I love how the cybersecurity community consensus on this story is generally that the company deserved getting compromised for being so abusive and intrusive to their workers. https://www.tomshardware.com/tech-industry/cyber-security/north-korean-infiltrator-caught-working-in-amazon-it-department-thanks-to-lag-110ms-keystroke-input-raises-red-flags-over-true-location

Monitoring keystroke latency is an ADA complaint waiting to happen.

North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location

A barely perceptible keystroke delay was the smoking gun that led to the uncovering of a malign imposter.

Tom's Hardware

@hacks4pancakes I think it depends on what the data is used for, personally. (And tbh, I’m curious as to exactly what they are measuring). If this is a reliable way to detect someone using a laptop using an IP KVM, given their established attractiveness as a target, they’d be negligent NOT to do it.

However, if they then ALSO use that data to penalise regular workers, and nano-manage them to that extent (which doesn’t seem to be beyond them, given stories from warehouses, etc), then absolutely, terrible practices.

From a technical perspective, what exactly are they meaning by keyboard latency, I wonder? How can they possibly measure time between a physical key being pressed in NK, and it being received on the laptop in the US? If the person is typing fluently, there may be an initial delay (still not measurable, imo), and then the keystrokes should arrive with an approximation of the user’s inter-stroke timing, although things like batching of keystrokes into a single packet might be detectable, I guess.

@RoganDawes @hacks4pancakes

Yeah, and 110ms is maybe half the latency I'd expect from a trans Pacific connection anyway. So how are they figuring this? What latency are we talking about here?

@lackthereof @RoganDawes @hacks4pancakes

They're using words like "keystroke input lag". My only guess at what they mean is that the remote keyboard software might be waiting for confirmation that (e.g.) each keydown event is received before sending the next event, producing a low per-second polling rate and delaying the following keyup event. If so, that's going to make it look like each keystroke takes a lot longer than it normally would. OTOH, that behaviour would make a mouse pretty unusable, so IDK.

@BenAveling @lackthereof @hacks4pancakes keeping in mind that a USB keyboard doesn’t receive any confirmation from the host computer that the keystroke was received (other than the host polling for the next event), that seems like a weird thing for the IP KVM software to be doing.

Edit: but you might be onto something - measuring the time between key-down and key-up is feasible and could definitely be materially different between a local user and a KVM. Unfortunately, I’d expect that to be maskable programmatically - KVM client waits for the key-up event and sends them together with inter-stroke timing, KVM receiver emits them with that recorded timing.

@BenAveling @lackthereof @RoganDawes @hacks4pancakes
Yeah, TCP/IP delivery makes it inhumanly bursty. Some KVMs compensate with inhuman smoothing. I posted more info below.

I also reject that this implies bossware spying or ADA violation. There are so many ways to implement this AND leverage it in a way that prevents both. Ways that already fall into the pattern of how these hunts and investigations already go. IP-KVM seems likely here, and it’s been a known problem across the industry for years now. Plenty of time to develop a targeted response.

https://infosec.exchange/@mg/115748004655503420

MG (@[email protected])

I’m a bit concerned about the non-inquisitive celebration from infosec on this. Where is the “what does keystroke latency even mean?” Without that, you can’t implement it for yourself, nor can you identify weaknesses. ~3yrs I was privately proposing similar options. So, AS SOMEWHAT OF A KEYBOARD EXPERT MYSELF 🤔💅, let’s look…

Infosec Exchange
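The two host-side signals the thread keeps circling back to (key-down/key-up dwell times, and events arriving in TCP-style clumps or with suspiciously uniform timing) can be computed from nothing more than timestamped key events. The following is an added illustration, not code from any poster, Amazon, or any KVM product; the event format, the thresholds, and both sample traces are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class KeyEvent:
    t_ms: float   # arrival time at the host, in milliseconds
    key: str
    down: bool    # True for key-down, False for key-up

def timing_stats(events):
    """Dwell (down->up) times and inter-event gaps as the host sees them."""
    events = sorted(events, key=lambda e: e.t_ms)
    pressed, dwell = {}, []
    for e in events:
        if e.down:
            pressed[e.key] = e.t_ms
        elif e.key in pressed:
            dwell.append(e.t_ms - pressed.pop(e.key))
    gaps = [b.t_ms - a.t_ms for a, b in zip(events, events[1:])]
    if not dwell or not gaps:
        raise ValueError("need at least one complete key press")
    # Gaps of ~0 ms mean several events landed in the same network packet.
    clumped = sum(1 for g in gaps if g < 2.0) / len(gaps)
    return {"dwell_mean": mean(dwell), "dwell_sd": pstdev(dwell),
            "clumped_frac": clumped}

def assess(events, clump_frac=0.3, min_dwell_sd=3.0):
    """Return the anomaly labels that fire; [] means nothing unusual."""
    s = timing_stats(events)
    flags = []
    if s["clumped_frac"] > clump_frac:      # bursty, packet-aligned delivery
        flags.append("bursty delivery")
    if s["dwell_sd"] < min_dwell_sd:        # smoothed, too-regular hold times
        flags.append("inhumanly regular dwell")
    return flags

def trace(pairs):
    """Build a host-side event list from constructed (key, t_down, t_up) triples."""
    evs = []
    for key, t_down, t_up in pairs:
        evs += [KeyEvent(t_down, key, True), KeyEvent(t_up, key, False)]
    return evs

# Constructed sample traces (not captured data): a local typist, and the same
# word relayed by a hypothetical KVM that ships each down/up pair in one packet.
LOCAL = trace([("h", 0, 85), ("e", 130, 222), ("l", 250, 328),
               ("l", 390, 491), ("o", 500, 588)])
BURSTY = trace([("h", 0, 0.5), ("e", 1.0, 1.5), ("l", 400, 400.5),
                ("l", 401, 401.5), ("o", 800, 800.5)])

if __name__ == "__main__":
    print("local:", assess(LOCAL), "relayed:", assess(BURSTY))
```

Thresholds like these would need to be calibrated against a baseline of the same user's normal sessions before being useful as anything more than a triage hint.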
@RoganDawes @hacks4pancakes My thought exactly.
"We were in the middle of conducting our regular employee surveillance routines, when we came upon -"
@hacks4pancakes Wow. I've heard of a particularly horrible Chinese company measuring people's time "off-desk" (e.g. going to the bathroom), but this sounds even worse
@hacks4pancakes xD isn't the community dead now? where are people lol am i social media-ing wrong xD
@hacks4pancakes might as well exploit the perceived adversary I suppose. I'm more enjoying the hubris of "we caught one (1) person and now we'll reveal our method".