click click, clickclick click
September 6, 2015 9:05 PM

How the way you type can shatter anonymity—even on Tor

The Privacy Risk Of Behavioral Profiling
So I did. I also learned about “plain old biometrics”, which is “something you are”. That’s stuff like your fingerprint, blood vein patterns in your palm (used in Japanese ATMs for many years now), retina patterns etc. Then you have behavioral biometrics, which is described as “something you do”, like speaking, singing, walking, moving etc… and for this blog post: HOW YOU TYPE ON A KEYBOARD. Bruce Schneier actually mentioned keystroke biometrics back in April, 2007.
Paul Moore, Behavioral Profiling: The password you can't change.
As opposed to traditional authentication which is only interested in what you type, behavioral biometric systems collect & profile how you type too. By actively monitoring how you type, the system is able to build a profile on you.

In order to achieve this, the system monitors how long each key is depressed (dwell time), how long between each key press (gap time), how long to type a known string and hundreds of other metrics.
You can register and see how unique your profile is here. If you use Chrome, you can install this widget to randomize your keystrokes.

Anomaly intrusion detection based on biometrics - "In this work we introduce the idea of using behavioral biometrics in intrusion detection applications. We propose a new approach to user profiling, which can be used to detect intrusion without the need for any special hardware implementation and without forcing the user to perform any special actions. The technique is based on using "keystroke dynamics" and "mouse dynamics" biometrics."

Enhanced User Authentication Through Keystroke Biometrics [PDF]
A Survey of Keystroke Dynamics Biometrics
Keystroke Dynamics for User Authentication [PDF]
posted by the man of twists and turns (64 comments total) 38 users marked this as a favorite
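
An added example, not taken from the linked articles or from any commenter: it computes the dwell and gap times described in the post from a constructed key-event log for two typists, then shows how replaying the same keys at a fixed cadence removes the difference between them. The event format, the function names, the down-to-down reading of "gap time" and the averaged-difference score are all assumptions made for illustration.

```javascript
// Constructed sample data: two people typing the same string "tor".
// Each event is { key, type: 'down' | 'up', t } with t in milliseconds.
const typistA = [
  { key: 't', type: 'down', t: 0 },   { key: 't', type: 'up', t: 95 },
  { key: 'o', type: 'down', t: 180 }, { key: 'o', type: 'up', t: 260 },
  { key: 'r', type: 'down', t: 340 }, { key: 'r', type: 'up', t: 450 },
];
// Typist B is faster and "rolls over": 'o' goes down before 't' comes up.
const typistB = [
  { key: 't', type: 'down', t: 0 },   { key: 'o', type: 'down', t: 60 },
  { key: 't', type: 'up', t: 70 },    { key: 'o', type: 'up', t: 110 },
  { key: 'r', type: 'down', t: 130 }, { key: 'r', type: 'up', t: 175 },
];

// Turn a raw event log into per-keystroke timing features.
// dwell[i] = how long key i was held; gap[i] = time from press i to press i+1.
function extractFeatures(events) {
  const strokes = [];         // one entry per key press, in press order
  const pending = new Map();  // key -> index in strokes still waiting for 'up'
  for (const ev of events) {
    if (ev.type === 'down') {
      if (pending.has(ev.key)) continue; // auto-repeat while held: ignore
      pending.set(ev.key, strokes.length);
      strokes.push({ key: ev.key, down: ev.t, up: null });
    } else if (ev.type === 'up' && pending.has(ev.key)) {
      strokes[pending.get(ev.key)].up = ev.t;
      pending.delete(ev.key);
    }
  }
  const done = strokes.filter((s) => s.up !== null); // drop unreleased keys
  return {
    keys: done.map((s) => s.key),
    dwell: done.map((s) => s.up - s.down),
    gap: done.slice(1).map((s, i) => s.down - done[i].down),
  };
}

// Mean absolute timing difference (ms) between two samples of the same text.
// A stand-in for the scoring a real system would do, not any vendor's metric.
function profileDistance(a, b) {
  if (a.keys.join('\u0000') !== b.keys.join('\u0000')) {
    throw new Error('samples must contain the same key sequence');
  }
  const va = [...a.dwell, ...a.gap];
  const vb = [...b.dwell, ...b.gap];
  const total = va.reduce((sum, x, i) => sum + Math.abs(x - vb[i]), 0);
  return total / va.length;
}

// Mitigation sketch: buffer the keys and re-emit them at a constant cadence,
// so the timings seen by the page no longer depend on who typed them.
function regularize(events, dwellMs = 50, gapMs = 150) {
  const out = [];
  extractFeatures(events).keys.forEach((key, i) => {
    out.push({ key, type: 'down', t: i * gapMs });
    out.push({ key, type: 'up', t: i * gapMs + dwellMs });
  });
  return out;
}

const rawDistance = profileDistance(
  extractFeatures(typistA), extractFeatures(typistB));
const regularizedDistance = profileDistance(
  extractFeatures(regularize(typistA)), extractFeatures(regularize(typistB)));

console.log('dwell A:', extractFeatures(typistA).dwell);
console.log('raw distance (ms):', rawDistance);
console.log('distance after regularizing (ms):', regularizedDistance);
```

The fixed cadence hides who typed, but perfectly uniform timings are themselves recognizable as tool output.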
 
whay if I stopi correcting my typso? WEould that work?
posted by double block and bleed at 10:09 PM on September 6, 2015 [4 favorites]


even on Tor

...while javascript is enabled.

Isn't that a biggish caveat, for people who are actually trying to be anonymous?
posted by pompomtom at 10:18 PM on September 6, 2015 [3 favorites]


I think Clifford Stoll tried unsuccessfully to do something like this in the Cuckoo's Egg.
posted by onya at 10:22 PM on September 6, 2015 [1 favorite]


People who don't know better assume I type with my nose, so this sounds legit to me.
posted by louche mustachio at 10:28 PM on September 6, 2015


If you're just using for authentication, I think I buy it. You don't need something that uniquely identifies the user, just a filter that is easier for the user to pass.

When you are trying to pick a single target out of thousands or millions of possibles, most or all of whom have studied the same typing system, many of whom will be using the same keyboard, etc.?

I mean, I'm curious enough to look at the articles now. It just seems so unlikely!

(And, this seems like an attack that won't work in an adversarial context. The Chrome extension should defeat it, and in a pinch a user could just anonymize their keystrokes by hand -- hunt and peck, or type according to a regular rhythm. So, if it works, yet another tool that can de-anonymize normal people going about their business that will be useless against someone being careful.)

Maybe I'm super-wrong about all of this though!
posted by grobstein at 10:30 PM on September 6, 2015


All sorts of sites are probably using these methods. I was told by a university official at the university where I work that this is one of the ways they protect against cheaters on MOOCs. If you try to take a final exam for another student but you type in their password without using their usual cadence, you'll be flagged. I was really surprised. It was an authentication method I had never heard of and it seemed like really high-level security. This was a while back, too.
posted by painquale at 10:36 PM on September 6, 2015 [20 favorites]


I think this really needs to have some vigorous testing. Let's start off by seeing if it can track down the people in GamerGate/8-Chan doing the harassment campaigns
posted by happyroach at 10:41 PM on September 6, 2015 [1 favorite]


I don't quite understand how to parse the demo results.
posted by teponaztli at 11:04 PM on September 6, 2015


I have Jarvis, my valet, enter all my text for me. He was trained at the Sorbonne Ecole de la Servitude and has impeccable cadence. [Thank you, sir]

This is the sort of attack that - well, say it's true. It's going to be about as admissible in court as graphology, which cuts no ice in the UK. It's going to be very hard to use for anything on a per-site basis: perhaps you could use it to identify 'anonymous' users if they're not already identifiable via cookies or IP address, but you won't get anything you're not getting from their more obvious behaviour. This is going to be of use only for co-operating sites with a mutual interest in correlating users.

The Ars article doesn't say how well it works with large numbers of users. It doesn't say how well it works across a network without the local monitoring (since the timing seems to rely on microsecond resolution, that's going to add a lot of noise). It's certainly going to be non-trivial to implement in a useful way, and is that going to add much to other cheaper, extant ways?

The best you can probably hope for, if you see a use for this for yourself, is to provide one more signal to a multivariant analytics package which provides a confidence indication that user X is on a particular session.

Using a fuzzer to add pseudo-random or otherwise regulate keystroke spacing (or just cut and pasting from a local buffer) will stand out to the monitoring, but if enough people use it (where 'enough' is probably quite small) it'll again diminish the signal, quite strongly. As this is the sort of thing that can (and will) be built into the standard Tor bundles and distros, and these are the sort of tools that people who really care about anonymity use, I'd think the practical implication of this tool will be minimal. Either it'll provide a signal where there are already many other strong signals, or it'll add minimal information in situations where there's already high noise.

Could be wrong - making many assumptions here. There could well be particular cases where it's useful, and it's good to know about the research. Wouldn't lose more than five-ten seconds sleep per night over it, though.

Good job, Jarvis. [Thank you again, sir]
posted by Devonian at 11:58 PM on September 6, 2015 [9 favorites]


You could obfuscate this by entering text on a robotic keyboard which then physically types the real keys for you at a constant rate and distributing it to anyone paranoid enough to want one. You'd still get flagged as suspicious but at least the cadence of your typing would be less unique. If you're going against a sophisticated adversary a Chrome extension might not be enough.
posted by Small Dollar at 12:31 AM on September 7, 2015


click click, clickclick click
Two bits?
posted by J.K. Seazer at 12:36 AM on September 7, 2015 [23 favorites]


Now remember, type without rhythm, and we won't attract the worm.
posted by Barking Frog at 12:37 AM on September 7, 2015 [74 favorites]


Or it could even collect keystroke cadence data and spoof someone instead!
posted by Small Dollar at 12:44 AM on September 7, 2015


This is the sort of attack that - well, say it's true. It's going to be about as admissible in court as graphology

The NSA doesn’t give a toss for legal definitions of admissibility. They simply care whether something works or not.

Not that you should be using Tor if your definition of adversary is “The NSA” because they’re probably one of the few agencies in the world that can de-anonymise Tor traffic if they really, really want to via global traffic analysis of Tor node data traffic.

This is simply another nail in the coffin of permitting Javascript to run if you want any kind of anonymity on the net.
posted by pharm at 12:54 AM on September 7, 2015


If I understand correctly, you could subvert this by typing into a text editor then copy+paste to the site in question, couldn't you?
It seems a little like those stories about a laser reading the hum of a hard drive off a pane of glass and from that extrapolating the contents of the drive... Maybe in the ideal set-up, but how flexible is it really?
Equally dangerous would be to train a parrot to remember what you type, then fly back to base to convey... Wait, better still, you attach acoustic sensors to cockroaches and then a recording...
I mean, there's a step missing in all this - a little bit like 'fusion is only ten years away!' It might (edit: It seems to) be proof of concept for one facet of a program that would realize this goal of telling what you had for breakfast by how you tweet, "I need more coffee..." and then determining if you are a threat to the state.
posted by From Bklyn at 1:09 AM on September 7, 2015


Walk without rhythm and we won't attract the worm.
posted by PenDevil at 1:25 AM on September 7, 2015 [6 favorites]


One thing to keep in mind is that a healthy dose of paranoia is the basis of all good security: If this thing can be shown to work *in principle*, it has to be factored into your security considerations to some extent. Doesn't mean you have to take every claim at face value, or bust out the tinfoil just yet, but you also don't dismiss something as an avenue of attack because it is not currently known to work with 100% reliability all of the time.
posted by Dr Dracator at 1:29 AM on September 7, 2015 [5 favorites]


in dystopian reality, only pianists will be truly anonymous

gonna have to get profiles on how we type left-handed, right-handed, both-handed, single finger (we can use all 10 singly), combos of other fingers, muhahaha that's not even accounting for purposefully typing differently (you want Brahms or Joplin or Monk or...?)
posted by MarionnetteFilleDeChaussette at 2:00 AM on September 7, 2015 [1 favorite]


My sister is a pianist, and has a very distinctive typing rhythm - it's crazy fast but uneven, and all the pauses sound *wrong*: drives me nuts to hear her type, I could probably pick her out of a room full of regular people typing.
posted by Dr Dracator at 2:07 AM on September 7, 2015


I'm on my phone otherwise I would do better research, but isn't this kind of thing old news? I recall a WWII story where women would listen to encoded messages over the wire, and couldn't say what the messages contained, but could track troop movements based on the cadence of the message being sent. Women became experts at identifying different message senders and would follow their message trail to confirm where a certain platoon was and where they were before.
posted by Suffocating Kitty at 2:38 AM on September 7, 2015 [11 favorites]


Kitty - yes, very old news. The characteristic sound of a manual Morse code sender is called their 'fist', and it can be very obvious even to a relatively unskilled listener. A good one can recognise it as easily as handwriting, and indeed the Y Service interceptors and SOE operators in the UK became very skilled in the art during WW2. It was useful both for tracking the enemy, and for telling when an agent had been compromised.
posted by Devonian at 2:51 AM on September 7, 2015 [14 favorites]


My sister is a pianist, and has a very distinctive typing rhythm

Weirdly, i went to music school for piano and have been told this too. I wonder how common it is. Some keyboards also totally jam my hands up, it's like there isn't enough travel or resistance or... something. I have to pay way too much attention to type quickly on them and that autopilot part of my brain just can't sync with it.

I guess the moral of the story is i should never hack the gibson unless i'm behind 7 proxies?
posted by emptythought at 2:52 AM on September 7, 2015


I type to the themesong of dueling banjos - left hand banjo 1 right hand banjo 2. When I have more to write than what I can do on one hand, I have my dog write it for me.
posted by Nanukthedog at 4:11 AM on September 7, 2015


you can install this widget to randomize your keystrokes.

I suspect that being one of the handful of people to use the widget would make you easier to identify than would just typing your normal way.

My wife types with a totally different rhythm (and much faster) than I do, so it would be effortless for the NSA to tell who was typing at a given moment in our house. With more casual browsing and communication shifting to phones and tablets, though, I wonder if there is a parallel way to track thumb-typing there.
posted by Dip Flash at 4:38 AM on September 7, 2015 [2 favorites]


Keystroke profiling was a plot device in Douglas Coupland's Miss Wyoming - published back in 2001.
posted by KirkpatrickMac at 4:43 AM on September 7, 2015 [3 favorites]


Now that they know everything about me, what are they going to do about it? Will they swoop in with a drone when i shoot my mouth off online, opinionating?
posted by infini at 4:57 AM on September 7, 2015


This will be like those location thingies which peep up and go "hey, someone's trying to log in to your account from the other side of the world because nobody we know travels"
posted by infini at 5:01 AM on September 7, 2015


If you are really worried about this, you could type what you want to type on an off-line machine then sneaker net the files to your connected machine & copy/paste using menus so that you never even touch a keyboard.

Or you could buy a manual typewriter, type what you want, scan the pages, then upload them anonymously to imgur. Then bury the typewriter in the woods.
posted by Devils Rancher at 5:19 AM on September 7, 2015 [6 favorites]


Cute idea but typewriter sniffing dogs, man.
posted by From Bklyn at 5:28 AM on September 7, 2015 [7 favorites]


We have to come to terms with the fact that we are very leaky creatures, and technology makes true anonymity less and less possible every day. If we want to preserve the anonymity, we must do so with legal and social tools. Everyone thinks about smartphones tracking us, but everything leaves traces, and our tools only get better at reading those traces. The pattern of water and electricity usage in our homes tells who is home and who is awake. The routes we take are recorded in a hundred small ways, from traffic cameras to the computers in our cars and the GPS in our phones and the locations where we use our credit cards to buy gas. The amount of time between presses can reveal our pin numbers after just a few samples.
posted by Nothing at 5:42 AM on September 7, 2015 [4 favorites]


What's a typewriter?
posted by Brandon Blatcher at 5:44 AM on September 7, 2015 [1 favorite]


I had a go at the demo, trained it on the ten transactions it requires, and then got my husband to do one. It could definitely tell it wasn't me that 11th time. But the ten training transactions involved typing exactly the same digits in each field every time, so of course I developed a specific cadence for doing so, and probably a speed and confidence that he then lacked. I'd be more interested to see what happened if he had also done it ten times and then only tried it against my account the 11th time, but he wasn't game to spend that much of his evening typing numbers into a fake database.
posted by lollusc at 5:51 AM on September 7, 2015


When I've been climbing too much, and my fingertips are raw, I type differently. (ouch!). Similarly if I'm eating while typing, or anything else. I wonder how different these patterns are, versus the difference between my typing and anyone else's?

I'm less worried about anonymity, and much more worried about false negatives. (Put down that sandwich and type your password again, ma'am.)
posted by nat at 6:01 AM on September 7, 2015 [1 favorite]


I would expect various substances to have a much greater effect than a sandwich, so my solution will be to henceforth type all important secret communications while falling down drunk.
posted by Dr Dracator at 6:19 AM on September 7, 2015


Ooh that could be a useful application. "You're typing like you're drunk, dude. Are you sure you really want to send this email? [y/n]"
posted by nat at 6:29 AM on September 7, 2015 [8 favorites]


I have a friend who uses a virtual keyboard for many reasons, this among them. I think, apart from disabling js, writing on a plaintext file and then copy/pasting your text into fields would be a sufficient way around this. On the other hand, if the feds want you, they'll get you.
posted by Aya Hirano on the Astral Plane at 6:48 AM on September 7, 2015


Well, I tried it, then switched tabs for a minute after 4 "training" transactions, and couldn't remember the example password that I was supposed to login with 6 more times. Oh well. I assume they can track my typing, but can they tell that I'm doing the test from my tiny laptop which can barely fit my giant person's hands? Because I type much differently on this, basically with 5-6 fingers, than I do on my full sized desktop keyboard.
posted by T.D. Strange at 7:10 AM on September 7, 2015


Doesn't latency play a huge role in this? I imagine the differences in people's typing amount to milliseconds. If a few keys are lagged then it would seem like a different person, no?
posted by pravit at 7:33 AM on September 7, 2015


Use voice to create text, then put text in a file, paste to the past, let people make of it what they will. Radicals will blow up your ancient temple complexes, four thousand years from the post dated text, oh wait, I mean yesterday.
posted by Oyéah at 7:37 AM on September 7, 2015


Doesn't latency play a huge role in this?

I'd imagine that the browser can run enough JavaScript to timestamp each keystroke with the system clock. It should be able to determine timing with sub-millisecond accuracy.
posted by RobotVoodooPower at 7:55 AM on September 7, 2015 [2 favorites]


I was also thinking about the morse code "fist," but it seems that keystroke dynamics are as old as the telegraph:
By the 1860s the telegraph revolution was in full swing and telegraph operators were a valuable resource. With experience, each operator developed their unique "signature" and was able to be identified simply by their tapping rhythm.
posted by filthy light thief at 8:17 AM on September 7, 2015 [1 favorite]


So if you are heavy into cryptography and want to start dating, a 'must have' for your dating profile has to be a specific WPM requirement - no faster and no slower.
posted by Nanukthedog at 8:20 AM on September 7, 2015


I think the deal though is that most users are habitual enough that they may type certain combinations of characters (like "the") with sufficient accuracy to make the algorithm work.

If you had access to, say, a message board, you'd have a large sample of data to work with. This could be useful for determining if people have multiple accounts or are impersonating other people, which I understand happens a lot based on some hacker memoirs I've read.
posted by RobotVoodooPower at 8:27 AM on September 7, 2015 [1 favorite]


This is why almost all of my textual output is filtered through a custom Markov-based process that I keep running in the background of our discontent, made glorious summer by this sun of York
posted by cortex at 8:42 AM on September 7, 2015 [9 favorites]


Now that they know everything about me, what are they going to do about it? Will they swoop in with a drone when i shoot my mouth off online, opinionating?

Imagine there is a Big Database somewhere in, oh I don't know, let's say Utah. Databases being what they are, there is a row for each and every person. They try to make these things comprehensive and there is enough power now to be comprehensive. So they know a lot about what rows there are and each row has lots of info even if it's just metadata (and it isn't just metadata).

Now they ask some questions like, who is going to win X election? When they know everything about each row, it is a lot easier to predict an election than taking some messy poll. Hey, that's useful!

Now they ask themselves, if we would prefer candidate Y to win election X, because she's a supporter of the Big Database and her opponent asks tough questions, but she's behind, what would it take to get her across the finish line? Why some propaganda of course!

Then they ask themselves, which lines of propaganda are the most effective at getting Y across the finish line? So they start A/B testing propaganda and measuring the results. When they find the right combination they give their media minions their talking points and send their troll armies out to battle with their new memes. Hey this actually works!

And of course some candidates or issues are hopeless so they cut their losses and focus their resources precisely where they will get the most traction and don't get distracted where it won't matter. And their shit gets better and better each year so if it's not quite feasible today just wait because exponential. Thanks, Moore!

And pretty soon they are winning just the right amount of elections to get just the right amount of electoral votes or committee seats and it all looks just like it used to except some groups always seem to just barely win, but these elections sure look just like elections. Hey, does anyone remember democracy?
posted by BentFranklin at 9:15 AM on September 7, 2015 [8 favorites]


Seems like you could set up a keystroke buffer with something like a Teensy/Arduino board in between a keyboard and your computer's USB port. Add in a cheap screen so you can see what keystrokes you have buffered, and then just hit a dump button when it's time to actually fill the form.

Of course, you still have to worry about your mouse, and put your computer in a faraday cage in case BADBIOS is phoning the NSA with some crazy bitbanged SDR. Or just disable javascript and be damn sure your computer has no rootkits or hardware keyloggers.

What's creepy about this is not really the idea of it getting used in court. This isn't much proof, and I could see an evil person profiling another person's keystrokes and writing an extension/script to frame the victim with emulated cadence. The real problem is that it can create suspicion for dragnet surveillance operations and lead to more targeted surveillance/attacks, and with parallel reconstruction, law enforcement would never have to admit their investigation involved the technique.
posted by mccarty.tim at 9:32 AM on September 7, 2015 [3 favorites]


You have no idea how grateful I am for this thread and for comments like the few above. It saves me from worries and I can take the tinfoil hat off, I don't need it anymore. What was science fiction is believably feasible and most likely in viable use. Come, let's dance to their tune on the roller piano.
posted by infini at 9:39 AM on September 7, 2015 [2 favorites]


I don't understand the demo. So I did the whole thing and the tenth time, I think it told me that it's 87% sure that it's me, which seems like a good number to choose if I were basically setting up a Barnum-Effect-or-something-related based test. And it showed me a line graph with confidence on the Y-axis and an unlabeled and thus useless X-axis. And it didn't tell me what anything meant.

So umm..yeah, I now have data that seems to say there's a 87% chance I'm me.

If anyone else wants to go in and try to be me, use username testy and password tawu07. I'd be curious to see how likely it is that you are me.
posted by If only I had a penguin... at 10:07 AM on September 7, 2015 [1 favorite]


Oh, and I did the commerce demo. Apparently the banking demo is trained separately. So if you want to be me, choose commerce.
posted by If only I had a penguin... at 10:11 AM on September 7, 2015


everybody sign my petition to ban parrots
posted by Wolfdog at 10:44 AM on September 7, 2015


If anyone else wants to go in and try to be me, use username testy and password tawu07. I'd be curious to see how likely it is that you are me.
Score: 0.01, confidence: 81.52. Despite the lack of information on what that actually means, I assume it detected that I'm not testy with pretty high confidence. Looks like it worked reasonably well in this case. (The ratio of goofy clipart to quantitative analysis on their website does not convince me the company is capable of evaluating whether the same is true in realistic scenarios. But, it's a fun concept.)

Sadly, I suspect "uses an extension that opens textareas in a text editor" is an even better unique fingerprint.

I wonder what the market would be for a small USB adapter plug that sits between your keyboard and computer and adds random 100 ms-scale delays to every keystroke. Not even your OS will be able to keystroke fingerprint you.

I suppose that even if the market is tiny, the opportunity to make money by selling backdoor access to government spy agencies, in the form of uniquely identified pseudorandom keystroke statistics tied to specific mailing addresses, would certainly pay for a large fabrication run. And possibly even a retirement filled with sleepless nights.
posted by eotvos at 11:14 AM on September 7, 2015 [3 favorites]


I was told by a university official at the university where I work that this is one of the ways they protect against cheaters on MOOCs. If you try to take a final exam for another student but you type in their password without using their usual cadence, you'll be flagged. I was really surprised. It was an authentication method I had never heard of and it seemed like really high-level security. This was a while back, too.

That university official was probably just lying to scare you out of cheating. Might as well have said, "He knows if you've been bad or good, so be good for goodness' sake."

Is cadence detection possible? Sure. Is it remotely useful for that application? Not at all. First of all, it relies on every user knowing beforehand that their cadence will be part of the password, and ensuring it never varies from the first time the password is entered. Think about that: When you're entering a password for the first time, do you use your usual typing cadence? Doubtful. You're probably being extra deliberate with each keystroke. Even the thousandth time isn't going to match your usual cadence, since by that point it's all muscle memory and your hands are just doing a little automated dance that's a jillion times your usual typing speed. And what if you just plain fuck up and have to re-enter your password? Do you get "flagged" for fat-fingering?

—even on Tor

Shocking! Who'd've thought your anonymity might be compromised in US Navy-developed software that the FBI (and/or the three-letter agency of your choice) has a backdoor into?
posted by Sys Rq at 11:43 AM on September 7, 2015 [2 favorites]


Was there ever any concrete evidence of a Tor backdoor? The biggest busts I've heard of come down to browser-side malware tailored for the bundle (with FreedomMail if I recall), and raiding datacenters that host Tor hidden services. I'm not saying it doesn't exist, it definitely could, but at the same time, it's an open source project with widely audited code.
posted by mccarty.tim at 11:54 AM on September 7, 2015 [1 favorite]


The real problem is that it can create suspicion for dragnet surveillance operations and lead to more targeted surveillance/attacks, and with parallel reconstruction, law enforcement would never have to admit their investigation involved the technique.

I wouldn't worry too much, even after this goes into full use. If you need help with internet-based attacks or harassment, especially if you're a woman or person of color, then the police will be completely baffled by how this intarwebs thing works. It has a web of tubes, right?
posted by happyroach at 12:46 PM on September 7, 2015 [1 favorite]


Yeah I'm not sure there's evidence of a coded backdoor in Tor. Not that that means there isn't one of course. But its anonymization model may just not stand up against an organization that can pay for a lot of computers and play the long game. And there are tons of attacks through other channels (like this one).
posted by atoxyl at 1:55 PM on September 7, 2015 [1 favorite]


I wouldn't worry too much, even after this goes into full use. If you need help with internet-based attacks or harassment, especially if you're a woman or person of color, then the police will be completely baffled by how this intarwebs thing works. It has a web of tubes, right?

Don'tcha know we got terrorists to catch?
posted by atoxyl at 1:58 PM on September 7, 2015 [1 favorite]


Seems like you could set up a keystroke buffer with something like a Teensy/Arduino board in between a keyboard and your computer's USB port. Add in a cheap screen so you can see what keystrokes you have buffered, and then just hit a dump button when it's time to actually fill the form.


...or save some effort and use a text editor.
posted by pompomtom at 5:50 PM on September 7, 2015


Was there ever any concrete evidence of a Tor backdoor? The biggest busts I've heard of come down to browser-side malware tailored for the bundle (with FreedomMail if I recall), and raiding datacenters that host Tor hidden services. I'm not saying it doesn't exist, it definitely could, but at the same time, it's an open source project with widely audited code.

Yeah, this accords with what I have read. The US government (and others) has some attacks it can use against Tor users but nothing like a backdoor. The FBI has had some success serving malware over Tor (e.g. users do not disable Javascript), and sometimes a target carelessly signs into the same service using Tor and non-Tor connections.

In leaked presentations, NSA operatives claim that they are pessimistic about their ability to de-anonymize most Tor traffic. Now, perhaps this is just what they want us to believe -- this seems crazy to me, but maybe you think the Snowden leaks are primarily a channel for NSA disinformation. Still, Tor is composed of a huge number of nodes, most run by private actors running thoroughly audited open source software. A backdoor seems like a remote possibility.

There may be better attacks than we're currently aware of, out there. But I don't think there's any basis for thinking the whole thing's a scam. The Navy thing is a red herring IMO.
posted by grobstein at 6:59 PM on September 7, 2015


painquale: I was told by a university official at the university where I work that this is one of the ways they protect against cheaters on MOOCs.

Sys Rq: That university official was probably just lying to scare you out of cheating. Might as well have said, "He knows if you've been bad or good, so be good for goodness' sake."

I wasn't a student. I was on the inside, developing the MOOC. I suppose they could have been lying in order to convince me that cheating wasn't a problem, but given that I wasn't expressing much concern over cheating, they didn't have much reason to lie. And I think there could have been legal issues had someone been intentionally misrepresenting the systems being purchased.
posted by painquale at 7:54 PM on September 7, 2015 [1 favorite]


you tell us this now, AFTER we have filled in the xkcd survey?
posted by fistynuts at 12:46 AM on September 8, 2015 [1 favorite]


Shocking! Who'd've thought your anonymity might be compromised in US Navy-developed software that the FBI (and/or the three-letter agency of your choice) has a backdoor into?

There’s no need for a backdoor into Tor. The NSA taps every major internet communications pathway - if they really, really want to, they can cross correlate packets in the Tor network & de-anonymise individual users. This is not surprising - Tor was never designed to be secure against a global adversary like the NSA in the first place.

The flip side is that doing such cross-correlation is very resource intensive & requires storing huge amounts of traffic data in the hope of being able to statistically identify individual packet flows. It’s only ever going to be a percentage game at best & even then it’s only really effective if you can control the packet flow in some way. Again, the NSA having hacked into (or been given direct access to) a sizeable chunk of the world’s routers potentially gives them this power, but doing it on any kind of scale is still very, very hard. Of course, the NSA likes very, very hard - pouring more capital than most people would think reasonable into very, very hard problems is how they operate.

I wouldn’t be at all surprised if the NSA could de-anonymise a small fraction of Tor traffic, some of the time. But all of it, at will? I think that’s unlikely at the current time. Of course, the ability to de-anonymise Tor traffic would be one of those things they’d keep very quiet about if they could do it...
posted by pharm at 6:16 AM on September 8, 2015 [1 favorite]


pharm's comment reminds me of a software company that later evaporated into the mists of acquired time. the boys can do all of the above.
posted by infini at 7:15 AM on September 8, 2015


When you are trying to pick a single target out of thousands or millions of possibles, most or all of whom have studied the same typing system, many of whom will be using the same keyboard, etc.?

I wonder about this too, but this just becomes another data point. It's like Target knowing you're pregnant. Now when you go on your family Amazon account, they know if it's the person who buys the household goods or if it's the person who buys movies. And the recommendations at the bottom of the page change to try and steer your buying habits. You don't need a perfect match if you can correlate enough commonalities together to get a reasonable probability it's the same person. (For the record: I do not actually know if Amazon uses this technology)


That university official was probably just lying to scare you out of cheating. Might as well have said, "He knows if you've been bad or good, so be good for goodness' sake."

The first case I heard of this tech being used in the wild was a few years ago by academic journals wanting to make sure universities don't share licenses between multiple users. This isn't new tech and it doesn't have to be perfect.

Think about that: When you're entering a password for the first time, do you use your usual typing cadence? Doubtful.

A lot of times yes. Because despite knowing better, I'm still like the vast majority of people and use like 3 or 4 passwords over and over again.
posted by mayonnaises at 9:53 AM on September 8, 2015



