I’ve come across two of these in the last few years of running interviews.
All you have to do is ask about where they live and what they like about it. One, when asked about living in a dead-flat suburb of Houston, said he liked the mountains.
Easy workaround, AI & LLMS can generate you a random area you live and a simple profile from the perspective of people
What do you like about New Jersey?
"I like New Jersey for its proximity to NYC and Philadelphia, the huge variety of food (from diners to boardwalk pizza), and the great beaches and boardwalks like Asbury Park and Cape May."[1]
According to the article (and therefore Amazon, so take it with a grain of salt), they’ve “foiled more than 1,800 DPRK infiltration attempts since April 2024.”
Company laptops are company property, and employees are warned prominently about the privacy implications of this. Endpoint security is the most critical protection against insider threats, which are the highest leverage attack vectors. One bad actor inside your infrastructure can do untold damage to company finances, reputation, trade secrets, etc. Add to this the sensitive data Amazon processes on behalf of clients, and protecting against these threats becomes necessary for survival.
Also, this detection method doesn’t require full key logging. It just requires measuring the latency between some sample of keystrokes and receiving them on the server. It could be implemented in JavaScript on the login page. In fact it’s actually a clever technique that could be used for VPN detection by normal websites… in the case of Amazon it’s probably more complicated since the “client” may be behind a KVM/VNC server, but the same concept works.
I fail to understand how you can measure keystroke latency coming from a KVM. Everything behind the KVM is invisible to you, assuming that it is spoofing a legitimate logitech dongle and emulating a legitimate screen edid.
The KVM uses buffering and queues the keystrokes. So the net time between them is the same as if I would type them locally.
What you could measure is the fingerprint of USB initialization and enumeration of keyboard, mouse etc when connecting and starting up.
It's actually the buffering in this case that will get you dinged. The stated 110ms "lag" is probably the minimum time between keystrokes ever. If you have ever recorded data on the mean time between keystrokes you get a nice even distribution but for someone on a KVM it will look very skewed with most being under 110ms and zero below 110ms which is impossible for a normal human at a machine to replicate
Furthermore, there are a number of other side channel attacks here you could use to make things really inconvenient. Something super powerful would-be having a fido2 key such as a YubiKey and recording the mean time to human press keypress. Your average person who is present at the machine will touch the button in a number of seconds. A remote operator in NK will have to summon the homeowner which could take significantly longer.
Another technique you could use is look at the mouse movement data. You would also see the same truncated. distribution, I think a few people have put together a PoC for detecting cheaters in games based on mouse movements.
I do wonder also if the KVM devices they are using support HDCP. Showing media over HDCP on the screen that instructs the user to write an email or make a phone call instantly would be pretty cool.
This is a dystopian consequence of an already dystopian fact that "you" might be a bot or someone completely different from what "you" purport to be.
In such a world, impersonation becomes too easy. It would be nigh impossible in the "all back to office" scenario, but people don't like that scenario either.
This is kind of dystopian if you think about it — they’re collecting all kinds of data from their workers. They probably can clock you in and out of your bathroom breaks automagically at some point soon.
All you have to do is ask about where they live and what they like about it. One, when asked about living in a dead-flat suburb of Houston, said he liked the mountains.
What do you like about New Jersey?
"I like New Jersey for its proximity to NYC and Philadelphia, the huge variety of food (from diners to boardwalk pizza), and the great beaches and boardwalks like Asbury Park and Cape May."[1]
[1]: gpt5-mini on duck duck ai chat
Pretty fascinating stuff.
https://codegolf.stackexchange.com/questions/41417/michael-c...
So if I'm reading this right, all the NK perpetrators have to do "next time", is to have a local remote-desktop as a proxy?
Company laptops are company property, and employees are warned prominently about the privacy implications of this. Endpoint security is the most critical protection against insider threats, which are the highest leverage attack vectors. One bad actor inside your infrastructure can do untold damage to company finances, reputation, trade secrets, etc. Add to this the sensitive data Amazon processes on behalf of clients, and protecting against these threats becomes necessary for survival.
Also, this detection method doesn’t require full key logging. It just requires measuring the latency between some sample of keystrokes and receiving them on the server. It could be implemented in JavaScript on the login page. In fact it’s actually a clever technique that could be used for VPN detection by normal websites… in the case of Amazon it’s probably more complicated since the “client” may be behind a KVM/VNC server, but the same concept works.
The KVM uses buffering and queues the keystrokes. So the net time between them is the same as if I would type them locally.
What you could measure is the fingerprint of USB initialization and enumeration of keyboard, mouse etc when connecting and starting up.
Furthermore, there are a number of other side channel attacks here you could use to make things really inconvenient. Something super powerful would-be having a fido2 key such as a YubiKey and recording the mean time to human press keypress. Your average person who is present at the machine will touch the button in a number of seconds. A remote operator in NK will have to summon the homeowner which could take significantly longer.
Another technique you could use is look at the mouse movement data. You would also see the same truncated. distribution, I think a few people have put together a PoC for detecting cheaters in games based on mouse movements.
I do wonder also if the KVM devices they are using support HDCP. Showing media over HDCP on the screen that instructs the user to write an email or make a phone call instantly would be pretty cool.
In such a world, impersonation becomes too easy. It would be nigh impossible in the "all back to office" scenario, but people don't like that scenario either.
Article is clear as mud, and its sourcing Bloomberg, on who has sketchy reputation on this type of stories.