Tor Users Can Be Tracked Based On Their Mouse Movements

An anonymous reader writes: The way you move your mouse is unique, like fingerprints, and can be used by dark forces to track you on supposedly anonymous and secure networks like Tor, according to a Barcelona researcher. Because the Tor Project has failed to address a ten-month-old issue regarding "time measurement via JavaScript," there are a series of user fingerprinting techniques that are quite accurate at identifying users based on their mouse movements, scrolling speed, and how their browser and hardware reacts to certain JavaScript code. If a user visits a "fingerprinting" website via Tor and then via a normal browser, an attacker can have a general idea about their identity and can even pinpoint them to real IPs. The data that is usually logged in fingerprinting schemes is not 100% reliable or accurate for that matter, but it provides a starting point for future investigations.

Guess it's time to

[cdsparrow]

Start using a trackpad when you use websites you don't wanna be tracked on. Oh and maybe reduce your browser's processor priority so it reacts differently to their time based snooping. Oh and first post maybe?

Re:Guess it's time to

[bloodhawk]

I would imagine trackpads are vulnerable to the exact same fingerprinting techniques. browser priority is unlikely to have any significant effect on timing and tracking of these events and it would be an absolute pain in the arse.

Re:Guess it's time to

[cdsparrow]

Yeah, not sure if the priority would work unless you also ran something else taking up lots of processor. But if you use a mouse on one set of sites and a trackpad, trackball, or probably just a different DPI setting on your mouse, it would make the pointer tracking hard to pin down...

Re:Guess it's time to

Why not use TrackPoint?

Re:Guess it's time to

[wierd_w]

I'd say the solution is to fight fire with fire.

Javascript is able to catch, and also to trigger, events like mouseclick.

So, just have a plugin that injects a random delay on mouse click, with a slider.

BOOM. Fingerprinting busted.

Re:Guess it's time to

More like it's time to not use JavaScript when trying to preserve a modicum of anonymity. Does Tor Browser still ship with NoScript installed - but totally disabled by default? Because that was the stupidest decision in the history of the Tor project.

Re:Guess it's time to

[ShanghaiBill]

I would imagine trackpads are vulnerable to the exact same fingerprinting techniques.

What Cdsparrow is saying is that you use a trackpad on Tor, and use a mouse for normal browsing. Both can be fingerprinted, but they won't be the same fingerprint. When I want to arrange a major drug deal, or hire an assassin, I use a different computer (a second hand Chromebook that I bought for cash), and I connect through a public WiFi. It has a trackpad, a different browser, and a much slower CPU than my desktop.

Re:Guess it's time to

This attack depends on the cpu cache. Basically, it selectively forces things out of the CPU cache and then watches what happens. The last paper I read on it required some tuning, but I would be surprised if it wasn't possible to monitor keystrokes as well as mouse movements.

The original paper only applied to Intel processors because of details of how the cache worked. I suspect it could be made to apply to AMD processor as well, but I don't know if the same set of code could do both.

Re:Guess it's time to

When I want to arrange a major drug deal, or hire an assassin, I use a different computer (a second hand Chromebook that I bought for cash), and I connect through a public WiFi.

Just so you know, the way you stated that doesn't sound very hypothetical... ;)

Re:Guess it's time to

[Z00L00K]

Or use the other hand, same strategy as when applying "The Stranger".

Re:Guess it's time to

[invictusvoyd]

What about professor Hawking ?

Re:Guess it's time to

[KGIII]

Block scripting and don't use Tor like a proxy? Stay on domain names that end with .onion. Don't use it on "clearnet" for anything. Do not let scripting run unless you're damned sure you can trust them or you really want that access. Tor's actually still really safe so long as the user reasonably smart about practicing safe hex. Just because it blocks some things does not mean it blocks everything. The user still needs to watch out for data spillage.

Re:Guess it's time to

It's just smoke screen. Now the feds will search for a Chromebook when gp actually uses a ipad.

Re:Guess it's time to

Just run it in a VM using a clear GUI focus grabbing script. Mouse events would be be sent using postmessage.

Re:Guess it's time to

I'd say the solution is fight fire with fire, but take the lead.
You know who the organization is that would track you. They do it because they think of you as a potential enemy and if you were to go to the same lengths they do they are probably willing to kill you.
Kill them first, then you don't have to do things that degrades your computer just to avoid being tracked.

Re:Guess it's time to

if you use a trackpad on tor and a mouse on your trackable system how is that important?

Re:Guess it's time to

[Big+Hairy+Ian]

I only use Tor on touch sensitive devices anyway

Re:Guess it's time to

[houghi]

Obviously you need to change the MAC address. The hard part will be not being caught by cameras. Then do it all scripted. e.g. wake up on time X, run the script that changes the mac, connects, sends the messages, recieves the message, shutdown.

For future contact I would use Usenet. Encrypt the message, so it is not readable by everybody. As only the receiver should have the key, he or she will be the only one reading it.
There is no direct link between you and the person receiving it. He could be sitting next to you or on the other side of the world. Post it inside images that others will download for their content in the correct group and they can not follow up on who is downloading it at all. Am I downloading nudes and the hidden message as a result or am I interested in the message and have to download a nude persons image.

Why scripted? That way when you time it correctly, you can have it in your backpack or pocket or anywhere, while you walk around. If it is cheap enough, you could dump it in the trash, where it will activate at time X, do its thing, turn off and be send to the dump.

Not sure what the cheapest wireless device would be that could run a decent script to do this and has an auto-on function in its bios.

Re:Guess it's time to

I would imagine trackpads are vulnerable to the exact same fingerprinting techniques.

What Cdsparrow is saying is that you use a trackpad on Tor, and use a mouse for normal browsing. Both can be fingerprinted, but they won't be the same fingerprint. When I want to arrange a major drug deal, or hire an assassin, I use a different computer (a second hand Chromebook that I bought for cash), and I connect through a public WiFi. It has a trackpad, a different browser, and a much slower CPU than my desktop.

secondhand chromebook bought using pennies filched from give-a-penny-take-a-penny locations with no surveillance cameras, public wifi on a different continent than my home continent, trackpad, different browser, slower cpu and I operate the computer entirely with my left foot wearing an aluminum foil sock and a snowshoe used only for obfuscation purposes. When I'm done I, destroy the snowshoe & sock, thoroughly wash my foot with paprika and wear shoe 3 sizes too small whilst traveling back home.

Noscript.

[sims+2]

This one of the reasons why they should have never left noscript off by default.

Re:Noscript.

[Jack+Griffin]

Makes no difference, we're all fucked. Technology is now reaching a point where humans cannot compete with machines.
Your cell phone provider already has enough info to know everywhere you are at any point in time, who your friends and family are, who you call and how often. Google knows all your web habits, and what you hobbies are, and you bank knows every cent you spend, where and on what. And this info is freely bought and sold to marketing companies and other bad actors. It only takes one slip to connect a name to this data and your life is captured on record forever. We need to start preparing for a non-private reality, than try to hang onto any semblance of privacy we think we still have. Even as I type this some algorithm somewhere has already tied my writing style to all my other web aliases and is connecting me to my real identity.
Privacy is dead.

Re:Noscript.

Dude, you just fucking turn off javascript. Every one of these things results from server code being implicitly trusted and run on the client. STOP THAT fffff

Re:Noscript.

[Aighearach]

According to his user number he was born yesterday, and will continue believing that privacy is dead until he graduates from college and gets his own place to live.

Then there is some small, remote chance of discovering that where you shop was never really private, and that you want your bank to know what you spent money on, or else you'd have used cash. And that if you avoid specific behaviors, you get a lot-lot-lot less junk mail than less paranoid people.

If it is private, don't put it on the internet. If it is private, don't leave it on your porch. Don't give your phone number to a store just because you shopped there. (just say "no thank you" when they ask you for your number)

Google knows a lot about most people, but thankfully they don't sell that information. Or send junk mail. Or call your telephone. Or talk about you. Hopefully for your sake, your bank is also traditional like that.

Re:Noscript.

Well spoken sir....

AC but getting there, september of 87.

Re:Noscript.

This is one of the reasons they profile more than just javascript...

Lets see here... the time it takes to send an ACK for a given SYN... whether the OS uses various patterns of TCP/IP.

You are naive.

Re:Noscript.

Even as I type this some algorithm somewhere has already tied my writing style to all my other web aliases and is connecting me to my real identity. Privacy is dead.

happens if What you it through run translation Google times a few?

Re:Noscript.

[Ace17]

What a load of crap.
Your privacy seems to be dead, yeah. That's your problem ; especially if you did it by stupidly giving away private information to random private corporations.

Just don't believe that we all share your privacy-killing way of life.

Use Tor, disable javascript by default, only use free-software, don't bring your cellphone everywhere you go (and keep it turned off most of the time), use email encryption, and don't stay logged in gmail/google when you browse the web!

But maybe, you would prefer that privacy were actually dead, because that would allow you to rationalize that you made the right choices accepting these intrusive behaviours from private corporations, now that you have become dependent on the convenience they provide..

Re:Noscript.

But maybe, you would prefer that privacy were actually dead, because that would allow you to rationalize that you made the right choices accepting these intrusive behaviours from private corporations, now that you have become dependent on the convenience they provide..

This. This all day.

Re:Noscript.

Have you ever tried to find a needle in a haystack?
Now i know what you're going to say. "But anonymous coward, computers are fast!"
Well yes they are, sonny jim. But searching takes time and knowing that something is relevant isn't something you get for free. What all the intelligence agencies inevitably find after their massive, all encroaching data collection binges is that no matter how much data they collect, none of it contains the magic 'bad guy' flag they were hoping would give them all a medal and a parade and return time to the 1950s when Brill cream was all you needed to get laid*.

Truth is, If such a thing could exist, they'd be out of a job in seconds.

* possibly just your grandfather's Alzheimers playing up. Also it just occurred to me that Axe body spray is the Brill cream of the 2000s.

Re:Noscript.

[dbIII]

According to his user number he was born yesterday

A real name as a login is a bit of a major clue for that as well.

Why do kids do that today?

Unless you are a public figure that treats stuff you write here as carefully as a press release it is a very bad move to use your real name as a login.

Re:Noscript.

[jandersen]

Use Tor, disable javascript by default, only use free-software, don't bring your cellphone everywhere you go (and keep it turned off most of the time), use email encryption, and don't stay logged in gmail/google when you browse the web!

All of which may seem good advice, but then again, being invisible on the net is such an unusual thing nowadays that this in itself may attract unwelcome attention.

Re:Noscript.

[BlackPignouf]

Your cell phone provider already has enough info to know everywhere you are at any point in time, who your friends and family are, who you call and how often. Google knows all your web habits, and what you hobbies are, and you bank knows every cent you spend, where and on what.

Actually, if you have an Android phone or if you use Gmail, Google knows all of this.

Re:Noscript.

[Jack+Griffin]

Use X, disable Y, only use Z, don't bring A everywhere, use B, and don't stay C

Oh right, that's freedom right there...

But maybe, you would prefer that privacy were actually dead, because that would allow you to rationalize that you made the right choices accepting these intrusive behaviours from private corporations, now that you have become dependent on the convenience they provide..

Oh ok then. Ignore the facts, blame me instead...

Re:Noscript.

[drinkypoo]

Privacy is dead.

You're absolutely right, and this is why I (after others) have been railing about how we need to build a society where it doesn't matter if your information comes out rather than worrying about how to keep it private. There's no putting the cat back in the bag, and we're going to either build that society or fail miserably because the tech eliminates all other possibilities.

Re:Noscript.

Ah, but who's to say that's his real name? It may sound like, or even be, a real name, but how could we know it's his?

- Jonathan Gary Humphreys

Re:Noscript.

[Falos]

You can't win, but you can muck it up. Fortunately, the involved systems will usually be indirectly connected at best, or outright competitors, or the data certainly exists in two piles but the draw'able conclusions from their overlap can't be made because the two data dumps aren't compatible (yet).

It's kind of like how the last bastion for commoners is the supercompanies (and governments) holding each other back. Or kind of like living with an incurable disease, but one of symptoms you can somewhat respond to.

As time passes, yes, these lines will blur. It's bad now, it'll be worse later. And culture won't adapt at the same pace, culture tends to need generations to repropagate.

Re:Noscript.

I have no cell phone and type URLs directly, don't use ISP or Google DNS

Gee Fucking Whiz

"time measurement via JavaScript,"

There's like a dozen betters ways to track someone using javascript.

If a tor user has javascript on, they should assume they're not anonymous.

Re:Gee Fucking Whiz

Absolutely right. I keep seeing stories about how TOR users can be tracked . . . and they always involve javascript . . . what gives? Perhaps the headline should read "javascript users can be tracked by mouse movements?"

If there was a story about people being tracked by network analysis of TOR traffic, or some other novel means, that would be news.

1. Use the Tor Browser Bundle to access .onion sites
2. Check that noscript is set to block all javascript in the Tor Browser. (it might not default to block all)
3. Don't use the Tor browser to access any site other than .onion sites.

Re:Gee Fucking Whiz

[Sarten-X]

That's really the crux of the issue.

Frankly, TFS sounds like an anonymous reader's pet bug hasn't gotten the attention he feels it deserves, so he submitted it to Slashdot to make it a bigger deal. Ultimately, though, it boils down to user error.

Fixing an information leak is effectively making a blacklist for particular attack vectors. It's never going to be complete. The only way to actually ensure that an anonymizing method works is for the user to ensure that he's behaving anonymously. If that means using a different input mechanism, then do that. If it means a different browser, and ensure you only visit different sites, then do that. There's no software that can replace good opsec practices.

Re:Gee Fucking Whiz

[Aighearach]

There's like a dozen betters ways to track someone using javascript.

It depends if you're tracking them as they browse, or by analyzing the logs afterwards.

Re:Gee Fucking Whiz

[Aighearach]

Yeah but if you're not on Tor, you're not doing anything illegal and you're not worried about tracking of that sort because normally of course the remote server knows your IP and everything, and there are a zillion potential logs or whatever in the middle.

If you're on Tor for free speech, of course you don't care because you're not there for privacy; you're there to disguise your activities from local observation of the network. You already have to trust the remote server not to tattle to your government in that case.

Re:Gee Fucking Whiz

[Raenex]

If you're on Tor for free speech, of course you don't care because you're not there for privacy; you're there to disguise your activities from local observation of the network. You already have to trust the remote server not to tattle to your government in that case.

This comment makes no sense. Of course you want privacy for free speech if you're using TOR, and the whole point of TOR is to prevent the server or anybody else from identifying you.

Re:Gee Fucking Whiz

[Aighearach]

... the whole point of TOR is to prevent the server or anybody else from identifying you.

Nope, complete fail. You can just google tor and find out what it is, who funded it, what it is for, all that stuff. You don't have to just go with whatever somebody told you in a chat room.

Re:Gee Fucking Whiz

[Raenex]

The "complete fail" is on your part. First you misunderstand TOR, then you come back with conspiracy theories. You're all over the map.

Re:Gee Fucking Whiz

[Aighearach]

It is a US government-funded thing, sorry. That was the whole point; people who wish they had our laws, can get on Tor and their network experience happens as if they live here. So that they can engage in free speech for political and creative purposes that are banned in their countries.

It was not invented to hide from the US Gubermint. It was invented for people who wish they had our Freedoms, and all it does is hide their activities from their ISP and State-sponsored firewall. It is up to them to hide their face from the video surveillance at their web cafe. The server would be using for these speech activities would generally be located in some western country in the offices of some ex-pat group from their country, except for where they're just using it to access mainstream international news.

There is no conspiracy theory involved. This is all stuff you would find out if you went and looked it up .

As for the technical details of where the logs are expected to be and where not, you didn't actually say anything other than "hurr durr ur wrong."

Re:Gee Fucking Whiz

[Raenex]

The server would be using for these speech activities would generally be located in some western country in the offices of some ex-pat group from their country, except for where they're just using it to access mainstream international news.

But the whole point of TOR is that the server doesn't know who the real TOR user is. So your original statement "You already have to trust the remote server not to tattle to your government in that case." doesn't make any sense.

There is no conspiracy theory involved. This is all stuff you would find out if you went and looked it up .

I didn't need to look it up because I already knew the origins of TOR. What you don't understand is that while it may have come out of the US government, it's a neutral protocol.

As for the technical details of where the logs are expected to be and where not, you didn't actually say anything other than "hurr durr ur wrong."

Then follow your own advice and look it up. This is basic info. But here, let me spoon feed you: https://www.torproject.org/abo...

"Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going."

Re:Gee Fucking Whiz

[Aighearach]

No no no, you have to go read technical documents first, since you don't understand the subject in detail already. Then, after having done that, you'll know which servers to expect to have which information.

Where you say "the server doesn't know," you didn't even just reference a specific server. Lets put this in logical terms:

Some servers know who Tor users are. Some servers do not know who Tor users are. Therefore, "the server" doesn't know who the Tor user is. T/F

Yes, you really do need to look things up before attempting to tell sysadmins they are wrong about network infrastructure. They might be wrong, it happens; but if you didn't just look it up, you don't even know. A sysadmin faced with a technical dispute would look it up, and you can be sure that I have.

So your only source of information is whatever it says on the about page of the project? You didn't bother even with wikipedia? You know an "about" page isn't technical details, right? Everything on that page is consistent with what I said, but it isn't technical; it uses broad generalities that do not attempt to uncover the actual detail of the semantics of who knows what. You don't consider that everybody they mention as groups using it are the same people that I mention as the groups the government built it to support. ;) You got lost in the phrasing of the PR, instead of looking up the technical, non-PR explanations of how it works, where it came from, why, etc.

Re:Gee Fucking Whiz

[Raenex]

Holy shit, dude, just admit you don't know what the fuck you are talking about. You've got the fog machine on full blast. You made a mistake, you were corrected, deal with it.

...a starting point for future investigations...

[turkeydance]

internet access.

Re:...a starting point for future investigations..

They should close the internet and put up a for sale sign.

I don't see it.

[h33t+l4x0r]

Good luck catching pedophiles with that.

Re:I don't see it.

They don't have to. They just have to parade some "experts" in front of a jury and say they're pretty sure they matched your mouse movement to a pedo. Sort of like how the FBI handles hair analysis. If the government wants you gone, this is just another tool in the toolbox.

Re:I don't see it.

[Z00L00K]

If the government wants you gone they just use the IRS (or whatever the local variant is called where you live).

That's how they took down Al Capone.

Re:Crouching Microsoft, Hidden Patents

[wierd_w]

APK is that you?

By the way you keep cross posting this, one would think that MS has patented the HOSTS file or something.

Paranoia Will Distrory Ya...

[Frosty+Piss]

You know, there are LOTS of little things that are particular to a particular person that can ID you if tracked. You can be tracked by your farts is the peroper telemitry is in place. Mouse movments? I choose not to be that paranoid.

Re:Paranoia Will Distrory Ya...

and after the wikileaks spyfiles release and all of the software/hardware shown being sold to governments around the world TO BUG US ALL, hey you're right, it's just tin foil paranoia.

bullshit.

NoScript?

[orledrat]

I know nothing, but doesn't The Official Tor Browser have NoScript enabled by default?

Re:NoScript?

Freenet is a bit more paranoid than that. They don't even let the JS tags hit the browser.

Re:NoScript?

The Tor Browser has four "security levels". At the default (low) level, NoScript is set to "allow scripts globally". Now you know.

Possible solutions

[93+Escort+Wagon]

- Change hands every so often
- Manually alter your mouse's tracking and acceleration settings to different values before starting Tor

Re:Possible solutions

[killkillkill]

- Change hands every so often

I do, but I find it too difficult to use the mouse while I'm using my right had.

Re:Possible solutions

[Z00L00K]

Foot-control of the mouse maybe? Oh! Never mind, it will be a sticky mouse!

Re:Possible solutions

I recommend ambidexterity for both your problems here.

(Captcha: Gigantic)

Re:Possible solutions

- Change hands every so often

Yea, That's it! That is the reason I use the mouse with my left hand when I am watching porn.

Re:Possible solutions

Possible solutions: don't use the mouse at all?

Am I the only one who scrolls with the arrow keys and PgUp/PgDn? Uses the tab key to focus a textbox?

Low tech solution

[TapeCutter]

Replace your mouse pad with rough sandpaper, randomly rotate sandpaper before a new session. The spooks will be looking for a group of terrorists with Parkinson's disease, plus it keeps your mouse feet clean!

Re:Low tech solution

Simpler solution - Always use TOR with your non-dominant hand.

Re:Low tech solution

[x0ra]

my dominant hand is busy doing something else...

I have a Dell laptop...

so this probably won't work on me! The mouse movement is so jerky and unreliable that there's no way the readings could be reliable.

Re:I have a Dell laptop...

It forces us to buy service contracts since they're so unreliable and wear out so quickly.

Yes but so what?

[goombah99]

So i don't understand yet why one cares about this attack. I can see edge cases but I'm not sure I see the main threat but this may be due to my ignorance about how ToR works.

Here's the issue. Suppose the user visits the following three web sites.
1. Mao Mao Mao, via tor, a site secretly run by the chinese military that fingerprints Tor User
2. Falun Gong Spy Network using tor, but not controlled by the chinese miltary
3. Communist party phone directory, not on Tor but using fingerprinting.

So clearly they can connect 1 and 3. But how can they spot 2? And it's only 2 they care about.

The edge case would be if they were to run some entrapment site that was offering illicit reading material that would attract Falun Gong curious people. Then they could ID these wanna-be thought crimminals. But I don't see how they are going to spot the people visiting the hard core (site 2) site.
   

Re:Yes but so what?

[Aighearach]

Who cares? Perverts trying to hide from the FBI after they bust a child porn server and are trying to identify people from the logs.

And, and people who want to see the perverts burn also care.

You're right, for freedom of speech under oppressive regimes (the main purpose of Tor) it is not a big deal.

In your scenario though, you'd care a lot if #2 got busted and they had the server logs. But that is true anyways, the content needs to be in a safe country. That is the whole Tor system. So it is only people doing things that are illegal in "western" countries that are at significant risk.

Re:Yes but so what?

So clearly they can connect 1 and 3. But how can they spot 2? And it's only 2 they care about.

I assume it would be easy if they monitor some mid point between the exit node and the Falun Gong site. If the connection is unencrypted an injected script would be enough.

Re:Yes but so what?

Hopefully #2 wont be keeping mouse movement logs?! The only reasonable way for them to catch people would be to keep the website going in a compromised state

Silly paranoia

The likelihood of this being used in any real life situation/court seems pretty low. Technically it is an exploit, but for practical purposes it's not really an exploit.

Poor results

[manu0601]

Ubercookie did a poor job as reconnecting my identities when surfing in normal and private modes. Only two numbers in clientRect match, everything else is different.

Jitter Plugin

[brian.stinar]

Well, I guess it's time to write a jitter plugin for Chrome. It's going to make using the browser with jitter enabled sort of like trying to perform a delicate operation after five or six beers, but without the false confidence, or everything's-funny, added benefits of beer...

The one guy using Tor with Parkinson's is going to have a lot of problems pretty soon.

Just Leave A 2nd Mouse Plugged In.

[zenlessyank]

Problem solved.

Tor browser uses NoScript 'On' as default.

Only an idiot would activate javascript white using tor.

nonsense

[slashmydots]

The Tor Browser, by default, does not use any form of javascript.

Oh just use Windows 10.

I heard it's hella tite.

There are no silver bullets

[Lally+Singh]

I don't know who's dumb enough to be surprised that any technology can singularly solve a problem as large as privacy.
Tor solves the network connection problem, moderately well. There's more to privacy than that, and it's ridiculous to expect Tor to solve that all by itself.

Big surprise! If you use tor to log into facebook, facebook knows who you are! Where's the outrage?!?!

Re:There are no silver bullets

[Aighearach]

If you ... log into facebook, facebook knows who you are! Where's the outrage?!?!

Actually, I hear people belly-aching about that all the time!

not that great at identification

While mouse movements (and typing speed, and word length statistics, and a variety of other things) are not too bad for authentication (e.g. verifying you are who you say you are), they're not very good for identifying a person from a database of a lot of people.

For authentication, mouse dynamics, typing dynamics, prosody, etc. are all about 80% for "equal error rate".. that is about 10% of the time it will authenticate someone else as you, and about 10% it will reject you. So they work great for stuff like preventing you from "loaning" your porn password to your friends. They don't mouse or type like you, most of the time.

But if you're doing "who is this", against a database of thousands of people, you're going to get tons of false hits.

Yeah, not so much

[Snotnose]

I use a laptop. I like my laptop in my lap, my mouse movements probably have 2-3 patterns (just got up, working on the first coffee, been up a while). Then my cat discovers my lap and the laptop moves to some combination of my right leg (stupid cat insists my left leg is the only one worth sleeping on) and my right armchair leg. It changes every time the cat jumps up, as I'm reminded every time I use fingerprint recognition to login.

When in the office, did I ride my bike to work or drive? Cafeteria opens at 8, have I had breakfast yet or not? Did I push myself climbing Lusk or just put my head down and grind? Did I drink too much last night and drove like grandma, or drive like normal?

And yeah, in my web browsers JS is disabled by default, ads are blocked, and Java isn't installed.

No script

[invictusvoyd]

and how their browser and hardware reacts to certain JavaScript code

perlin noise

You just need a browser plug-in to inject perlin noise into the coordinates that javascript sees.

Oh god damn it

At a previous job I worked on mouse prediction for precaching and thought "There's no way this can ever be used for evil!"

In further news

i know it was you, you're the only left handed badger fetishist in the office!

What do you mean there are others?!

Okay

[JustAnotherOldGuy]

Okay, now that's just creepy and more than a little unsettling.

Not worried

Until a court rules that a subpoena can be granted based on an algorithmic computation of a fingerprint based on mouse movements, cpu behaviours and.... by this time the judge has tuned out and thrown your geek ass out of court.

It is all subject to court interpretation. And judges (unless you shop them well) tread lightly on technical stuff they do not understand. Who wants a record of granting warrants which are later overturned.

Even if he did grant this, you would likely toss the warrant on appeal and all the fruit from this search will be thrown out as you can argue the mouse movement "fingerprint" is not personal identifying information.

use mouse with other hand

[roc97007]

just sayin'...

same as masturbation

some ibbs users complain about using certain images, maybe imaging robots seek specific topics by a given type of image.

Javascript in Tor...

Why are people running javascript in their tor browsers again? That shit should be disabled, there are too many vectors to reveal your identity to ever "safely" use javascript whilst attempting to achieve anonymity.

Re:Javascript in Tor...

[is7s]

Tor comes with NoScript turned on, but that breaks almost all sites these days.

Looking at it the wrong way

[dbIII]

That was needed because the FBI at the time was corrupt but Capone had not thought of bribing the IRS.
Others such as the scientologists have taken care of that angle as well as the law enforcement angle.

use the other hand

use mouse on the other hand to when using tor.

right handed use left hand when using tor.

nein!

i knew drawing imaginary swasticas while browsing web pages would be my undoing!

also signing off with

hitler did nothing wrong

is probably problematic aswell

Vim plugin

I thought the Tor browser's default state had javascript disabled by default, so this vulnerability should only affect Tor users who deviate from the default settings (or use a different browser). Perhaps one mitigation would be to use a vim-like plugin that lets you follow links from the keyboard, though this would only be effective if a lot of people did it.

I imagine I would be identified by...

[John+Allsup]

I imagine I would be identified by my hardly using the mouse. I tend to use the keyboard unless I have to use the pointer. In addition, if I had a touchscreen, I would be using that where possible. But the basic fix in the browser is something like we see with Android, but on a per-site basis: if your javascript wants access to timing information, it needs explicit permission.

Noscript

How about us geeks who always browse the TOR network using "Noscript"?

Hasn't been addressed?

[dantose]

You realize that "noscript" thing that's on by default keeps javascript from running, which in turn keeps javascript from tracking you this way. If requiring intentional disabling of that feature wasn't enough, as i recall, there is a warning about scripts on startup. It's about as well addressed as a vulnerability can be.

Don't shit in your kitchen

Also, don't visit the same sites with and without tor. And disable javascript wherever possible. The FBI has injected javacsript malware into many sites (including slashdot!) to exploit browser bugs and break security. Actually, slashdot works better without javascript!

Randomize Mouse Sensitivity

Just write a script that randomizes your mluses sensitivity every second or so. That shksho hld throw off your style enough to not allow tracking.

no

Tor users can be identified by the way they walk

use the other hand

you know one for poop, the other for food and hand shacking

just keep in mind that they can still relate your anonymous sessions