Re: [Tails-dev] [Secure Desktops] Proposal for Anti-Keystrok…

Delete this message

Reply to this message
Autore: ★ STMAN ★
Data:  
To: bancfc
CC: desktops, tails-dev
Oggetto: Re: [Tails-dev] [Secure Desktops] Proposal for Anti-Keystroke Fingerprinting Tool
Hello.

Mouse Fingerprinting, Keyboard Fingerprinting, Device Fingerprinting (Active collection modes, using hidden channel in the legit TCP/IP trafic going through TOR) are specialities that have NO SOLUTION with "software only » approaches.
These problems cannot be solved by software only. The can be fixed definitely through 100% Free Integrated Circuits based computers that solve these issue through hardware changes.

To me, any attempt to « solve » these issues by software can only be a fraud.

I’m open to debate.

Le 17 mars 2016 à 18:31, bancfc@??? a écrit :

> == Attack Description ==
>
> Keystroke fingerprinting works by measuring how long keys are pressed and the time between presses. Its very high accuracy poses a serious threat to anonymous users.[1]
>
> This tracking technology has been deployed by major advertisers (Google, Facebook), banks and massive online courses. Its also happening at a massive scale because just using a JS application (or SSH in interactive mode) in presence of a network adversary that records all traffic allows them to construct biometric models for virtually everyone (think Google suggestions) even if the website does not record these biometric stats itself.[2] They have this data from everyone's clearnet browsing and by comparing this to data exiting the Tor network they will unmask users.
>
> == Current Measures and Threat Model ==
>
> While the Tor Browser team is aware of the problem and working on a solution, current measures [6] are not enough. [4][5]
>
> Security distros are designed to protect the user even if an end user application is compromised and provide desfense in depth.
>
> The goal is to protect users even in the event of an attacker taking over an application running ina VM/Container.
>
> This is valid for systems running in VMs or on bare metal.
>
>
> == Existing Work on Countermeasures ==
>
> As a countermeasure security researcher Paul Moore created a prototype Chrome plugin known as KeyboardPrivacy. It works by caching keystrokes and introducing a random delay before passing them on to a webpage.[3] Unfortunately there is no source code available for the add-on and the planned Firefox version has not surfaced so far. There are hints that the author wants to create a closed hardware soltuion that implements this which does not help our cause.
>
>
> == Proposal for a System-wide Solution ==
>
> A very much needed project would be to write a program that mimics the functionality of the this add-on but on the display server / OS level. Ideally the solution would be compatible with Wayland for the upcoming transition in the near future.
>
>
>
>
> [1] http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/
>
> [2] http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7358795
>
> [3] https://archive.is/vCvWb
>
> [4] https://www.lightbluetouchpaper.org/2015/07/30/double-bill-password-hashing-competition-keyboardprivacy/#comment-1288166
>
> [5] https://trac.torproject.org/projects/tor/ticket/16110
>
> [6] https://trac.torproject.org/projects/tor/ticket/1517
>
>
>
> ***
>
> This feature request has been mirrored on each project's bugtrackers respectively:
>
> https://github.com/subgraph/subgraph-os-issues/issues/103
> https://labs.riseup.net/code/issues/11257
> https://github.com/QubesOS/qubes-issues/issues/1850
>
> _______________________________________________
> Desktops mailing list
> Desktops@???
> https://secure-os.org/cgi-bin/mailman/listinfo/desktops