Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome Extension Thwarts User Profiling Based On Typing Behavior

Posted by timothy on from the b-ut-Iuss^hually-type-liek-this dept.

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.

36 of 61 comments (clear)

  1. I dunno? by KGIII · · Score: 2

    Seems like a theoretical problem with a theoretical solution. Just because they found one mechanism does not mean that there is not another. Just because they were able to do it in a controlled environment does not mean that others can or will. It seems a lot of effort to actually get fairly trivial information. Most browsers are fairly uniquely fingerprinted anyhow. There are easier ways to track (and likely more certain ways) so this seems like a non-starter without more information and more prevalence.

    --
    "So long and thanks for all the fish."
    1. Re:I dunno? by The+MAZZTer · · Score: 1

      It's been proven a browser exposes a lot of personalized data. Low value data, such as, for example, the fonts installed on a machine, but it can be used to digitally fingerprint you.

    2. Re:I dunno? by martas · · Score: 4, Insightful

      this does not fingerprint the browser, it fingerprints the user. it doesn't matter if you switch browsers, or even computers, your typing patters remain the same, and potentially identifiable.

      --
      weinersmith
    3. Re:I dunno? by Anonymous Coward · · Score: 1

      https://panopticlick.eff.org/ shows you a few data points that can be used to profile browsers (fonts being one of them).

      Seems like Javascript is one giant profiling tool and the only way to even start fighting profiling is to disable it by default. Even then browsers still broadcast lots of data.

    4. Re:I dunno? by thorsheim · · Score: 1

      Lots of companies have products that allows you to do keystroke dynamics on their websites, and we've heard of several UK banks as an example actively using this today. Browsers are fairly uniquely fingerprinted. Keystroke dynamics fingerprints the HUMAN, so if you wipe all your cookies, change browser, change computer and change (IP) location, keystroke dynamics will still identify you.

    5. Re:I dunno? by thorsheim · · Score: 1

      Doesn't have to be Javascript, but being a very common thing around, its obviously the easy choice. Anything that can & will record & process your typing inside the DOM could to this afaik.

    6. Re:I dunno? by aaron4801 · · Score: 1

      "the Tor browser, which is supposed to guarantee anonymity."
      Dangerously incorrect. In fact, the start page makes this quite clear: "Tor is NOT all you need to browse anonymously! You may need to change some of your browsing habits to ensure your identity stays safe." The Tor Browser allows you to be anonymous, IF you follow some basic principles. Nothing is guaranteed.

    7. Re:I dunno? by fustakrakich · · Score: 1

      Yeah, I think they notice when I zoom in the page all the time. I keep getting ads for new reading glasses.

      --
      “He’s not deformed, he’s just drunk!”
    8. Re:I dunno? by KGIII · · Score: 1

      Those seem well and *potentially* good if you want to match a metric but they seem trivial to defeat in anything with any noise associated with it. I pause at random points and will sometimes return a half hour later and delete stuff. I am not saying that I can not be fingerprinted but I am saying that it would be difficult and there are much easier ways that are much more likely to succeed.

      --
      "So long and thanks for all the fish."
    9. Re:I dunno? by KGIII · · Score: 1

      You are on TOR. Turn off scripting.

      --
      "So long and thanks for all the fish."
    10. Re:I dunno? by KGIII · · Score: 1

      This still seems unlikely to be useful with the noise floor it would have. At least not by itself - maybe that is the intent.

      --
      "So long and thanks for all the fish."
    11. Re:I dunno? by thorsheim · · Score: 1

      Yeah, implementations do not operate with FAR/FRR rates, they focus on giving a confidence score to you, the operator. Based on that you decide what to do. Typically you won't deny access to anyone punch drunk typing in username + password correctly, but you will flag all transactions for manual control as an example. Coursera, an online training provider uses it when you signup for an account, and when you hand in any tests you've done for scoring.

    12. Re:I dunno? by thorsheim · · Score: 1

      Sure, and what we show is this technology specifically, not everything else.

  2. Complex signal analysis by Impy+the+Impiuos+Imp · · Score: 1

    That's mechanical use of keyboard, but you're also gonna need a phrase anyzer and commonizer. Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

    If you can tie a controversial anon to a known account like facebook, you can then go all SJW on him, outing them to their employer and getting them fired.

    I am less concerned about racist assholes than more general political opinions and so on.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Complex signal analysis by ArcadeMan · · Score: 3, Funny

      Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

      thats one more reason too never use capital letters or punctuation and too write with as many misteaks as u can including us1ng l33tsp34k

      --
      Get free satoshi (Bitcoin) and Dogecoins
    2. Re:Complex signal analysis by thorsheim · · Score: 1

      Valid points, lots of other features from your way of typing may aid in building an anonymous profile. Keystroke dynamics is just an addition to that, and the plugin blocks keystroke dynamics from being used to build & identify people (not browsers).

  3. A Chrome privacy extension by Anonymous Coward · · Score: 4, Funny

    The term "pissing in the ocean" comes to mind.

    1. Re:A Chrome privacy extension by thorsheim · · Score: 1

      Everybody does it, so why not be part of the movement?

  4. You typed too slow today by Anonymous Coward · · Score: 1

    Locked out of everything, hooray!

  5. Doing it wrong by wbr1 · · Score: 1
    If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

    Am I surprised that this can be done? No. But DO-NOT-ALLOW-SCRIPTS in your browser if you are truly attempting to be secure.

    --
    Silence is a state of mime.
    1. Re:Doing it wrong by PvtVoid · · Score: 2

      If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

      I don't think that Thorsheim was using Tor in an attempt at any actual security, but simply to isolate the effect of keyboard timings from other potential means of identifying the user. He was using Tor to create a controlled experiment.
       

    2. Re:Doing it wrong by thorsheim · · Score: 1

      Correct. There are also so many websites around where Javascript is required for the site to work. I wouldn't be surprised if quite a few Tor users allowed Javascript here and there. And it doesn't have to be done using Javascript either.

  6. Who cares by Anonymous Coward · · Score: 1

    Why would anyone use this spyware anyway? Just use Firefox, or even modern versions of IE is better

  7. Not random, constant timing by Anonymous Coward · · Score: 1

    Reading the article the extension does the right thing and actually modifies the timings to be constant (50ms between key presses by default). By setting the timings to always be the same, all users of the extension look identical. Adding random noise as it sounded like the summary was describing tends to be ineffective against timing attacks because it averages out.

    1. Re:Not random, constant timing by PvtVoid · · Score: 1

      Reading the article the extension does the right thing and actually modifies the timings to be constant (50ms between key presses by default). By setting the timings to always be the same, all users of the extension look identical.

      Which probably makes them even more identifiable, since it is unlikely that more than a tiny minority of Chrome users will use such an extension. This is a fundamental problem with this sort of thing: if you really want to be hard to identify, you want to make yourself look as much like the rest of the clueless rabble as possible. If only one user in ten thousand is loading themselves up with privacy extensions, it probably makes for an excellent fingerprint in and of itself.

    2. Re:Not random, constant timing by thorsheim · · Score: 2

      True & not true. The plugin randomizes (delays) the keypress inputs into the dom, you can change the values. We did consider doing everything constant as well as randomization. Difficult tradeoff. The main point is to lower/remove the risk of a profile being built and used.

    3. Re:Not random, constant timing by PvtVoid · · Score: 1

      The plugin randomizes (delays) the keypress inputs into the dom, you can change the values.

      This seems more reasonable. However, it's not obvious that this would not itself be a trackable signature, easily distinguished from actual human behavior.

  8. Re: Closed source? by DanJ_UK · · Score: 1

    What the blithering fuck are you on about?

    --
    - Dan
  9. Re: Closed source? by thorsheim · · Score: 1

    martas is correct.

  10. Anti tracking plugin for Chrome?? by Carewolf · · Score: 2

    Why would you make an anti-tracking feature for a browser only made to track you? Whatever you do you are still being tracked by default, that is the point of Chrome.

    1. Re:Anti tracking plugin for Chrome?? by Anonymous Coward · · Score: 1

      Because they also work on Chromium, the OS version which doesn't track you?

      Also, your point makes zero sense, as the adversaries are different: this add-on prevents websites in general from identifying you, not Google in particular.

    2. Re:Anti tracking plugin for Chrome?? by swillden · · Score: 1

      Whatever you do you are still being tracked by default, that is the point of Chrome.

      Do you have any evidence to back that claim up?

      There are a number of features in Chrome that optionally talk to Google. But you can change them all if you prefer. Do you have any proof that it "phones home" in any hidden way? It should be quite easy to prove; Wireshark is all you need.

      FWIW, I know some of the guys who started the Chrome project. Actually, they didn't start Chrome, they started V8. The point was to prove that Javascript engines could be orders of magnitude faster than they were, and to push the rest of the industry to get better, so Google's apps would be able to do more, faster. The rest of Chrome was just to show off V8. Then it became successful, both at pushing Javascript engines to get better, and as a popular browser, and Google started to use it as a test bed for other ideas about how to make the web "platform" better. Security improvements like certificate pinning. Performance (and security) improvements like SPDY and QUIC. UI simplifications like the omnibox (which geeks like to hate, but non-geeks love). Better development tools (though Firebug was and is quite good). And so on.

      I don't think "better tracking of users" has ever been a goal, stated or unstated, of the Chrome project. And, seriously, why would it? It's not like the normal web standards don't offer everything that's required for whatever tracking anyone would like to do.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  11. Re:Well... by thorsheim · · Score: 1

    UK banks, large online training site in the US, as just 2 examples known to use this today.

  12. Re:Or you could just turn off Java. by thorsheim · · Score: 2

    Java & Javascript. NOT the same thing!

  13. That's one solution by tehlinux · · Score: 4, Funny

    > by randomizing the rate at which characters reach the DOM

    Just do what IE11 does and randomly don't send some characters to the DOM.

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
  14. Re:Privacy extension provided without source code by thorsheim · · Score: 1

    the source code is right there, in front of your closed eyes.