Keyboard Dynamics: I think it's FAKE. What do others think?


7 replies to this topic

#1 Guest_Aaron_Warrior_*

Guest_Aaron_Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 28 May 2017 - 03:58 PM

https://en.wikipedia.org/wiki/Keystroke_dynamics

 

I followed a link to a YouTube video where the narrator guy was throwing out techie buzz-words left and right, without giving any evidence that he actually understood any of them.  So while I'm in the middle of that feelz where you think you are paying attention to a BS-er or a scammer, he throws out this idea that "they" can identify you based on your "keyboard dynamics", i.e. the manner in which you type, specifically how fast you can type one key to the next, comparing speeds of left and right hands, which words type faster or slower, do you have problems with certain words that (statistically) others do not, etc...

 

So he's saying this like it's a THING, like they can do it now.  He didn't offer any context, which is one thing I want to talk about, but as I think of it, so maybe if you are typing directly to someone's website where they can record not only which buttons you pressed on your keyboard, but also the "dwell times" and the time from one key to the next, the total time of specific words etc..., something has to be measuring these speeds in real time, as they are being done and if the software isn't on your computer, then it has to be on the "target" computer (where you are sending the text TO), and all I can think of is a website where you can type text into a box.  For example, Bleeping Computer isn't going to get any other data from my computer in this post except the characters I've typed, as it's all going to be sent as a complete block of text only (and not any extra data such as how long it takes me, on average, to type from a "g" to an "e").

 

So I think the guy is full of it, and I tell him so, and so he comes back at me with a possibly spam link to a commercial website selling software that claims to be able to identify people based on their keystroke dynamics and so now my thinking is divided.

 

Either I'm wrong, it's really a legitimate "thing" and a company is making money on it, or I'm right, it's a scam, and a company is scamming people into believing that it's a "thing".  So I want to know and am soliciting the opinions and knowledge of others here, is this a legit means of identifying people, a scam or something in between, i.e. a new technology that may someday turn into something real, but isn't there yet.

 

And also I'm curious about how it is that people that believe that keystroke dynamics is legit, how do they think this "extra" information is acquired and transmitted.  Would YOU volunteer for this?  I wouldn't.  If it were a "thing", I'm certain there'd be software to install to make certain that nothing is collecting any data on your keystroke dynamics.

 

Do I understand all of this correctly, or am I wrong somewhere?

 

EDIT***

Oh and the wikipedia article (link above) feels very weak, which to me indicates that this is a lot of fluff and hype and not a lot of substance.


Edited by Aaron_Warrior, 28 May 2017 - 04:01 PM.




#2 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling

Posted 28 May 2017 - 04:11 PM

I don't truly know how much validity there is to it, but I would assume there is some.

I know that my typing style is different from others. I have my own set of idiosyncrasies when I type that likely most other people don't have.

Is it enough to narrow down to a single person all the time? I dunno. It is possible that there is no one else with the same idiosyncrasies but maybe there is.

The other issue is I just don't know how well any particular site might be able to get the data needed (i.e. time between keys typed, etc). For example, I just don't know for here on the BC forums if all that I type in a reply field just effectively "sits" locally on just my computer without being sent to the BC servers UNTIL I hit the "Post" button...or is there some way that they are "seeing" my realtime typing. If they can "see" my realtime typing, then I can see it as at least a little bit feasible.

#3 MDD1963

MDD1963

  • Members
  • 699 posts
  • OFFLINE
  •  
  • Local time:09:41 PM

Posted 28 May 2017 - 05:35 PM

What is the potential usefulness of it, I wonder?

 

Are we going to develop/install software that blocks/locks out users if they do not type at what the software considers their normal pace? :)


Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060


#4 unopie

unopie

  • Malware Study Hall Senior
  • 301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States
  • Local time:11:41 AM

Posted 28 May 2017 - 06:36 PM

There is probably no chance that anyone could find you exactly from a group of people just based on the way you type.

 

However, there is a good chance that they could narrow down the group, based on things like typing speed, pauses between "phrases of typing", or even if you use caps lock to make uppercase letters rather than using the shift key like most people.

 

Whoever is narrowing down the group will have to know what your keyboard habits are, to find you in the group in the first place. Some possible ways of doing this are some types of advertising program installed on the person's computer that record seemingly random information such as this. 



#5 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:41 PM

Posted 28 May 2017 - 07:25 PM

What is the potential usefulness of it, I wonder?
 
Are we going to develop/install software that blocks/locks out users if they do not type at what the software considers their normal pace? :)


Could be another way to "fingerprint" you for the purposes of advertising/marketing tracking stuff.

#6 Guest_Aaron_Warrior_*

Guest_Aaron_Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 28 May 2017 - 08:34 PM

Crazy Paranoid Thought of the Day:

Since Windows 10 is now "Software as a Service" (meaning Microsoft can do anything it wants to with it, since it's now a "service" and not a license to use an Operating System), what if Microsoft installed a keyboard dynamics "recording software" on your computer, and then shared (sold) that data to....

Advertisers?
Your Government?
The NSA (if you aren't in the US)

Some political party?

A foreign government?

 

Microsoft is uniquely situated to associate your keyboard dynamic "profile" with YOU, the human being.



#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:41 PM

Posted 30 May 2017 - 01:48 PM

The first reference in the Wikipedia link you posted is a paper that was presented at the 2009 IEEE conference.

 

They report a method with 97% accuracy for 14 characters.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Guest_Aaron_Warrior_*

Guest_Aaron_Warrior_*

  • Guests
  • OFFLINE
  •  

Posted 30 May 2017 - 05:10 PM

The first reference in the Wikipedia link you posted is a paper that was presented at the 2009 IEEE conference.

 

They report a method with 97% accuracy for 14 characters.

 

 Right so I read stuff like that in the Wikipedia article and on the surface I'm sure that impresses some people, but in practical terms, what does that really even MEAN?  How does one measure "accuracy" with regard to an analog activity like typing?

 

I thought about it for about an entire 5 seconds and decided the entire article was at best, weak, and at worst pure, 100% unadulterated spam marketing BS.  I've seen these articles in other areas of computing where some company stakes-out a place on Wikipedia and makes some lofty assertion that only a very few people in the world could even understand, much less effectively challenge with any credibility, and until such a time as the highly respected media such as CNN does an in depth study of the subject ("Byline:  CNN Reporter thinks ABC Anti-Virus smells like lemons and reduces impotency"), there's no one that can challenge the article based on sources, because there are no sources from highly respected and technologically competent sources like MSNBC, who you can trust to get the technical details on the recent advances in biometric software 100% correct, with no bias whatsoever.

 

Anyways, you posted, but you didn't say anything about what you thought.  Do YOU think "Keyboard Dynamics" is legit, with a 97% guaranteed accuracy rating in the first 14 characters, according to Deep State NSA sources whose only concern is to keep the American people SAFE from the horrors of international terrorism?  Because if so then I'm all in favor of it.  Anyone that can know who I am in 14 characters or less is worthy of my submission, ESPECIALLY if they can do it with a 97.4294% accuracy rating.  Hellfire missiles in Iraq aren't even that accurate.  It causes me to shudder with fear and delight when I wonder how accurate "they" are in 15, or even 16 characters.  In fact, I think I'm done posting my opinions online, as there's no overcoming this technology.  First thing to do is uninstall whatever software they are using on my computer to measure my "Keyboard Dynamics", well maybe I shouldn't after all you never know what they might do to me in response.

 

And also I need to figure out the telemetry aspect of this little neurotic notion that "they" are paying close attention to my every finger wiggle.  Even those times I make a mistae, I mean a mistap, a mistakep I mean a m i s t a k e and have to use the back-= back button.  They've got ALL of that baked-in to their 97.539210% accuracy rating. So let's just forget it, and worry.  Or better yet, let's pay someone some money to keep us safe from all of this keyboard surveillance.

 

Anyone else feel me here?  Or am I all A (75ms) L (158ms) O (224ms) N (94ms)E (43ms) out here?
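
The thread asks how dwell and flight times could be measured and what "accuracy" means for typing. The sketch below is an added example, not part of any post: it derives both timings from keydown/keyup events of the kind a browser delivers to a page, compares a typing against an enrolled profile, and reports the result as false-reject and false-accept rates. The function names, sample timings and the 25 ms threshold are constructed for illustration.

```javascript
// Added example; names are hypothetical, sample timings (ms) are constructed.
function mkEvents(text, dwells, flights) {
  let t = 0;
  return [...text].flatMap((key, i) => {
    const down = { type: "keydown", key, t };
    const up = { type: "keyup", key, t: t + dwells[i] };
    t = up.t + (flights[i] || 0); // next key goes down after the flight gap
    return [down, up];
  });
}

// Feature vector: every dwell (hold) time, then every release-to-press flight time.
function extractFeatures(events) {
  const down = {}, dwell = [], flight = [];
  let lastUp = null;
  for (const e of events) {
    if (e.type === "keydown") {
      if (lastUp !== null) flight.push(e.t - lastUp);
      down[e.key] = e.t;
    } else if (e.key in down) {
      dwell.push(e.t - down[e.key]);
      lastUp = e.t;
      delete down[e.key];
    }
  }
  return dwell.concat(flight);
}
// Enrollment: per-feature mean over several typings of the same text.
function enroll(samples) {
  const vecs = samples.map(extractFeatures);
  return vecs[0].map((_, i) => vecs.reduce((s, v) => s + v[i], 0) / vecs.length);
}
// Mean absolute deviation in ms between one typing and the enrolled profile.
function distance(profile, events) {
  const v = extractFeatures(events);
  if (v.length !== profile.length) return Infinity; // different text or lost events
  return v.reduce((s, x, i) => s + Math.abs(x - profile[i]), 0) / v.length;
}
// "Accuracy" is two error rates at a chosen threshold: false reject and false accept.
function errorRates(profile, genuine, impostor, threshold) {
  const rate = (set, pred) => set.filter(e => pred(distance(profile, e))).length / set.length;
  return { frr: rate(genuine, d => d > threshold), far: rate(impostor, d => d <= threshold) };
}

const PROFILE = enroll([
  mkEvents("alone", [80, 95, 110, 90, 70], [120, 140, 100, 130]),
  mkEvents("alone", [84, 91, 106, 94, 74], [116, 144, 104, 126])]);
const GENUINE = mkEvents("alone", [85, 90, 112, 88, 75], [125, 135, 105, 124]);
const IMPOSTOR = mkEvents("alone", [60, 140, 75, 130, 110], [60, 220, 50, 200]);
console.log(distance(PROFILE, GENUINE), distance(PROFILE, IMPOSTOR), errorRates(PROFILE, [GENUINE], [IMPOSTOR], 25));
```

Moving the threshold trades one error rate against the other, which is why a single "accuracy" figure says little without the threshold and sample size behind it.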





