Keystroke fingerprinting is a thing apparently

t3g
Joined: 05/15/2011

https://www.phoronix.com/scan.php?page=news_item&px=Anti-Keystroke-FP-Wayland-Kern

I was reading this story about how advertisers, Google, and other providers are tracking users according to how they use their keyboard (how long they press and time in between) and it has raised a concern among those who don't want to be tracked for everything they do. I came across this story due to future kernel and Wayland integration.

So what do you think about this? Something like keystroke fingerprinting is very scary, but I'm not surprised a company like Google would want to track more of what you do.
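An added illustration, not part of the thread: the two timings mentioned in the post above (how long a key is held, and the gap before the next key) computed for three constructed typists, before and after snapping timestamps to a coarse grid. The typists, the 100 ms grid and all function names are assumptions made for this sketch; the coarsening is one illustrative mitigation and is not a description of the kernel/Wayland work in the linked story.

```javascript
// Constructed sample data: [key, keydown ms, keyup ms] for three hypothetical typists.
// A and B type at the same overall pace but hold keys differently; C types more slowly.
const typistA = [["t", 0, 80], ["e", 200, 285], ["s", 410, 490], ["t", 600, 690]];
const typistB = [["t", 0, 140], ["e", 195, 330], ["s", 390, 535], ["t", 600, 740]];
const typistC = [["t", 0, 90], ["e", 300, 395], ["s", 600, 690], ["t", 900, 985]];

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

// Dwell = time a key is held down.
// Flight = time between releasing one key and pressing the next.
function timingFeatures(events) {
  const dwell = events.map(([, down, up]) => up - down);
  // events.slice(1)[i] is the key after events[i], so events[i][2] is the previous keyup.
  const flight = events.slice(1).map(([, down], i) => down - events[i][2]);
  return { meanDwell: mean(dwell), meanFlight: mean(flight) };
}

// Assumed mitigation: report every timestamp snapped to a fixed grid,
// as a reduced-precision clock would.
function coarsen(events, gridMs) {
  const snap = (t) => Math.round(t / gridMs) * gridMs;
  return events.map(([key, down, up]) => [key, snap(down), snap(up)]);
}

// Simple L1 distance between two timing profiles (0 = indistinguishable on these features).
function distance(p, q) {
  return Math.abs(p.meanDwell - q.meanDwell) + Math.abs(p.meanFlight - q.meanFlight);
}

const GRID_MS = 100; // assumed grid size
const raw = [typistA, typistB, typistC].map(timingFeatures);
const coarse = [typistA, typistB, typistC].map((e) => timingFeatures(coarsen(e, GRID_MS)));

console.log("raw A vs B:   ", distance(raw[0], raw[1]).toFixed(1));
console.log("coarse A vs B:", distance(coarse[0], coarse[1]));
console.log("coarse A vs C:", distance(coarse[0], coarse[2]));
```

With this data the coarse clock makes A and B identical, while C still stands out: differences smaller than the grid disappear, but overall typing rhythm does not.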

onpon4
Joined: 05/30/2012

I've said it before: the whole design of automatically loading third-party programs at the request of that third party, then immediately executing them, is stupid. But we accepted it for a very tiny amount of convenience and flashy effects (no pun intended). Of course that's going to leave us vulnerable to attacks like this, so of course malicious entities are going to use these attacks.

t3g
Joined: 05/15/2011

Yeah, I can see where the loading of non-free JavaScript can allow this without us knowing.

Jabjabs
Joined: 07/05/2014

It doesn't even have to be non-free; non-free just makes it easier to hide its functionality. Just having any program load without users' knowledge is a very bad trait to have.

LibreJS is okay but can still allow malicious code to run provided it has the right license, I mean how many people would actually check that code before running that specific instance? NoScript at least allows you to control it with a fine grain.

I'm sure as you would know, this is a very extreme case that free JS would actually be looking to be LibreJS compatible but it is not an impossibility either.

J.B. Nicholson-Owens
Joined: 06/09/2014

name at domain wrote:
> So what do you think about this? Something like keystroke fingerprinting is
> very scary, but I'm not surprised a company like Google would want to track
> more of what you do.

Sounds like the kind of thing one is exposed to by running JavaScript and
plugins; software designed to run arbitrary code pointed to by a webpage
(even more dangerous when one considers how many unencrypted sites there
are and how easy it is for intermediaries to inject data in that download).
Related to this is tracking users' edits as they type them into text boxes
(particularly JS-driven text boxes) and surreptitiously submitting that
edit log somewhere so the site can see what people were going to put into
their text but edited out. Imagine how scary it would be for a novice
computer user to find that some text they purposefully edited out and did
not submit to a website was still available to someone.

I've found it difficult to justify running JS and browser plugins precisely
for these reasons; I find it's not a good tradeoff to give sites so much
power over my computing, and the sites I visit I mostly read not submit
data to. I'm also comfortable saying 'no' to sites that frustrate my
attempt to avoid JS. I can either do without or go somewhere else to get
comparable coverage without any JS. Finally, I get faster browser rendering
time by having my browser only deal with the HTML and CSS (which helps make
for snappier browsing except for CSS being ever more animated). Sure I
don't get some features JS provides, but I don't miss them.

I think more companies are into tracking users than will admit to being in
that business. Spying on users is not only profitable for selling data to
others, it also helps build powerful relations with monied interests. I
believe business managers believe they can get useful data to improve their
businesses based on spying or tracking data novice users don't know they
were giving to the service.

onpon4
Joined: 05/30/2012

Browser plugins do not as a general rule have the same problem as JavaScript. Gnash and IcedTea do, because they too facilitate execution of arbitrary code sent by a third party (ActionScript and Java code, respectively). But, for example, the GNOME Shell integration plugin doesn't raise this issue.

Jabjabs
Joined: 07/05/2014

Same here, NoScript is your friend. It is also the reason why I can't read anything of Forbes. :P

hack and hack
Joined: 04/02/2015

As a NoScript user like 99.9% of my browsing time (makes me think I need to figure out how to sandbox Abrowser, and not only with AppArmor),
I was trying to figure out how to access these websites anyway. I tried the mobile version, but it doesn't seem there's one.

It seems this is how it's done: No JS? Then here's a blank page served. The page is refreshed after 0 seconds (=instantly), and is redirected to the empty php page.
This is written on server side. So I don't even think it's possible to modify the CSS or even JS that hides the content. Maybe not allowing cookies, but I doubt it would work.

So besides being able to send bullshit data in some way (including fake keystrokes), and for it to be natural enough, I don't see how I could access such a website without JS.

onpon4
Joined: 05/30/2012

I wonder what effect sending messages like this would have:

"Mr. X, I see that your website refuses to show me anything while I have JavaScript disabled. This is puzzling to me. I can only presume that you are so ashamed of your writing that you refuse to show it unless it's accompanied by distracting visual effects, but if that's the case, I would suggest you shouldn't publish your writing at all."

Of course, this practice is quite uncommon. I think the main reason it's done is because the webmaster is more concerned with whether you see ads than whether you see the website's own content.

hack and hack
Joined: 04/02/2015

I've also seen on Stack Overflow that some do it out of laziness (not starting with progressive enhancement because the website is supposed to be JavaScript-heavy, so they feel building it backwards is too much work).

But yeah, more often than not, it's probably about ads.

I've also read about some not understanding those who don't use JS, often completely missing the point of privacy/executing external (non-free) programs.

SuperTramp83

Joined: 10/31/2014

>As a NoScript user like 99.9% of my browsing time (makes me think I need to figure out how to sandbox Abrowser, and not only with Apparmor),

I sandbox several applications with heavy internet use (Iceweasel, TorBB, Icedove, Pidgin etc) with firejail.

https://firejail.wordpress.com/

I also use AppArmor, the two are compatible.

hack and hack
Joined: 04/02/2015

This looks wonderful, thank you SuperTramp83!

It should fit right in the .i3config, or if there's a syntax issue, I can still put it in the path inside a .desktop file and launch the program normally. Looks super easy to use.

Thank you too root_vegetable, it seems that kernel patching works at core level (DUH!), which makes it in theory a closer protection.

That represents some serious reading to answer questions like what's the most important, where do they overlap (if they do), and what are the consequences.

SuperTramp83

Joined: 10/31/2014

hack_hack yw! Indeed an extremely user friendly sandbox. I placed all my launchers in a folder and made links on the plank dock, I just need to click on the icon to launch it :)

pragmatist

Joined: 03/03/2016

lynx is a text-browser and I find it sometimes helps me to circumvent the javascript problem of some websites. Many sites create a 'text-only' way of using their website for accessibility reasons. It only works some of the time, so it is just one more tool in the war against nonfree javascript!

There are only a few commands you need to know to get started. (q = quit; g = go to url; right-arrow means follow a link; up and down arrows navigate the page). Read the man page for further details.

onpon4
Joined: 05/30/2012

I prefer elinks, personally.

pragmatist

Joined: 03/03/2016

Thanks onpon4! I just downloaded it and I'm playing around with it. That is one of the things I love about GNU/Linux--there are so many choices!
Early assessment: Pros: faster, nice dialog system, nice default colors, searching is more intuitive. Cons: Doesn't prompt for cookies and stores cookies by default.
Conclusion: I would consider elinks (with the cookie caveat) if I were using a text-browser on a daily basis, or using it for several hours at a time. It seems a little more user friendly. Of course, it is also a matter of taste.