Has there been any discussion regarding behavioral profiling using JavaScript which creates behavioral profiling using websites?
There is a plugin for Chrome which attempts to inject random data into these JavaScript DOM functions:
but it’s not available for Tor unless Chrome store on Firefox is installed.
Syonyk
June 14, 2023, 7:07pm
2
opened 04:36PM - 17 Mar 16 UTC
Labels: T: enhancement, help wanted, C: gui-virtualization, privacy, C: Whonix, P: default
Keystroke fingerprinting works by measuring how long keys are pressed and the time between presses. Its very high accuracy poses a serious threat to anonymous users.[1]
This tracking technology has been deployed by major advertisers (Google, Facebook), banks and massive online courses. It's also happening at a massive scale because just using an interactive JS application in presence of a network adversary that records all traffic allows them to construct biometric models for virtually everyone (think Google suggestions) even if the website does not record these biometric stats itself.[2] They have this data from everyone's clearnet browsing and by comparing this to data exiting the Tor network they will unmask users.
As a countermeasure, security researcher Paul Moore created a prototype Chrome plugin known as KeyboardPrivacy. It works by caching keystrokes and introducing a random delay before passing them on to a webpage.[3] Unfortunately there is no source code available for the add-on and the planned Firefox version has not surfaced so far. There are hints that the author wants to create a closed hardware solution that implements this, which does not help our cause.
A very much needed project would be to write a program that mimics the functionality of this add-on but on the display server / OS level. Ideally the solution would be compatible with Wayland for the upcoming transition in the near future.
[1] http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/
[2] http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7358795
[3] https://archive.is/vCvWb
This is tracking the state of the issues on Qubes. It doesn’t appear to be working currently.
One could always use a hardware dongle to inject keystroke randomization. A basic Arduino would manage it.
There aren’t any Linux packages that could be installed in sys-usb? Something like interception-tools - ArchWiki
A Raspi 4 should also work: GitHub - viggofalster/kiri: KIRI - Keyboard Interception, Remapping, and Injection using Raspberry Pi as an HID Proxy.
If you have some C skills, you should also be able to insert some random delay here:
/*
* Copyright 2007 Peter Hutterer
* Copyright 2009 Przemysław Firszt
*
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without
* fee, provided that the above copyright notice appear in all copies
* and that both that copyright notice and this permission notice
* appear in supporting documentation, and that the name of Red Hat
* not be used in advertising or publicity pertaining to distribution
* of the software without specific, written prior permission. Red
* Hat makes no representations about the suitability of this software
* for any purpose. It is provided "as is" without express or implied
* warranty.
*
* THE AUTHORS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN
* NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
* CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
* OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
This file has been truncated.
(that should be qubes_drv mentioned in GUI virtualization | Qubes OS)
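The delay-buffer countermeasure described in the issue text above (cache keystrokes, forward each one after a random delay), sketched in C as an added example; it is not code from qubes_drv, KeyboardPrivacy or any project linked in this thread. The struct, the function names and the 100 ms bound are assumptions, and the sketch works on timestamps only rather than hooking a real input device.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record for one key press or release event. */
struct key_event {
    int64_t arrival_ms;  /* when the event reached the buffer */
    int64_t release_ms;  /* when it is forwarded to the application */
};

/* Integer in [lo, hi]; rand() keeps the sketch portable, a real tool should use a CSPRNG. */
static int64_t rand_between(int64_t lo, int64_t hi)
{
    return hi <= lo ? lo : lo + rand() % (hi - lo + 1);
}

/* Give every event (sorted by arrival) a random delay of at most max_delay_ms,
 * never releasing it before its predecessor. Returns the largest delay added. */
int64_t schedule_events(struct key_event *ev, size_t n, int64_t max_delay_ms)
{
    int64_t prev = INT64_MIN, worst = 0;
    for (size_t i = 0; i < n; i++) {
        int64_t lo = ev[i].arrival_ms > prev ? ev[i].arrival_ms : prev;
        ev[i].release_ms = rand_between(lo, ev[i].arrival_ms + max_delay_ms);
        prev = ev[i].release_ms;
        if (prev - ev[i].arrival_ms > worst) worst = prev - ev[i].arrival_ms;
    }
    return worst;
}

/* Returns 1 if typed order is preserved and every delay lies in [0, max_delay_ms]. */
int schedule_is_valid(const struct key_event *ev, size_t n, int64_t max_delay_ms)
{
    for (size_t i = 0; i < n; i++) {
        int64_t d = ev[i].release_ms - ev[i].arrival_ms;
        if (d < 0 || d > max_delay_ms) return 0;
        if (i > 0 && ev[i].release_ms < ev[i - 1].release_ms) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: arrival times of six key events, in ms. */
    struct key_event ev[] = {{0, 0}, {85, 0}, {140, 0}, {230, 0}, {300, 0}, {410, 0}};
    size_t n = sizeof ev / sizeof ev[0];
    printf("largest added delay: %lld ms\n", (long long)schedule_events(ev, n, 100));
    return schedule_is_valid(ev, n, 100) ? 0 : 1;
}
```

Because each release time is clamped to be no earlier than the previous one, a burst of fast keystrokes can be forwarded with near-zero gaps between them, but never out of order.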
Is the Qubes GUI-VM available on R4.1? It’s not available on my version.
The GUI VM is available, but not by default. GUI domain | Qubes OS
Another option:
Use a USB keyboard with sys-usb to dom0 forwarding via qrexec.
Put qrexec-proxy [1] in between and use a plugin to delay the keystrokes.
[1] GitHub - 3hhh/qubes-qrexec-proxy: Intransparent and modular Qubes OS qrexec proxy
Which plugin do you recommend using?
Does the qrexec with a plugin option require the GUI domain? How would this be implemented in the GUI domain?
Which way is simpler to set up? qrexec-proxy with a plugin or SYS-GUI?
No, qrexec-proxy is unrelated to the GUI domain.
You’ll probably want to look into the streamline plugin.
solene
August 28, 2023, 9:01am
14
A bit related to the topic, OpenSSH added support for keystroke time obfuscation
Quben
August 29, 2023, 5:02pm
15
Caveman solution: have you considered doing all of your typing in your vault qube notepad and then just pasting it in? I do this for performance/reliability reasons but I guess it doubles as behavior profiling protection.
Damn police getting way too crafty ain’t they