Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tor Users Can Be Tracked Based On Their Mouse Movements (softpedia.com)

Posted by BeauHD on from the click-bait dept.

An anonymous reader writes: The way you move your mouse is unique, like fingerprints, and can be used by dark forces to track you on supposedly anonymous and secure networks like Tor, according to a Barcelona researcher. Because the Tor Project has failed to address a ten-month-old issue regarding "time measurement via JavaScript," there are a series of user fingerprinting techniques that are quite accurate at identifying users based on their mouse movements, scrolling speed, and how their browser and hardware reacts to certain JavaScript code. If a user visits a "fingerprinting" website via Tor and then via a normal browser, an attacker can have a general idea about their identity and can even pinpoint them to real IPs. The data that is usually logged in fingerprinting schemes is not 100% reliable or accurate for that matter, but it provides a starting point for future investigations.

17 of 109 comments (clear)

  1. Guess it's time to by cdsparrow · · Score: 3, Interesting

    Start using a trackpad when you use websites you don't wanna be tracked on. Oh and maybe reduce your browser's processor priority so it reacts differently to their time based snooping. Oh and first post maybe?

    1. Re:Guess it's time to by bloodhawk · · Score: 4, Interesting

      I would imagine trackpads are vulnerable to the exact same fingerprinting techniques. browser priority is unlikely to have any significant effect on timing and tracking of these events and it would be an absolute pain in the arse.

    2. Re:Guess it's time to by ShanghaiBill · · Score: 4, Informative

      I would imagine trackpads are vulnerable to the exact same fingerprinting techniques.

      What Cdsparrow is saying is that you use a trackpad on Tor, and use a mouse for normal browsing. Both can be fingerprinted, but they won't be the same fingerprint. When I want to arrange a major drug deal, or hire an assassin, I use a different computer (a second hand Chromebook that I bought for cash), and I connect through a public WiFi. It has a trackpad, a different browser, and a much slower CPU than my desktop.

    3. Re:Guess it's time to by KGIII · · Score: 2

      Block scripting and don't use Tor like a proxy? Stay on domain names that end with .onion. Don't use it on "clearnet" for anything. Do not let scripting run unless you're damned sure you can trust them or you really want that access. Tor's actually still really safe so long as the user reasonably smart about practicing safe hex. Just because it blocks some things does not mean it blocks everything. The user still needs to watch out for data spillage.

      --
      "So long and thanks for all the fish."
    4. Re:Guess it's time to by houghi · · Score: 3, Insightful

      Obviously you need to change the MAC address. The hard part will be not being caught by cameras. Then do it all scripted. e.g. wake up on time X, run the script that changes the mac, connects, sends the messages, recieves the message, shutdown.

      For future contact I would use Usenet. Encrypt the message, so it is not readable by everybody. As only the receiver should have the key, he or she will be the only one reading it.
      There is no direct link between you and the person receiving it. He could be sitting next to you or on the other side of the world. Post it inside images that others will download for their content in the correct group and they can not follow up on who is downloading it at all. Am I downloading nudes and the hidden message as a result or am I interested in the message and have to download a nude persons image.

      Why scripted? That way when you time it correctly, you can have it in your backpack or pocket or anywhere, while you walk around. If it is cheap enough, you could dump it in the trash, where it will activate at time X, do its thing, turn off and be send to the dump.

      Not sure what the cheapest wireless device would be that could run a decent script to do this and has an auto-on function in its bios.

      --
      Don't fight for your country, if your country does not fight for you.
  2. Noscript. by sims+2 · · Score: 5, Interesting

    This one of the reasons why they should have never left noscript off by default.

    --
    Minimum threshold fixed. Thanks!
    1. Re:Noscript. by Jack+Griffin · · Score: 5, Insightful

      Makes no difference, we're all fucked. Technology is now reaching a point where humans cannot compete with machines.
      Your cell phone provider already has enough info to know everywhere you are at any point in time, who your friends and family are, who you call and how often. Google knows all your web habits, and what you hobbies are, and you bank knows every cent you spend, where and on what. And this info is freely bought and sold to marketing companies and other bad actors. It only takes one slip to connect a name to this data and your life is captured on record forever. We need to start preparing for a non-private reality, than try to hang onto any semblance of privacy we think we still have. Even as I type this some algorithm somewhere has already tied my writing style to all my other web aliases and is connecting me to my real identity.
      Privacy is dead.

    2. Re:Noscript. by Aighearach · · Score: 3, Interesting

      According to his user number he was born yesterday, and will continue believing that privacy is dead until he graduates from college and gets his own place to live.

      Then there is some small, remote chance of discovering that where you shop was never really private, and that you want your bank to know what you spent money on, or else you'd have used cash. And that if you avoid specific behaviors, you get a lot-lot-lot less junk mail than less paranoid people.

      If it is private, don't put it on the internet. If it is private, don't leave it on your porch. Don't give your phone number to a store just because you shopped there. (just say "no thank you" when they ask you for your number)

      Google knows a lot about most people, but thankfully they don't sell that information. Or send junk mail. Or call your telephone. Or talk about you. Hopefully for your sake, your bank is also traditional like that.

    3. Re:Noscript. by Ace17 · · Score: 2

      What a load of crap.
      Your privacy seems to be dead, yeah. That's your problem ; especially if you did it by stupidly giving away private information to random private corporations.

      Just don't believe that we all share your privacy-killing way of life.

      Use Tor, disable javascript by default, only use free-software, don't bring your cellphone everywhere you go (and keep it turned off most of the time), use email encryption, and don't stay logged in gmail/google when you browse the web!

      But maybe, you would prefer that privacy were actually dead, because that would allow you to rationalize that you made the right choices accepting these intrusive behaviours from private corporations, now that you have become dependent on the convenience they provide..

    4. Re:Noscript. by dbIII · · Score: 4, Informative

      According to his user number he was born yesterday

      A real name as a login is a bit of a major clue for that as well.

      Why do kids do that today?

      Unless you are a public figure that treats stuff you write here as carefully as a press release it is a very bad move to use your real name as a login.

  3. Re:Crouching Microsoft, Hidden Patents by wierd_w · · Score: 2

    APK is that you?

    By the way you keep cross posting this, one would think that MS has patented the HOSTS file or something.

  4. Possible solutions by 93+Escort+Wagon · · Score: 2

    - Change hands every so often
    - Manually alter your mouse's tracking and acceleration settings to different values before starting Tor

    --
    #DeleteChrome
  5. Low tech solution by TapeCutter · · Score: 2

    Replace your mouse pad with rough sandpaper, randomly rotate sandpaper before a new session. The spooks will be looking for a group of terrorists with Parkinson's disease, plus it keeps your mouse feet clean!

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    1. Re:Low tech solution by x0ra · · Score: 3, Funny

      my dominant hand is busy doing something else...

  6. Re:Gee Fucking Whiz by Anonymous Coward · · Score: 2, Interesting

    Absolutely right. I keep seeing stories about how TOR users can be tracked . . . and they always involve javascript . . . what gives? Perhaps the headline should read "javascript users can be tracked by mouse movements?"

    If there was a story about people being tracked by network analysis of TOR traffic, or some other novel means, that would be news.

    1. Use the Tor Browser Bundle to access .onion sites
    2. Check that noscript is set to block all javascript in the Tor Browser. (it might not default to block all)
    3. Don't use the Tor browser to access any site other than .onion sites.

  7. Re:I don't see it. by Anonymous Coward · · Score: 4, Insightful

    They don't have to. They just have to parade some "experts" in front of a jury and say they're pretty sure they matched your mouse movement to a pedo. Sort of like how the FBI handles hair analysis. If the government wants you gone, this is just another tool in the toolbox.

  8. Re:Gee Fucking Whiz by Aighearach · · Score: 4, Interesting

    Yeah but if you're not on Tor, you're not doing anything illegal and you're not worried about tracking of that sort because normally of course the remote server knows your IP and everything, and there are a zillion potential logs or whatever in the middle.

    If you're on Tor for free speech, of course you don't care because you're not there for privacy; you're there to disguise your activities from local observation of the network. You already have to trust the remote server not to tattle to your government in that case.