I love how the cybersecurity community consensus on this story is generally that the company deserved getting compromised for being so abusive and intrusive to their workers. https://www.tomshardware.com/tech-industry/cyber-security/north-korean-infiltrator-caught-working-in-amazon-it-department-thanks-to-lag-110ms-keystroke-input-raises-red-flags-over-true-location

Monitoring keystroke latency is an ADA complaint waiting to happen.

North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location

A barely perceptible keystroke delay was the smoking gun that led to the uncovering of a malign imposter.

Tom's Hardware

@hacks4pancakes I think it depends on what the data is used for, personally. (And tbh, I’m curious as to exactly what they are measuring). If this is a reliable way to detect someone using a laptop using an IP KVM, given their established attractiveness as a target, they’d be negligent NOT to do it.

However, if they then ALSO use that data to penalise regular workers, and nano-manage them to that extent (which doesn’t seem to be beyond them, given stories from warehouses, etc), then absolutely, terrible practices.

From a technical perspective, what exactly are they meaning by keyboard latency, I wonder? How can they possibly measure time between a physical key being pressed in NK, and it being received on the laptop in the US? If the person is typing fluently, there may be an initial delay (still not measurable, imo), and then the keystrokes should arrive with an approximation of the user’s inter-stroke timing, although things like batching of keystrokes into a single packet might be detectable, I guess.

@RoganDawes @hacks4pancakes

Yeah, and 110ms is maybe half the latency I'd expect from a trans-Pacific connection anyway. So how are they figuring this? What latency are we talking about here?

They're using words like "keystroke input lag". My only guess at what they mean is that the remote keyboard software might be waiting for confirmation that (for eg) each keydown event is received before sending the next event, producing a low per second polling rate and delaying the following keyup event. If so, that's going to make it look like each keystroke takes a lot longer than it normally would. OTOH, that behaviour would make a mouse pretty unusable, so IDK.
@lackthereof @RoganDawes @hacks4pancakes

@BenAveling @lackthereof @RoganDawes @hacks4pancakes
Yeah, TCP/IP delivery makes it inhumanly bursty. Some KVMs compensate with inhuman smoothing. I posted more info below.

I also reject that this implies bossware spying or ADA violation. There are so many ways to implement this AND leverage it in a way that prevents both. Ways that already fall into the pattern of how these hunts and investigations already go. IP-KVM seems likely here, and it’s been a known problem across the industry for years now. Plenty of time to develop a targeted response.

https://infosec.exchange/@mg/115748004655503420

MG (@mg on infosec.exchange)

I’m a bit concerned about the non-inquisitive celebration from infosec on this. Where is the “what does keystroke latency even mean?” Without that, you can’t implement it for yourself, nor can you identify weaknesses. ~3yrs I was privately proposing similar options. So, AS SOMEWHAT OF A KEYBOARD EXPERT MYSELF 🤔💅, let’s look…

Infosec Exchange
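The thread raises two timing signatures a defender could look for on the endpoint: keystrokes arriving in batches ("inhumanly bursty") and keystrokes spaced too evenly ("inhuman smoothing"). The sketch below is an added example, not from any poster or from the article; it classifies a series of key-down timestamps by those two signatures, and every threshold, function name and sample series in it is a constructed assumption.

```python
from statistics import mean, pstdev

# Illustrative thresholds (assumptions, not values from the thread or article).
BURST_GAP_MS = 2.0     # gaps this short suggest keys delivered in one batch
BURST_FRACTION = 0.30  # share of batched gaps that counts as "bursty"
MIN_CV = 0.15          # human typing varies; a lower CV looks smoothed
MIN_SAMPLES = 8        # do not judge on very short runs of typing


def inter_key_gaps(timestamps_ms):
    """Gaps between consecutive key-down timestamps, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def classify_typing(timestamps_ms):
    """Return 'insufficient', 'bursty', 'smoothed' or 'humanlike'."""
    gaps = inter_key_gaps(timestamps_ms)
    if len(gaps) < MIN_SAMPLES:
        return "insufficient"
    if any(g < 0 for g in gaps):
        raise ValueError("timestamps must be non-decreasing")
    # Batching: many keys land almost simultaneously, then a long pause.
    burst_share = sum(g <= BURST_GAP_MS for g in gaps) / len(gaps)
    if burst_share >= BURST_FRACTION:
        return "bursty"
    # Smoothing: gaps are nearly constant, so the coefficient of variation is tiny.
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else 0.0
    if cv < MIN_CV:
        return "smoothed"
    return "humanlike"


def from_gaps(gaps, start=0.0):
    """Build absolute timestamps from a list of gaps (helper for the samples)."""
    stamps = [start]
    for g in gaps:
        stamps.append(stamps[-1] + g)
    return stamps


# Constructed sample series (not captured data).
HUMAN = from_gaps([142, 98, 210, 75, 160, 133, 305, 88, 120, 190])
BATCHED = from_gaps([0.4, 0.3, 0.5, 401, 0.4, 0.2, 0.6, 398, 0.3, 0.5])
SMOOTHED = from_gaps([50, 51, 50, 49, 50, 50, 51, 50, 49, 50])

if __name__ == "__main__":
    for name, series in (("human", HUMAN), ("batched", BATCHED), ("smoothed", SMOOTHED)):
        print(name, classify_typing(series))
```

This looks only at inter-key timing as observed on the laptop; it does not measure the one-way delay from a remote keyboard, which is the part the posters above doubt can be measured directly.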