward · · Score: 0

      "prevents websites"
      No, websites in general don't gather any significant data on their own. They don't even need it. Google on the other hand, and other companies like it, have access to millions of websites that help them gather that important data.

    3. Re: Anti tracking plugin for Chrome?? by Anonymous Coward · · Score: 0

      The only plugin chrome needs is the shitcan.

    4. Re:Anti tracking plugin for Chrome?? by swillden · · Score: 1

      > Whatever you do you are still being tracked by default, that is the point of Chrome.

      Do you have any evidence to back that claim up?

      There are a number of features in Chrome that optionally talk to Google. But you can change them all if you prefer. Do you have any proof that it "phones home" in any hidden way? It should be quite easy to prove; Wireshark is all you need.

      FWIW, I know some of the guys who started the Chrome project. Actually, they didn't start Chrome, they started V8. The point was to prove that Javascript engines could be orders of magnitude faster than they were, and to push the rest of the industry to get better, so Google's apps would be able to do more, faster. The rest of Chrome was just to show off V8. Then it became successful, both at pushing Javascript engines to get better, and as a popular browser, and Google started to use it as a test bed for other ideas about how to make the web "platform" better. Security improvements like certificate pinning. Performance (and security) improvements like SPDY and QUIC. UI simplifications like the omnibox (which geeks like to hate, but non-geeks love). Better development tools (though Firebug was and is quite good). And so on.

      I don't think "better tracking of users" has ever been a goal, stated or unstated, of the Chrome project. And, seriously, why would it? It's not like the normal web standards don't offer everything that's required for whatever tracking anyone would like to do.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  16. That's one solution by tehlinux · · Score: 4, Funny

    > by randomizing the rate at which characters reach the DOM

    Just do what IE11 does and randomly don't send some characters to the DOM.

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
    1. Re:That's one solution by Anonymous Coward · · Score: 0

      I don't tink that's true.

  17. Privacy extension provided without source code by Anonymous Coward · · Score: 0

    The irony...

    1. Re:Privacy extension provided without source code by thorsheim · · Score: 1

      the source code is right there, in front of your closed eyes.