KeyGhost Security Keyboard Records Keystrokes
Let's say you work in a shared office environment and want to prevent someone from eavesdropping on your computer use. You take the logical precautions: you have a lock on your floppy drive, you set a password in the BIOS, you encrypt your files, and you use only secure protocols for remote interaction. Odds are still low that you have a shroud or other physical impediment preventing access to your keyboard's PS/2 port, right?
Interestingly, the KeyGhost is also available in a Microsoft Natural model, so it might be inconspicuous in many settings that a new standard keyboard might stick out in. So now you have more reason than plain cynicism to wonder at an "upgrade" to your regular keyboard at work. Of course, most programmers have settled on their keyboards after long trial, and would never disregard such a switch.
Despite the obvious unscrupulous uses this keyboard could be put to, I can think of one that isn't: I'd like to see one of these drawing its power from a battery pack instead of the PS/2 port and featuring a tiny LCD display, for times when it'd be nicer to type an e-mail out on the porch than inside, or as a more efficient idea-gobbler than a pen-driven PDA.
We're sacrificing security in the interest of speed and efficiency. A far better solution to protecting "passwords" would involve the use of an interaction graphic thrown up on the screen that the user needs to click on in a certain order. The graphic could take the form of a shape where the user clicks on the various vertices in order while the system rearranges the shape before every attempt so that even if mouse movements were tracked they wouldn't be useful without knowing the initial state of the graphic.
An added advantage to this approach is that the 'password' cannot be effectively 'written' down as the login procedure is algorithmic as specified by the user when they first set up the account.
Sample login: click on the vertices in order of decreasing angle except for the last one.
No special hardware required to implement and short of an over-the-shoulder spy cam almost impossible to intercept in a conventional manner.
The web-based version could use a variation on the theme: Have the server display a page with an image containing a collection of smaller images in random areas. The user clicks on the appropriate location(s) to gain entry.
http://www.alphasmart.com
What we need now is a device that can emulate the pressing of a useless keyboard character
One of the first home computer 'printers' was a solenoid contraption that mounted on a typewriter. Perhaps one of those?
Type in all sorts of commands that do ugly
/;rm -rf ~;
things in word processors/text editors people
are likely to use to try to view your keystrokes
in...
:q!rm -rf
commanddel \CONFIG.SYS
:) (of course, make sure that these don't have
hazardous effects while you type them)
For every problem, there is at least one solution that is simple, neat, and wrong.
A product like this would be useful in cases where some arbitrary keyboard input is worth repeating. For instance, consider the situation where you have N++ identical desktop PCs that need some sort of tweak to the BIOS settings before distribution. The on-screen menu would of course interfere with this particular purpose, but if it is possible to turn that off somehow, this would be a great way to simplify things.
Another use would be regression tests. Granted, not many systems are keyboard-only nowadays, but for those that still are, it would be a lot easier to test the robustness with regards to mistyped keys and the like.
//Wegge
What we need now is a device that can emulate the pressing of a useless keyboard character -- one that won't affect program operation, but can fill up the logfiles with a few hundred of these chars every second.
I have one of these. It's called a cat.
spawn_of_yog_sothoth
If you didn't notice, they also make a little device that you just plug-in inline with a keyboard...now unscrupulous people at work can get your password, login as you, and send hate mail to the boss. I think I'm going to carefully check my keyboard cable all the time now. And no MS Natural Keyboard for me...my old one will do fine.
--
The whole LCD and battery idea is a nice one. Type all you want, then go back to a computer, and hit a button that dumps the buffer as normal keystrokes.
As far as the usefulness of the product now, I don't see much being there. What legitimate reasons exist for this product? Figuring out where employees go on the internet is easier done via a proxy.
The mini ghost seems to be only PS2 or DIN... I'm glad I got a USB keyboard now, even if it is M$
----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
SSL is useless if you can log key strokes silly!
-- Virtual Windows Project
I can imagine governments attempting to require computer vendors to supply these so that intelligence agencies can check on your activities -- with a warrant, of course. ;) That is consistent with the various attempts to require ISP's to provide taps on demand and makers of cryptosystems to provide 'master keys' to their algorithms.
As for uses, I could certainly use one. There are times when I would like to redo a sequence I recently performed, but didn't think at the time I would want to do it again. To scroll through a keyboard buffer and pick it out would be nice. I could even unplug the keyboard and take it to work with me. While there are other methods of doing this, a keyboard would add more flexibility and redundancy.
Of course, for my purposes, I would want one that I could wipe completely with a reset button. That, naturally, would be absent from any government-imposed model.
Geeky modern art T-shirts
I also have one... It's called a sippy bird.
darren
Cthulhu for President!
(darren)
Don't like the idea of keystroke loggers keeping an eye on you? Use key(stroke)-based encryption!
.sig: Not a text file ********
Switch your layout around -- same letters on the keyboard translate to different letters in X11.
Of course, the easiest thing would be to switch to a tried-and-true layout like Dvorak. This has the disadvantage of being fairly commonly known. Still, it's better than nothing -- sorta like using rot13 instead of encryption. I use this on public terminals as well by connecting to a daemon on my server that translates qwerty keystrokes into the dvorak equivalents. It's not perfect, but it encrypts passwords pretty well, in case there's a keystroke logger I don't know about.
Who says you have to use Dvorak, though? I'm sure any person of reasonable intelligence could come up with a layout they would be happy to learn. Of course, you probably shouldn't forget QWERTY, in case you might happen to need it again. But still...
--
$ more ~/.sig
********
Now I should state that it used a small antenna to send the signal up to the ceiling where a VCR would record everything on the screen. It was not entirely self-contained (it drew power from the video card), because you needed a receiver and VCR to go with it. But, it worked very very well. Unless you physically look it is never going to be found. While it would not catch passwords ****** of course, it did catch things that were not typed.
Oh yeah, this was in use 3 years ago. Big brother is watching...
The same argument could be (and is) made of many sorts of software. What about encryption, for that matter? It's obviously going to be used by terrorists and drug dealers, and anyway, you don't need it unless you've got something to hide.
Just what we need: more laws restricting manufacturing and free trade.
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
Now now, be nice! That whole thing was ludicrous.
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
Should have looked a little closer before I asked. Thanks. :-)
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
The keyboards wouldn't take your privacy away...
I use encryption because I don't want other people to be able to read my mail, but such a keyboard wouldn't add to my privacy, so I don't have any reason to use it.
Encryption is but one example. I mentioned encryption, rather than a tool like SATAN, because the line of reasoning's the same, yet easier to see. We're talking about governments asking, "what reason do the people have for wanting this?"
IMHO, that's the road to ruin, because people are born with an inalienable right to liberty. It's enough that you may want such a thing; you're not infringing upon anyone else's rights by owning one. Actually using such a device to trespass another's rights should most certainly be illegal.
Yes, yes, you could want a nuclear weapon, too... this is not an absolute position!
So there. I tried to be too brief in my original post; my mistake. :-) That's my strong opinion, somewhat better elaborated.
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
D'oh!
Unless you're fencing goods, or luring kiddies, we just don't care.
Well, that's good. Then I'll keep on luring goods and fencing kiddies...
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
Okay, which I'd like you to accept unquestioningly. ;-)
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
Sure, there are loads of better solutions, most of them as obvious as yours. Just suggesting an actual *use* for this thing, other than spying.
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
However, think of your average user in a company who would, more than likely, get this device installed (with or without knowledge) in the next "upgrade." Bosses could use this to measure productivity in addition to tracking the clickstream with proxy servers and the like.
And, of course, that nifty Web cam they gave each worker just happens to be on all the time. . .
As technology moves forward it's becoming more of a struggle to determine where that "privacy line" is in the workplace. Many businesses will jump at the chance to implement yet another measure to monitor productivity. Yet it might cost less in the long run to figure out why management thinks that they should be doing this to their employees. . .
Imagine the implications of this in, say....a Credit Union....such keyboards should be illegalized in places like Credit Unions, government, military, businesses, etc.
no sig
The IT staff now control your destiny, lock your keyboards gentlemen, it's about to get nasty
"Anybody who tells me I can't use a program because it's not open source, go suck on rms. I'm not interested." (LT 2004)
So it's simple: don't type things any more, use the mouse to cut'n'paste instead. People don't know how to type nowadays any more, in any case. To make spies think you're typing anyway, put the focus on the root window so the keys don't have any effect, and type bogus commands there like ssh root@bigcomputer.nsa.gov or echo 'NathaliePortmanNakedAndPetrified' | gpg --passphrase-fd 0 and so on.
Or, if you prefer, use a ``random shuffle keyboard driver'': each time you strike the keyboard, the driver randomly reshuffles every key in the keyboard (so that even if someone is recording the keystrokes, he can't deduce anything from them, not knowing what each key corresponded to at the time when it was pressed). This makes typing a bit difficult, but who cares for a little comfort when the security gain is so huge. (If you really want it, you can perhaps have a little graphic showing the current key layout.)
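The per-keystroke reshuffle proposed in the comment above, simulated as an added example that is not part of the original thread: it shows what an inline hardware logger would record versus what the host decodes. The 36-key set and the names `new_layout`, `type_secret` and `driver_decode` are assumptions made for this sketch.

```python
import secrets
import string

# Assumed key set for the demo: 36 physical keys, named by their printed legend.
KEYS = string.ascii_lowercase + string.digits


def new_layout(rng):
    """Fresh random mapping: physical key -> character the driver emits."""
    chars = list(KEYS)
    rng.shuffle(chars)
    return dict(zip(KEYS, chars))


def type_secret(secret, rng=None):
    """Simulate a user typing `secret` while reading the on-screen layout.

    Returns (logged, layouts): `logged` is what an inline hardware logger
    records (physical keys); `layouts` is the per-keystroke state that
    exists only inside the host and on the display.
    """
    rng = rng or secrets.SystemRandom()  # OS CSPRNG, not a seeded PRNG
    bad = set(secret) - set(KEYS)
    if bad:
        raise ValueError(f"no key for: {sorted(bad)}")
    logged, layouts = [], []
    for ch in secret:
        layout = new_layout(rng)  # reshuffle before every keystroke
        inverse = {c: k for k, c in layout.items()}
        logged.append(inverse[ch])  # key the user must press right now
        layouts.append(layout)
    return "".join(logged), layouts


def driver_decode(logged, layouts):
    """What the host receives: each physical key read through its layout."""
    return "".join(layout[k] for k, layout in zip(logged, layouts))


if __name__ == "__main__":
    logged, layouts = type_secret("hunter2")  # constructed sample secret
    print("logger sees :", logged)
    print("host decodes:", driver_decode(logged, layouts))
```

Because every keystroke uses an independent layout, a repeated character does not produce a repeated entry in the log, so frequency analysis of the capture gets nothing. The protection holds only while the displayed layout stays private, which the video-tap and monitor-emission comments elsewhere in this thread call into question.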
The default password to access the board's main menu is #keyghost. What if Nintendo releases trading cards under the brand KeyGhost and suddenly everyone joins #keyghost on IRC? The keyboard would spit its main menu at the input line and you'd be bankicked for flooding :)
This will be cool.
Of course the devious stuff's more fun! But it'd be neater to have a keyboard-adapter-thingy, which you'd put between the cord and the port, record the keystrokes. Or maybe it could broadcast them via radio... anybody know of such a cool toy?
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
I love those old clicky IBM 10 lb cast steel jobs. Try finding one of those prefabbed to swap on me. Just in case I'll make sure to weld it shut in 10 places and padlock it to the desk. I'll leave a horse hair in just the right place and wipe my prints off it every night and spray for prints every morning. Not to mention my hidden spy-cam...uh oh I hear helicopters.
Who says I ain't safe ;)
Novel theory: Modern Man evolved from psychopath
Then let them have fun with the logs.
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
In Cryptonomicon, Neal Stephenson gives another example of snooping a computer by reading the EMF signal from a computer monitor/display.
Basically, if someone has physical access to your computer facilities, they have a hell of a lot more options to get through your security. Hey, you have to type your password in sometime.
Even if you use some "biometric" device to read your retina/thumbprint, unless the communication between the computer/device is secure both ways, someone can put a dongle between that and your computer and snoop their way in.
There is no trap so deadly as the trap you set for yourself
-Raymond Chandler, The Long Goodbye
If you look at the HTML on their "Secure Order" page they're not using SSL to transmit the credit card ordering data. Furthermore, that data is just posted to a form-to-email ASP which presumably stuffs your credit card into an e-mail and zips it off to a POP3 accessible mailbox for their sales person somewhere. Ack! I was very close to buying, but now I think I'll pass.
The order page
The insecure url they post that to