Mandatory Keyloggers in Mumbai's Cyber Cafes

YIAAL writes "Indian journalist Amit Varma reports that Mumbai's police are requiring the city's 500 Internet cafes to install keystroke loggers, which will capture every keystroke by users and turn that information over to the government — nearly in realtime by the sound of it. Buy things online, and the underpaid Indian police will have your credit card number. 'Will these end up getting sold in a black market somewhere? Not unlikely.'"

In other words...

[Veinor]

Likely?

Re:In other words...

[MT628496]

Agreed. There's no reason to use the phrase 'not unlikely'.

Re:In other words...

[sunilbajpai]

It is likely that cyber cafes might vertically separate into two business lines: (a) WiFi service providers, and (b) laptop renting services. This is to be welcomed. Internet cafes forcing you to rent their outdated PC's, or regular cafes renting their expensive WiFi are both unholy economic alliances. On the other hand there are so many easy ways to defeat keyloggers!

It's Time For A Global Revolution

Am I the only one noticing how all the world's major nations are accelerating towards fascism? Perhaps we're headed towards some sort of violent global revolution, I know we here in the US are LONG overdue (what was it Jefferson said? A violent overthrow every decade is vital to the health of a nation?). I'm hoping for a world without borders and a benevolent, corruption-proof, completely transparent government. And abandoning coal and oil for nuclear power. And truly non-evil corporations. And free candy on Fridays for everyone.

Re:It's Time For A Global Revolution

[lastninja]

Surely Jefferson did not want the government violently overthrown every ten years? Does anyone have a link for this? BTW who should pay for the candy in a your utopia?

Re:It's Time For A Global Revolution

All money would come from taxing people who thought money was still needed in Utopia.

Re:It's Time For A Global Revolution

[TheLink]

Usually when a government gets violently overthrown, what replaces it is a Dictatorship that's willing and capable of the most violence.

Violent revolutions should only be reserved for "last resort" - there absolutely is no other choice[1]. Given that India is a democracy, they have a choice, and if you don't like the candidates, get others to stand for election then.

That's why Karl Marx was either an idiot or an evil person because he recommended violence as normal standard procedure.

[1] Even if you're already stuck in a dictatorship, sometimes it's just better to wait till the next generation takes over. See China - things actually got better and most steps after Mao's time, whereas if you had another violent revolution, you'd probably get another Mao in charge.

Violent revolutions are like playing russian roulette with 5 out of 6 bullets loaded in your revolver. You're hoping you get a benevolent dictator who'd set things up properly then peacefully and orderly hand over power to the citizens. This does happen sometimes, but never bet on it.

Would you give up 1 billion dollars if you found it in your bank account due to someone _else_ doing illegal stuff AND you know you can get away with it due to some loophole? There are a few people who'd say "sure, because it is just wrong to keep it". The Dictators you'd want are an even smaller _subset_ of those people (you need them to be competent dictators as well ;) ).

Re:It's Time For A Global Revolution

[fishbowl]

>Violent revolutions should only be reserved for "last resort" - there absolutely is no other choice.

So the colonies should have bit the bullet and waited for the next king to come around?

Re:It's Time For A Global Revolution

[RexRhino]

So the colonies should have bit the bullet and waited for the next king to come around? The colonies had their own governments, which for the most part had very weak ties to the central government in England (and England was several months sea voyage away). The primary government of the colonies wasn't being overthrown, the primary government of the colonies were actively participating in the overthrow of what they realized was a foreign power.

The American Revolution had some very unique circumstances that don't typically exist in most revolutions.

That isn't to say that people facing an oppressive government shouldn't overthrow the government... but most revolutions won't have the very specific advantages that the United States had in its revolution. The United States got VERY VERY VERY lucky with the circumstances of its revolution.

Re:It's Time For A Global Revolution

Treason doth never prosper; what's the reason?
If it doth prosper, none dare call it treason.

Re:It's Time For A Global Revolution

[porcupine8]

When I was in elementary school, second grade I think, our bus driver handed out free candy every Friday. Her name was Pat; you should track her down and put her in charge of that department when you take over the world.

Re:It's Time For A Global Revolution

[Lobster+Quadrille]

The colonies had their own governments, which for the most part had very weak ties to the central government in England (and England was several months sea voyage away). The primary government of the colonies wasn't being overthrown, the primary government of the colonies were actively participating in the overthrow of what they realized was a foreign power.

The American Revolution had some very unique circumstances that don't typically exist in most revolutions.

I beg to differ. That is exactly what most revolutions are fighting. For example the IRA is fighting British control, various groups in Latin America are fighting the control of the imperialist USA, African nations are against more powerful African nations, etc.

Show me a revolutionary group, and I'll show you somebody fighting against either a foreign power or a local power under foreign influence. I may not agree with revolutionary practices (I usually do), but it's hard to argue with the objectives and reasoning.

Re:It's Time For A Global Revolution

[p0tat03]

The way I see it, and from what I've seen through history, violent revolution is inevitable. No government is perfectly stable, and eventually all will fall. I see revolutions as a natural part of a cycle - birth, rise, rule, and collapse of an empire/government/civilization, only to begin anew again. Some countries unfortunately are stuck in a perpetual loop of revolution, which is sad, but that being said I do not think revolutions in general are avoidable. This is not to say I *condone* violent revolution per se, but rather that I think it is inevitable.

Furthermore, revolutions are a critical part of wealth redistribution. No matter how their contemporaries (or even historians!) try to sugar coat it with glitzy values like purity, freedom, liberty, etc, every major revolution that's ever occurred has had their basis in economics. When an oligarchy appears, when the poor and destitute become the majority, and simply when the wealth gap gets ridiculously wide, society will revolt and equalize the wealth (usually by slaughtering the rich). This is why I'm wary of the growing wealth divide in first-world nations, as the wider we get the closer we are to the next big revolution.

Re:It's Time For A Global Revolution

[z0M6]

That's why Karl Marx was either an idiot or an evil person because he recommended violence as normal standard procedure.

Or more likely, you are the idiot. He did not recommend violence as normal procedure. He made a theory stating something along the lines that any thesis would have a antithesis. And these would form a synthesis, which would have its own antithesis.

Way to go describing philosophical activities as warmongering. Karl Marx thought that a change would come through violence because it was most likely.

Re:It's Time For A Global Revolution

[speaker+of+the+truth]

For example the IRA is fighting British control Ireland is several months voyage away from England? No? Then shut the fuck up. The only time a modern government could replicate the distance and situation of the American colonies is if we suddenly lost much of our technology (or the capability to use it) or if the people were on another planet and were self-sustaining.

Re:It's Time For A Global Revolution

Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn that mankind are more disposed to suffer, while evils are sufferable than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.

Re:It's Time For A Global Revolution

[TheLink]

I'm saying people should not seek or condone violent revolution when there are other options.

Death is inevitable. But that does not mean we should choose options that would reduce the average lifespans AND not improve living conditions either.

Re:It's Time For A Global Revolution

[TheLink]

Assuming the translation is correct, Karl Marx wrote this:

"The Communists disdain to conceal their views and aims. They openly declare that their ends can be attained only by
the forcible overthrow of all existing social conditions. Let the ruling classes tremble at a Communistic revolution. The proletarians have nothing to lose but their chains. They have a world to win."

While I am indeed an idiot, I can still read and understand what "forcible overthrow" means and implies (especially given the context).
"gewaltsamen Umsturz" = Revolution by force.

My claim still stands - a "Communist Revolution" is one of the best ways to create a dictatorship.

India is still a democracy (they don't use Diebold voting machines the last I checked), so they can and should still fix things in nonviolent ways. The many communists in India might prefer the Marx approach but if they choose that they're being ignorant or evil.

Re:It's Time For A Global Revolution

[Bombur]

> That's why Karl Marx was either an idiot or an evil person because he recommended violence as normal standard procedure. Marx recommended nothing. He predicted it, he believed that communism was the inevitable future that would come down on the industrialized nations. But for most nations, the predicted growth of an underpaid and really exploited workforce just did not come into being, and so the socialist revolution was cancelled.

Re:It's Time For A Global Revolution

[dunkelfalke]

exactly how many democracies were there in the year 1847?
exactly. and there are only two ways to end a monarchy:

1) forcible overthrow
2) resignation of the monarch

since the second option is very unlikely...

Re:It's Time For A Global Revolution

So, India, a nation with massive illiteracy, is a democracy? Interesting...tell me more.

Re:It's Time For A Global Revolution

[DeepHurtn!]

Hey, stop that! Reason and facts are *totally* inappropriate when talking about Marx with (most) Americans!

Re:It's Time For A Global Revolution

[VJ42]

The way I see it, and from what I've seen through history, violent revolution is inevitable. Really? You the last time my country had a real violent revolution was in 1066 when we were invaded by the Normans (if that counts as a revolution), since then governments have come and gone, political parties have been founded and disbanded. Our system of government has changed from an absolute monarchy to a parliamentary democracy, we gained an empire and then lost it.

We even tried to have a revolution, but it was more of a civil war, and despite the king getting his head cut off, we decided that a monarchy was preferable to a republic and crowned his son king after the intervening military dictator died. We call our revolution bloodless. I think near on a thousand years without a violent revolution, but instead a series of evolutions, sometimes bloody, at others not proves that it's not "inevitable".

Re:It's Time For A Global Revolution

[VJ42]

exactly how many democracies were there in the year 1847?
exactly. and there are only two ways to end a monarchy:

1) forcible overthrow
2) resignation of the monarch

since the second option is very unlikely... Whilst there was no universal suffrage*, we have had representation in parliament since 1265. So at least one. Indeed we founded many of modern democracies bacic principles pre 18th Century. Admittedly we haven't yet removed our monarchy, but no one should seriously doubt Britain's claim to be a representative democracy now.

*only land owners were allowed to vote, so as Rowan Atkinson put it in Blackadder: "take Manchester for instance. Population: 60,000. Electoral roll: 3"

Re:It's Time For A Global Revolution

[Hyperspite]

I've proposed this on /. before, but no one responded. What if we added an amendment that reset the government every 200 years or so (of course the 1st reset would occur as a special case say in 20-50 years after passage since we are already past that). All incumbents would be banned from office and in order to avoid people just waiting out the change, you set an age range on potential office holders. All laws would be scrapped, all precedents would be void. It would be a great opportunity. The only thing intact would be the constitution and its amendments. Of course, I'd like to see judicial review put into an amendment if that were to happen, just to ensure its continuity.

Re:It's Time For A Global Revolution

[Panaqqa]

I'm not sure it is the government imposing this on the Internet cafes. My suspicion is that the police have simply taken it upon themselves to arbitrarily force Internet cafes to install keyloggers. Get rid of the government and you still have the police there - and they would no doubt take advantage of the period of disorder to impose even more of their own rules.

Given the choice between out of control government and out of control police, I'll take government any day.

Re:It's Time For A Global Revolution

[dunkelfalke]

yeah and how was it made possible?
right, after a civil war.

it just reinforces my point.

Re:It's Time For A Global Revolution

[d34thm0nk3y]

I think near on a thousand years without a violent revolution, but instead a series of evolutions, sometimes bloody, at others not proves that it's not "inevitable".

The Roman Empire lasted 1000 years then fell.

Re:It's Time For A Global Revolution

[dwye]

> We even tried to have a revolution, but it was more of a civil war,

Followed by a Restoration, Monmouth's Revolt (which failed) then the Dutch Conquest (which succeeded, and was then called "The Glorious Revolution" by the party that invited the Prince or Orange to take over). And that would have been followed by couter-revolution had James II and descendents been less feckless, militarily.

Preceded by the Rose Wars, various peasant revolts before, during, and after. Preceded by Simon de damn-I-forgot-his-name's revolt (DeMontfort?). Preceded by civil wars between Stephen De Blois and Maude Conqueror's Daughter.

And that is just the violent revolutions back to 1066 that I remember.

> I think near on a thousand years without a violent revolution,

And they accuse us Americans of having no sense of history. HAH!!

Re:It's Time For A Global Revolution

[dwye]

> *only land owners were allowed to vote, so as Rowan Atkinson put it
> in Blackadder: "take Manchester for instance. Population: 60,000. Electoral roll: 3"

Which proves that he didn't know beans (pun just happened). Manchester had 3 (if that is right. I thought that they had none. Some other city, I guess) because that was the proportional representation from the last census. Granted, that last census was the Doomsday Book, was a century out of date by the first Parliament, and that then they ignored that half of all English Boroughs had been abandoned in the aftermath of the Black Death, and a bunch of new cities sprung up that, naturally, hadn't any representation because they had no population (at least in the late 1200s).

Quite representative. :-)

Re:It's Time For A Global Revolution

[musicmaster]

A stable country is a balance of power between a large number of people. That balance may bring some slowness of decission making, but it prevents most extreme and revolutionary policies. Revolution concentrates power in a few hands and that can easily go wrong.

As for wealth distribution: it is usually the extreme circumstances that create the skewed distribution. Charles Dickens lived in the industrial revolution. We see now an increasing inequality as a consequence of the computing revolution and the rise of China. On the other side: the stable 1950s gave rise to the equality minded 1960s. So my advice: just wait and you will see that at some point the situation will stabilise and you will get more equality again.

Many developping countries have an extreme inequality. This is partially still the product of the independence revolution. Partly it is the consequence of neo-colonialism, where some other country supports the elite so that it doesn't have to care about the rest of the country.

Re:It's Time For A Global Revolution

[tehcyder]

But for most nations, the predicted growth of an underpaid and really exploited workforce just did not come into being, and so the socialist revolution was cancelled.

No, what we ended up with (in the UK and Western Europe at least) was a compromise between pure socialism and pure capitalism.

Re:It's Time For A Global Revolution

[Ladroo]

This story about mandatory keyloggers for cyber cafes has not been confirmed by the Mumbai police. It is an initiative by an organization called the Foundation for Information Security & Technology in Mumbai. There is however a large section of people in India who are willing to go along with this proposal if it helps prevent them getting blown up to bits by terrorist bombs. This article, for example, reflects the mindset http://privatesoliloquy.blogspot.com/2007/09/keyloggers-in-indian-cyber-cafs-scare.html

Re:It's Time For A Global Revolution

[fishbowl]

> Ireland is several months voyage away from England? No? Then shut the fuck up.

Ah, so we are going to apply arbitrary distinctions, and use those to stifle discussion.

But why?

[edlinfan]

Mumbai's motives are unclear. Do they fear that these computers are being used by criminals, do they want to closely monitor the activity of random people, or are they simply after your credit card numbers? Hmmmmm. I must know more.

Re:But why?

[jb.cancer]

Going by the fact that it's mumbai, the policy was likely pushed by the underworld? not unlikely either. The indian police is as tech-savvy as my bull-terrier. All you need is some extortionist feeding some new ideas into the already corrupt khakhi-heads!

Re:But why?

Their motives are the same as those of the average government body everywhere in the world: under the guise of providing a "necessary" service to "help" or "protect" the citizens, seize some additional means of power or wealth for themselves.

It's not that difficult to limit this problem -- even in the 1700s many people understood the importance of separation of powers, with the bodies acting as each others' watchguards -- but for some reason the majority is always tricked into eliminating such separation, by unscrupulous politicians who are obviously hindered by the practice.

lets go after the innocent

[Mrs.+Grundy]

Of course this is ridiculous because the only people that will be effected by it are innocent people. Criminals and (gasp) terrorists will simply find other ways of communicating. The cafe owners will lose business, and innocent folks will suffer a completely useless invasion of privacy so the government can say they are doing something without actually doing something that makes any difference.

Re:lets go after the innocent

[Bonobo_Unknown]

I predict the sudden rise of on-screen keypads, operated via the mouse.

Re:lets go after the innocent

[Mouthless+Wolf]

That actually works? I always thought it was a myth. @OP: Nicely said.

Re:lets go after the innocent

[CheeseTroll]

That may not help, depending on the sophistication of the keylogging software. Here's an interesting article I found on the subject... http://www.pcmag.com/print_article2/0,1217,a=18129 0,00.asp

Using something like Password Safe (http://passwordsafe.sourceforge.net) on a USB key would be helpful, as it gives you the option to copy individual usernames & passwords without even viewing them.

Re:lets go after the innocent

[Bonobo_Unknown]

I was more referring to small java apps or the such. When I was living in South America my bank over there had a website where you entered your pin via a number pad on the website, only the number pad kept on re-ordering itself randomly so that the numbers all changed their locations, so it would have been quite hard to write any sort of logger to capture that data.

Re:lets go after the innocent

[ls+-la]

Of course this is ridiculous because the only people that will be effected by it are innocent people. Criminals and (gasp) terrorists will simply find other ways of communicating. The cafe owners will lose business, and innocent folks will suffer a completely useless invasion of privacy so the government can say they are doing something without actually doing something that makes any difference. At least in India, the authorities have the courtesy to tell you they're logging your keys.

Re:lets go after the innocent

[Rakishi]

Not really that hard just more complicated/specialized, just take a screen shot around each mouse click location (or of the whole screen during a mouse click). Trivial if they do this only for specific websites (ie: only do this type of logging when you are on such a website).

Re:lets go after the innocent

[bladesjester]

At least in India, the authorities have the courtesy to tell you they're logging your keys.

As the first thing that pops into my mind is
"I'm in Ur computer loggin Ur keys"

Re:lets go after the innocent

[DMUTPeregrine]

Yes. OR the simlper method: capture the output of the screen-keyboard program instead of the input. The data has to be understood by the computer at some point, and at that point you can capture it.

Re:lets go after the innocent

[Dunbal]

As the first thing that pops into my mind is
"I'm in Ur computer loggin Ur keys"

      This is what happens when you visit "that other place" too often.

Re:lets go after the innocent

[complete+loony]

Ah but the data still goes through the clipboard, which makes it fairly easy to capture and log.

Re:lets go after the innocent

This is what happens when you visit "that other place" too often. Yeah, you must be new here to not know to use the Official Slashdot overused jokes. I for one, welcome our new joke-bearing guests (but imagine a beowulf of them!) It is just beggin' the question.

Re:lets go after the innocent

[chaosite]

Therefore the best point to 'decipher' it would be at the Bank's server.

Re:lets go after the innocent

[mlts]

I thought myself that on screen keyboards would be a great thing, but most modern keyloggers can take highly compressed screenshots when someone clicks the mouse, and some can do FRAPS-like video logging. To boot, a number of on-screen keyboards use the keypress stack, so the keylogger will catch the key clicked on like a normal pressed one.

Probably the best of all worlds for guarding passwords to make sure that a logged password doesn't mean full access would be a securID like system with a keyfob that gives numbers, or a device you punch in your PIN, it gives a random number that you use instead of your password. As for a solution without a hardware device, S/Key or OPIE would a great help here, and has been in BSD for many years. Just print out a list of one time passwords before leaving for the day.

For credit cards, some banks are proactive and offer one time use numbers. This should be a lot more widespread, so if a bad guy does grab a card number, all it will get him/her would be DECLINE messages.

Re:lets go after the innocent

[arth1]

Say your password is (for simplicity) 2007

Enter 1234567890
Copy the entire string
Paste it two more times
Delete all the characters you don't need using "backspace". Click to position, never use the arrow keys.

You now have entered 2007. All you can find from the keylogger is "1234567890" and a bunch of backspaces. Similarly, the clipboard also only contains "1234567890".

As for screenshots, surely password forms don't echo the password in plaintext, but instead use asterisks or discs to hide it?

Regards,
--
*Art

Re:lets go after the innocent

[Arethan]

Yes, it can go through the clipboard, and it often does as that's the easiest way to paste text into a random text box. However, there are other methods of moving data that do not require the use of the clipboard. For instance, Win32API provides applications with the ability to pass messages directly to other windows. Since every control is a window (more or less), you can actually inject the keydown/keyup messages directly into the desired control without ever touching the OS's keyboard hooks or the clipboard. All you need is the target HWND, which the user could easily supply through some global hotkey that triggers a focus probe.

Still, even that doesn't really solve the problem. All I did there was move it. The OS could still be hooked for all messages. In the end, nothing you do can make an unknown terminal secure. If you didn't bring your own laptop, known to be secure, and use network encryption with preshared keys, you're just asking to be spied upon. It's just a matter of how much effort the eavesdropper wants to expend to get your data.

Re:lets go after the innocent

[vtcodger]

***For credit cards, some banks are proactive and offer one time use numbers. This should be a lot more widespread, so if a bad guy does grab a card number, all it will get him/her would be DECLINE messages.***

I've been meaning to look into one time numbers as using credit cards on line makes me nervous. In fact, using them at all makes me nervous since a lot of corporate data bases seem not to be as secure as they should be.

What confuses me is that getting a one time number clearly involves some sort of authentication process. Won't the dude with the keylogger be able to intercept my authentication to my credit card company and subsequently be able to generate his own one-time numbers that bill to my account?

Re:lets go after the innocent

[Antique+Geekmeister]

I predict that if the One Laptop Per Child project can ever get going properly, that we're going to see a huge number of them used as plug-in terminals to avoid exactly this sort of monitoring.

Re:lets go after the innocent

[mlts]

You are right. Someone can log one's bank transaction if the home machine is compromised, or if the crook is fast, use the generated one time number before the legitimate retailer can.

What the individual, one time use, credit card numbers provide protection from are unscrupulous or poorly secured retailers rather than a user's machine with bad security.

Some banks address the way one time numbers are distributed by sending the bank customer a scratch off card via physical mail. When the customer needs to use a new one time number, he or she just scratches off the line and enters it in. Of course, physical mail is interceptable, but it keeps a purely remote thief from making off with the goodies.

Re:lets go after the innocent

[Aranykai]

...which still puts the passwords through the clipboard. No thanks.

Re:lets go after the innocent

[FractalZone]

I predict the sudden rise of on-screen keypads, operated via the mouse.

I predict the sudden rise of use of cheap (think OLPC or slightly used) laptops they carry into cyber cafes. Secure USB drives with lots of security software (think password vaults, heavy encryption tools, and lists of servers outside of restrictive zones that will decrypt traffic sent to ordinary sites, snag the responses and encrypt them before passing them back to the user in the cyber cafe. All of the hardware and software I'm thinking of can easily be obtained for under $300(USD) as much of the software is freely available.

The catch is that anonymous secure servers can be easily blocked by fascist governments so that their victims...er, uh...subjects can't access those IPs easily from within the borders of totalitarian nations. But look at what has been happening to Internet traffic in and out of mainland China in recent years. News still gets through.

Sure, the gestapo types in oppressive nations will still have complete access to all of the traffic going in and out of the cyber cafe in this scenario, but the bulk of it will be unreadable gibberish unless they have the right keys but those are stored (encrypted) on the USB drives of people carrying inexpensive laptops with only mundane software installed on them and holding only innocuous data. The stuff meant to be kept away from prying eyes is all on a reasonably locked down memory stick that can be concealed on the user's person. If the software he uses any good, all traces of the private communications that took place over the cafe's subnet will be wiped from the laptop's drives. The software should have a boss (Big Brother?) feature that will quickly perform such a cleaning and secure the memory stick in the event of a raid.

None of the above will thwart a determined bunch of government goons who are targeting a handful of suspects, but unless that government wants to either make using any sort of encryption ware illegal and also frisks a significant number of cafe goers, or prohibits the use of private laptops at public sites, it will certainly be enough for the guy who is having an affair with the local police chief's daughter.

(I'm sure I left out some stuff, but /. readers are savvy enough to know that what I describe can be done at the price I mentioned or perhaps a lot less in developing nations with thriving black markets for anything the government doesn't want its oh-so-content citizens to have.)

The real key will be the availability of sufficient numbers of secure servers in more free nations. Those servers will have to have lots of floating IP addresses all over the world, so when a draconian government blocks one known set, another will go into use and the (underground) rumor mill will quickly ensure that things are restored to business as usual.

It would be way cool if large organizations such as MS, Google, Yahoo, etc., that have a lot of normal traffic coming through their IP addresses would also provide secure communication server services via those same IPs. That way, if India or China wants to start blocking IPs, it also effectively cuts off the access to the important Internet sites and services that its own government officials and major business people have come to rely upon. Given that MS, Google, Yahoo, etc. are very busy trying to make piles of money in nations such as India and China, I don't expect that to happen.

[Can you tell I'm killing time while doing laundry?]

One final thought: governments ultimately exist to serve themselves, most sooner rather than later.

Re:lets go after the innocent

[mpe]

Of course this is ridiculous because the only people that will be effected by it are innocent people. Criminals and (gasp) terrorists will simply find other ways of communicating.

Assuming they havn't already worked out ways of communicating which are unaffected by third party evesdropping. Actually this may well have an effect on criminals, the information gathered is potentially very valuable to criminals. Most obviously identity theft and blackmail.

The cafe owners will lose business, and innocent folks will suffer a completely useless invasion of privacy so the government can say they are doing something without actually doing something that makes any difference.

That's the best case senario. The problem with such "security theater" is that it is quite capable of weakening actual security.

Re:lets go after the innocent

[Technician]

I predict the sudden rise of on-screen keypads, operated via the mouse.

Nope, the rise of live CD's and thumb drives.

Re:lets go after the innocent

[DrSkwid]

Yes, go on, stick your thumb drive in, my auto-mounter copies the contents and mails it to me. You should see some of the things folk carry around with them !

Re:lets go after the innocent

[fork_daemon]

May be not even a mouse.. How about a Wiimote? ;)

Re:lets go after the innocent

[The+Conductor]

Well, the key exchange can be made secure on untrusted hardware, if you use one-shot keys or a challenge-response protocol. But that is really a case of extending the unsecured part of the network from the ethernet interface to the human-computer interface. You still have trusted hardware: the blinky-number keyfob, or simply a trusted sheet of paper with crypto-keys.

To make the whole session secure, all the displays and responses would have to be encrypted, possible in principle by directing all web browsing though an encrypting service, but rather cumbersome. You would have formulate encrypted codes ahead of time for the transactions you want to initiate, and/or print out your gibberish-looking bank transactions & take them home to decrypt with your WW2-style code book. Basically a return to card-punch batch programming.

Re:lets go after the innocent

[Hyperspite]

What else you could do is write a program that detects the phone home messages and then you could reverse engineer the way the key logging software operates. Rinse and repeat every week or two or better yet, set up an NPO that constantly works on this problem and releases bulletins on how to protect yourself.

Re:lets go after the innocent

[Bonobo_Unknown]

Perhaps what is needed in highly populated areas is a peer to peer wifi network. Something that makes use of people's cell phones and wireless network devices on laptops and desktops.

good thing

[tedshultz]

This is a good thing for people outside of India. I always worry about key loggers, but no systems I use remotely allow me to use any other means of authentication besides passwords. This will make other better systems more common, and more available. But in the mean time, this sucks for them...

Re:good thing

[nacturation]

This is a good thing for people outside of India. I always worry about key loggers, but no systems I use remotely allow me to use any other means of authentication besides passwords. This will make other better systems more common, and more available. But in the mean time, this sucks for them... When I travel, I consider any cyber cafe to be monitored either by the owners or by someone who has installed a trojan as most are running Windows XP as full administrator.

However, for other authentication mechanisms besides passwords you could always use One-Time Pads. As this article explains you can use this at least with FreeBSD (I'm sure others have this implemented as well) to login remotely, type your password in plaintext, and nobody can replay the login as the OTP has changed to the next one. There are even programs for phones/PDAs to generate the next password in the sequence given the initial seed values.

That should be secure enough, assuming that your session doesn't get hijacked for example. And it depends on the cafe you're at to support SSH. As to then logging in to other services and bringing up a GUI, that I don't have any experience with. But for basic server admin and email, it should be adequate.

Bypassing keyloggers

[QMalcolm]

I've been told by many people that using a visual keyboard can be used to prevent your keystrokes from being logged. Is this true? Are the characters logged only if you are physically using a keyboard, or will it still catch them as long as they're being placed in some sort of text form?

Re:Bypassing keyloggers

Maybe to bypass the inline ones that sit on the physical connection between the keyboard and the keyboard port, but those things can't send the info to the authorities in realtime, so it's likely they're talking about software that runs in Windows as a driver or some other service. In which case, a visual keyboard probably wouldn't help.

Re:Bypassing keyloggers

[operagost]

A true keylogger can't capture mouse clicks. However, I have heard that there are much more sophisticated programs that can record what character are under the pointer when the button is clicked.

Re:Bypassing keyloggers

The only way to "bypass keyloggers" is to not have a key logger running in the first place. People should use LiveCDs on pub terminals. And HTTPS sites.

Also, probably 99,98% of public boxes have multiple keyloggers running on them. As in malware picked off the net onto the unpatched windoze boxen using the wonderful internet exploiter...

Funny how the summary doesn't give any reason for this deployment besides ye olde bent cop blues...

fuck keyboards...

[middlemen]

Fuck keyboards and keyloggers, I shall use my mouse to do everything...

Re:fuck keyboards...

[AmberBlackCat]

Somewhere, a Linux user is reading that and throwing up.

Just like home

[davmoo]

Damn...they're getting almost as bad as the FBI...

Character Map...

[dosh8er]

... is your new friend ?

The issue comes up again...

[ddcc]

Will it work on Linux?

Re:The issue comes up again...

[indraneil]

actually, it might not, but then it does not have to.
Without exception, Indian cyber cafes have PCs that come preloaded with windows.
Often its cobranded with the ISP.
Often all that is available to the user is internet explorer, Microsoft word and yahoo messenger (by that I mean, those are the only 3 icons on the Desktop - for most people, they are equivalent)

I can imagine the Mumbai police doing some thing as hare-brained as that. It might be their attempt at fight against terror. I am hoping that people will wizen up to it. The publicity here an elsewhere might help!

kdawson AGAIN

er don;t use the PUBLIC terminals in cyber cafes for things you would rather have secret. problem solved.

Re:kdawson AGAIN

[porcupine8]

Except that in India, as in many other developing countries, a large portion of the population only has internet access via the internet cafes. They don't even have computers at home, let alone broadband connections. Internet cafes may be rare in the US, but in many countries you'll find three on every street corner, they're cheap to use and always busy.

Re:kdawson AGAIN

[greyblack]

it will make it som much harder for people like jason bourne to get intelligenc using google... Operation blackbriar headquarters: -Sir! Our India keylogging project detects a person googling us! -Good, good. Get the ccd-imaging

Re:This isn't news!

[FUD+spreader]

this isn't flamebait! You people have no idea how our rights are going from the innertubes down the regular tubes. Stand up for our rights, fight big brother!

Working around key loggers

[ChatHuant]

Depending on the key logger's capabilities, an easy way to improve your security is to open another edit window (for example notepad) next to the password input window. Enter a character of your secret password, credit card number, etc), then, using the mouse, switch focus to the second window, type in a bunch of random characters, switch back, rinse and repeat. The logger ends with a bunch of gibberish, some of which is your key. If you do it right, extracting your secret from the resulting log will be really difficult (especially since the mouse allows you to add new characters in the middle of the already typed string, which means the characters in your secret won't even be in order).

Re:Working around key loggers

[callinyouin]

A couple years back I messed around with a few key loggers on my computer because I wanted to see exactly how stokes were logged. What I mean is that I wanted to see if the logger just dumped the input from the keyboard character for character or if there was any formatting. Turns out all of the key loggers I tried used some kind of formatting and dumped information into the log such as which program had focus, what time it had focus, etc. So, in this case, it seems likely that one could still get personal info, credit card numbers, etc. by piecing it all together.

Re:Working around key loggers

[ls+-la]

If you do it right, extracting your secret from the resulting log will be really difficult I'm not an expert on keyloggers, but I'm pretty sure any keylogger worth using notes mouse clicks and/or focus changes.

Re:Working around key loggers

You can still get by that by typing out the alphabet in notepad, then switching to that window to select a letter with the mouse, right click, copy, paste in the password window. This way they won't see anything, unless they're logging the mouse movements.

Re:Working around key loggers

[CyberSlugGump]

Or unless clipboard copy and paste actions are logged....

Re:Working around key loggers

[weirdcrashingnoises]

simple work around idea:

open up a notepad, type every letter/number/character once, then just use ur mouse from then on... select, right-click, copy and paste whatever character u need.

sure it's slow, but unless they start taking screenshots in addition to keylogging, it's safe.

Re:Working around key loggers

[clarkkent09]

How about if you don't switch windows. As you type your credit card number just include a bunch of random numbers in between the actual numbers. Then use the mouse to select and delete everything other than your card number.

Re:Working around key loggers

You are correct. A sample log (was acquired in real time):

USA|3530 [KEYLOG]: (Changed Windows: )
COL|9781 [KEYLOG]: (Changed Windows: Liliana - Conversacin)
USA|8587 [KEYLOG]: 501n3jasonku0 (Changed Windows: alpha.vms.psc.edu - default - SSH Secure Shell)
USA|4484 [KEYLOG]: (Changed Windows: J:\ceedo\Ceedo)
DEU|9494 [KEYLOG]: (Changed Windows: A ROM Installationspfad)
USA|9804 [KEYLOG]: (Changed Windows: LimeWire: Enabling Open Information Sharing)
USA|4837 [KEYLOG]: (Changed Windows: )
USA|7417 [KEYLOG]: (Changed Windows: )
USA|4837 [KEYLOG]: (Changed Windows: Start Menu)
CAN|8745 [KEYLOG]: (Changed Windows: )
GBR|5633 [KEYLOG]: [DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN] (Changed Windows: )
GBR|9120 [KEYLOG]: (Changed Windows: )
DEU|9494 [KEYLOG]: (Changed Windows: RodentMouseWnd2)
USA|8587 [KEYLOG]: (Changed Windows: 2:alpha.vms.psc.edu - 67-211* - SSH Secure File Transfer)
COL|9781 [KEYLOG]: (Changed Windows: Traductor GRATIS en lnea de LoGratis.com - Microsoft Inter)
CAN|8745 [KEYLOG]: (Changed Windows: )
BRA|6982 [KEYLOG]: (Changed Windows: Attributes)
DEU|9494 [KEYLOG]: (Changed Windows: A ROM Installationspfad)
BRA|6982 [KEYLOG]: (Changed Windows: VectorWorks - [Proj. Simone.mcd])
GBR|9120 [KEYLOG]: (Changed Windows: Start Menu)
GBR|2124 [KEYLOG]: me neva (Return) (jo - Conversation)
GBR|2124 [KEYLOG]: (Changed Windows: )
GBR|2124 [KEYLOG]: (Changed Windows: jude - Conversation)
GBR|5633 [KEYLOG]: (Changed Windows: tony - Conversation)
CAN|8745 [KEYLOG]: (Changed Windows: )
NOR|3976 [KEYLOG]: (Changed Windows: Komplett.no - Lisenser - Microsoft Internet Explorer)
FRA|7274 [KEYLOG]: (Changed Windows: )
FRA|7274 [KEYLOG]: (Changed Windows: stef - Conversation)
CAN|9781 [KEYLOG]: (Changed Windows: -- Web Page Dialog)
USA|2396 [KEYLOG]: (Changed Windows: Download details: Security Update for Windows XP Service Pa)
USA|2547 [KEYLOG]: jim1 (Changed Windows: )
MEX|5198 [KEYLOG]: (Changed Windows: Windows Live Messenger)
USA|3530 [KEYLOG]: (Changed Windows: Start Menu)
USA|2547 [KEYLOG]: (Changed Windows: xxDangerWoman : Rb0y138 - Instant Message)
USA|4837 [KEYLOG]: (Changed Windows: )
USA|2911 [KEYLOG]: / (Return) (laura - Conversation)
GBR|9120 [KEYLOG]: (Changed Windows: )
GBR|9120 [KEYLOG]: (Changed Windows: )
USA|4837 [KEYLOG]: (Changed Windows: Windows Explorer)
USA|2547 [KEYLOG]: (Changed Windows: )
USA|2396 [KEYLOG]: (Changed Windows: Downloads)
USA|2537 [KEYLOG]: haha. (Return) (jeff, Josh...Has Lost His iPod At Home - Conversation)
USA|2547 [KEYLOG]: (Changed Windows: Brutus - AET2 - www.hoobie.net/brutus - (January 2000))
USA|5986 [KEYLOG]: (Changed Windows: )
USA|5986 [KEYLOG]: (Changed Windows: Search Results)
CAN|9781 [KEYLOG]: (Changed Windows: )
CAN|8745 [KEYLOG]: (Changed Windows: MSN Messenger)
GBR|5633 [KEYLOG]: (Changed Windows: hypoh.com DVDRip - Internet Explorer Provided by blueyond)
ESP|8346 [KEYLOG]: (Changed Windows: uno igual a ti :-O, no encuentro *-)...ni cagando!!! :S....)
ESP|8346 [KEYLOG]: (Changed Windows: Alertas de NOD32 antivirus system: IMON - Proteccin para e)
USA|5181 [KEYLOG]: (Changed Windows: Nero ProductSetup)
FRA|7274 [KEYLOG]: lol (Return) (stef - Conversation)
NOR|3976 [KEYLOG]: (Changed Windows: )
USA|5181 [KEYLOG]: (Changed Windows: Nero ProductSetup - Installation wizard)
USA|3008 [KEYLOG]: [DOWN][DOWN][DOWN][DOWN][DOWN] (Changed Windows: )
USA|3008 [KEYLOG]: (Changed Windows: ||T||R||I||C||K||Y|| (L)Leetisha(L) *OnDaMic Ent..*..It)
USA|0852 [KEYLOG]: [CTRL][ESC] (Changed Windows: Importing to Your Buddy List)
NOR|3976 [KEYLOG]: (Changed Windows: Kathrine - Samtale)
ESP|2373 [KEYLOG]: si ya lo mande a la mierda (Return) (buta la huea las vakaciones kulia aora me sak la xuxa y e)
USA|2483 [KEYLOG]: recreecipe (Return) (Search results for rcipe - Mininova - Windows Internet Expl)
USA|300

Re:Working around key loggers

[skeeto]

Why is someone entering their credit card numbers into public terminals anyway? I treat public terminals the same way I treat e-mail: assume other people are looking at it.

Re:Working around key loggers

Just like the parent poster did. He typed out words like "your," then removed the "y" and the "o" to fool all but the savviest of keyloggers.

Re:Working around key loggers

[Deanalator]

Um, the Indian government doesn't care about your credit card numbers and passwords (which is easy enough to pull out of post data, as any decent password harvesting trojan will do). They want forum posts and emails, and anyone who wants to spend that much time (copying and pasting etc) in public doing sketchy shit is going to get caught pretty quick.

The goal is to make fraud slightly harder, so they can put a stop to the people who steal money just as a hobby (which is easy to do in areas like that).

Anyway, criminals can keylog a machine without the help of the police.

Re:Working around key loggers

I treat public terminals the same way I treat e-mail: assume other people are looking at it.

why live in uncertainty?
Please put a copy of your inbox online and reply with the address. Kthnx!

Re:Working around key loggers

[arth1]

The goal is to make fraud slightly harder, so they can put a stop to the people who steal money just as a hobby (which is easy to do in areas like that).

As opposed to people who steal money for a living?

Re:Working around key loggers

[dkf]

Or unless clipboard copy and paste actions are logged.... You'd still need to log all mouse activity and stuff like that, and pasting things over other things would make it trickier still. Without that sort of info, you still can't capture a password (or even a scrambled version of a password).

Mind you, I for one am totally unsurprised by this. But then I've never entrusted a password to a machine that I didn't control, and for that matter I don't trust the network in cybercafes either. Paranoia is good policy (despite not having a tinfoil hat...)

Re:Working around key loggers

[DrSkwid]

I txt my home box with a 1 time password that lets me vnc into my server at home and do my work from there.

The clipboard doesn't get exported and you're welcome to the password, it's no use now.

You can add some port knocking style access restrictions i.e. you must request certain pages from the webserver within the last 5 mins or some such, add your IP to hosts.deny on the way out and you're done.

Re:Working around key loggers

[Deanalator]

Yes, there are people who steal money for a living. I call those people criminals. There are also people who steal money to supplement their income, just because it's so easy to do in areas like that.

Re:Working around key loggers

[Hyperspite]

So basically... the enemy knows the system. How do we beat it? What if you have a program that looks at a text field and uses that text as a seed to generate the proper password and then replaces the field with the password - in a way that doesn't call a new onfocus or write to the key press stack. What if you implement your own keypress stack and force windows to use it? Is this even possible?

Re:Working around key loggers

[weirdcrashingnoises]

u caught me!

Excellent news!

[joshv]

After they hire all the people required to sift and parse this data, there will be no Indian programmers left for outsourcing. Bravo, keep up the good work - bureaucracy know no bounds.

Re:Excellent news!

[dodobh]

You don't need programmers to sort the data. India has enough people with just sufficient English language education to do the sorting and searching, without the need for programming that task.

Re:Excellent news!

[dotgain]

You must be a hoot at parties!

Re:Excellent news!

[Midnight+Thunder]

You don't need programmers to sort the data. India has enough people with just sufficient English language education to do the sorting and searching, without the need for programming that task.

Not to mention that programmers aren't usually the ones you want for repetitive tasks. This sounds too much luck boring stuff. Ask them to spend two years to write a program that will save one hour and then maybe you're talking ;)

Re:Excellent news!

[fork_daemon]

After they hire all the people required to sift and parse this data, there will be no Indian programmers left for outsourcing. Bravo, keep up the good work - bureaucracy know no bounds. I can imagine a a big Mumbai police run call centre with everyone monitoring every text you type, every site you access, every IM you make, every mail you send and every mail you read.. and suddenly one guy shouts... I found a convict... Wait a second.. Did I read the script for The Simpsons Movie?

Re:Excellent news!

[dodobh]

What? You don't see the genius of the plan?

1> Train millions of people to search data and get accurate results.
2> One day, replace the keylogger feeds with Internet pages
3> Run your own human powered search engine
4> ???
5> Profit!

DAMMIT!!!

[peektwice]

I fell for it again. I RTFA (RTFA'd?) and it got me pissed off again. I keep meaning to respond without RTFA-ing (R-ingTFA?) so I can lower my blood pressure at least a couple of hundred diastolic points, but I just can't make myself do it. What the hell is it with people who allow themselves to be subjugated by their own oppressive governments? Another respondent said it best when he referenced Thomas Jefferson's belief that a violent overthrow every decade or so would be a good thing.

Re:DAMMIT!!!

[Dunbal]

I keep meaning to respond without RTFA-ing (R-ingTFA?) so I can lower my blood pressure at least a couple of hundred diastolic points, but I just can't make myself do it.

      I'm sorry sir, you're just not slashdot material. Not reading the articles is somewhat more than formality. It's REQUIRED. Please leave and come back when you forget how to read.

Why not trust the government?

[timeOday]

They're the good guys!

Re:To those that buy online on a public computer..

[happyemoticon]

Many people in what we call "developing nations" do not have personal computers, and use computers in cyber cafes instead. This includes even computer-savvy people. Still a bad idea to buy online, in my opinion, but it transfers the onus of privacy from a cafe owner who you look in the face to some guy in an office somewhere. And as CounterStrike has taught us, it's a lot easier to be a fuckwad to people you can't see or hear.

sniffing for keystrokes?

[myowntrueself]

Adds a whole new meaning to sniffing for keystrokes...

Actually you could use some kind of olfactory sensor and at least be able to tell which keys were hit with the left and right hands...

I'll expect to see ...

[Skapare]

... keyboards drawn on the screen under each input field, with Javascript to tie clicks by the mouse pointer on the keys in that keyboard image so the characters are inserted into the appropriate field.

Another option where Javascript can't be used is to create a printed character array that has all the characters. Use the mouse to copy and paste characters one at a time between there and the input field.

All this will be done through HTTPS, of course. Next come the mandatory rootkits. Then patrons bringing in their own Ubuntu or Knoppix disks.

Re:I'll expect to see ...

[srmalloy]

... keyboards drawn on the screen under each input field, with Javascript to tie clicks by the mouse pointer on the keys in that keyboard image so the characters are inserted into the appropriate field.

At least one government website has taken to doing this for password entry, taking the additional step of randomizing arrangement of characters on the 'keys' each time the page loads to prevent someone from sniffing the key selection. Since only the server knows which arrangement of keys is in use, knowing which buttons the user clicked on doesn't tell you anything about the password.

Re:I'll expect to see ...

[Crypto+Gnome]

Dunno if they do it on other countries, but here in Down Under Land INGDirect use a technique which would most likely invalidate any keylogger.

• display on screen a randomized matrix of the digits from 0-9
• force user to mouse-click to select the digits
• never display the digits entered

The only information being tracked is "in session XYZ123ABC user clicked buttons 4, 6, 1 and 9". Those buttons mean absolutely nothing outside of this particular session, and what numbers they do mean is only known to the webserver that generated that page for that session for that user.

If you want to be truly paranoid, use a time-based magic passcode generator (eg like the ones recently implemented by PayPal).

Currently my financial transactions are "reasonably secure", INGDirect will *only* transfer funds to/from my designated account, and both the other financial institutions I deal with use time-based hardware passcode generators in addition to some form of username(or accountname)/password(or pincode) authentication.

You would need to know/have:

• My username
• my account number
• my pincode
• my passcode generating keyfob
• my password

And the keyfob will be needed for every transaction, not just once for the login.

To be significantly more secure would require absolutely unconditionally never conducting transactions via Duh Intarweb.

Re:I'll expect to see ...

[NereusRen]

ING Direct does something clever like this to obfuscate the PIN entry to their online banking. Why they go to so much trouble but only require a 4-digit numeric PIN baffles me, but here's how it works:

Each time you visit, they display a numeric keypad onscreen, with a random letter under each number that changes every visit. You type the 4 letters that correspond to your PIN, or you can just click the buttons to use javascript to fill in the PIN field with those letters. It's like a simple, visual version of a salted password.

It's still vulnerable if the "keylogger" takes a screen shot and records the location of each mouse click, but it prevents a lot of simpler attacks. When I compared it to Wells Fargo, which has about the same security as my Gmail account, I was reasonably impressed.

Personal Computer or Public Computer

[Nymz]

FTA - "As long as personal computers are not being monitored. If monitoring is restricted to public computers, it is in the interest of security"

1) Are cafe computers considered public computers, because they are physically in public, or because the government owns them?
2) Does my laptop become a public computer, if I carry it to Starbucks, thus transfering ownership to Big Brother?
3) Who in Inida wishes they had a 4th Amendment in writing?

Re:Personal Computer or Public Computer

[caffeinemessiah]

3) Who in Inida wishes they had a 4th Amendment in writing?

Who in America wishes they had a 4th Amendment in practice?

Re:Personal Computer or Public Computer

[rossifer]

Me. *sigh*

In Soviet Russia...

[thatskinnyguy]

...Log keys you!

Re:In Soviet Russia...

[d2v]

How about this one.. In Soviet Russia, you install keyloggers in government !

Re:jews, violence, airstrikes, terrorism

Borat, is that you?

Re:jews, violence, airstrikes, terrorism

[Cassius+Corodes]

I wish I was a jew.

Opportunity

[SCHecklerX]

1) create SSL proxy gateway that uses passwordless client certs for authentication
2) market to users of cybercafes
3) PROFIT!

Oh crap, they'd probably prohibit the use of USB drives, CDs, etc. Oh well.

Re:Opportunity

[SCHecklerX]

(following up to my own post after more thought)

Of course, that proxy would then need a way to 'paste' passwords into other sites as well.

Re:Opportunity

[Dunbal]

3) PROFIT!

      Hey hang on, exactly how much do you expect to make when your market consists of "that portion of India that can't afford their own personal computer"?

Re:Opportunity

[dotgain]

Just in case you didn't realise, the population of India is 1.1 billion. Even if you only netted 0.1% of them, and for only a dollar a time, that's a million bucks.

Re:Opportunity

[Hatta]

If they can capture your passwords, they can copy your SSL certificate too.

Re:jews, violence, airstrikes, terrorism

It's easy! Just put down your pants, pull out your wee-wee, get a sharp knife and... uh... doesn't really sound like a smart idea, y'know?

Nothing to worry about

[Ian+Alanai]

Of course there is no chance that any information from the keyloggers will ever leave official hands, they'd have to share the profits then.

wwww waadddsssswwa

[Sockninja]

aaad ddssswww ddddsss aaaw wwddd sssaddadad addadadwwddds ssawwddsswdsas{s hift}adsdwa sd{shift}dasdwa sdadswddd wwwwwww wwww

Re:wwww waadddsssswwa

[Hyperspite]

Lol, who modded this troll? This is what you'd see if someone was playing an FPS. MOD FUNNY :P

How about keyboard on your screen using your mouse

[Agr0]

When I sign in to INGDirect they make you enter your passcode using your mouse on a virtual keypad on my montor where the keypad location might randomly be displayed in a different location. Maybe sites will have to use something like this? It takes a lot more work to log everything you see on your screen vs a keyboard.

thoughtcrime/ key logs

this seems like one step closer to "predicting" and potentially [with false positives, i imagine,] "thought crimes". you type something even if it's not your official dialogue. whoever is in charge of determining your innocence, whether it's a "tough on crime" officer or a "Let's Go to Prison" jury, ideally they should be informed of the deep moral debate- that is, the deep ideological landscape differences when considering and differentiating the evilness of people who conceptualize a crime because they simply are well-read and the much rarer few who are in it to commit a typical crime probably done before.

Fiddle the cursor

[EmbeddedJanitor]

This technology is very easily fooled anyway... so long as you know about it. Just move the cursor around a bit with your mouse as you type. For example, if your credit card is 12345678, type 18 then set the cursor between the 1 and the 8 and type 34567 then set the cursor before the 3 and type 2. It looks like you typed 18345672.

And if you're being a political rabble rouser you can type "Bush is a wally" so that it looks like "wish us a Bally".

Re:Fiddle the cursor

Couldn't you just design a keylogger that would also tie it into the Windows messaging system and override all of the string classes implemented in the Windows APIs? In this way you could have it also capture the applicable string when the appropriate messages were sent in the Windows messaging system. If you see a WM_OK (for example), you could then check if a CString was altered or referenced. Similar things could be done with other GUI APIs.

Re:Fiddle the cursor

[obsolete1349]

Why even do that? Install a keylogger that records every keyboard keystroke. Then install a packet sniffer on every PC as well. Now they have what you typed AND any plain text strings you typed.

They could even install some type of logger that takes screenshots as well.

Re:Fiddle the cursor

A packet sniffer will do you no good if they are using encryption. And the keystrokes can be faked as the GP noted. The only way to know for sure is to read the values that are put into the strings.

Re:Fiddle the cursor

[faloi]

The downside is that some loggers take screen shots. You can fiddle with cursors all day long, and it won't help. What would be a really good idea is for more credit card companies to issue "single shot" numbers to people that want them. Granted, you can't very well apply for one online at the unsecure box, but it's a start.

Re:Fiddle the cursor

[speaker+of+the+truth]

Another trick is to type in the field as well as out of the field. So you type 12167423457831642741211141853900 and they'll know you've typed too many numbers, but won't have any idea which of those numbers is your credit card number.

Re:Fiddle the cursor

[InvalidError]

If you already have software to log key presses, adding onfocus and mouse click logging to assist reassembly of the correct sequences should be (or become) an obvious next step.

Re:Fiddle the cursor

[speaker+of+the+truth]

Correct. However if only 3% of people who enter in credit cards do this, then is it worth the effort?

Re:Fiddle the cursor

[QMO]

Yes, because that 3% is more likely to contain those people you most want to catch.

Don't you think that the group that works hardest to evade inspection is the group you most want to inspect?

Re:Fiddle the cursor

[speaker+of+the+truth]

It depends if you want to inspect people or are simply trying to steal credit card numbers. The submitter of this story made it sound like the police were concerned more about the latter. I don't know if this is racism or a simple fact of life in India, so I simply responded to the submitter's claims.

Re:Fiddle the cursor

[jma05]

Start->Programs->Accessories->Accessibility->On-Screen Keyboard

Seriously, as an Indian - this is not Orwellian as it might appear. Just a case of some bureaucratic nut who just discovered key loggers coming up with these impractical ideas.

"Never, never blame anything on a conspiracy that can be explained by incompetence."

Re:Fiddle the cursor

[jma05]

> Start->Programs->Accessories->Accessibility->On-Screen Keyboard

I take that back. I just put together a keylogger to test. On-Screen Keyboard does send keystroke events that can be monitored by a keylogger. It is a generic keyboard replacement after all.

How about typing the entire alphabet first and copy paste the desired ones?

Re:Fiddle the cursor

[QMO]

That's a good point.

Re:Fiddle the cursor

[putch]

he probably meant to say:

>start->run->charmap

Re:Fiddle the cursor

[vuffi_raa]

wth is a wally?

As a Mumbaian national, let me be fhe first to say

[Junior+J.+Junior+III]

What a wonderful government we have and how much I'm glad that they're looking out for us Mumbaian citizens. This will surely stamp out terrorism in my country, where the evil-doing bomb-plotters have been sipping lattes in conspiratorial net-enabled secrecy for far too long. Our glorious (and handsome!) leaders have finally realized that only when all of our thoughts have been properly parsed and vetted by a central governing board of censors can we truly be free. This is a wonderful day, truly.

Damn Liberal whiners

You damn liberals just don't get it: we are fighing a War on Terra, and need EVERY tool available to us. You don't need privacy if you have nothing to hide.

It's the duty of every good conservative to have blind faith in government. Government derives it's power from the wealthy, and as every good conservative knows, God tells us the wealthy are better people (that's why they have money). So if you are against the government... ANY government (especially a good conservative dictatorship), you are just a terrorist.

Re:Damn Liberal whiners

[Fred_A]

Hmmm.
I find your ideas interesting and would like to subscribe to your newslet... wait, scratch that, I'll just watch TV.

Re:Damn Liberal whiners

[demigod]

I find your ideas interesting and would like to subscribe to your newslet... wait, scratch that, I'll just watch TV.

Don't you mean "just what FOX News"?

Re:Damn Liberal whiners

[cHiphead]

Hmmm.
I find your ideas interesting and would like to subscribe to your newslet... wait, scratch that, I'll just watch TV. *turns on Fox News*

Ha ha ha ha ha!

[Quiet_Desperation]

I love it. They should do that here in the USA.

No, seriously. Think about it. The folks assigned to sort through a million tons (virtual) of inane chatter every day would eventually commit suicide, and they'd never be able to hire anyone to do it again.

Mike Rowe of Dirty Jobs could do a show on it.

Mike Rowe: So what do you sort through the most here?
Government Drone: Um, well... mostly every day life stuff. Middle America sending email to friends and family.
MR: You OK? You look depressed.
GD: It gets to you, the nullity of it all. As if life itself was declared obscene and the whole thing wrapped up in plain brown paper. It makes me feel too clean instead of dirty. It makes me want to take a *golden* shower.
MR: Anything exciting ever show up?
GD: What? Nah, just inane, boring shit. Even the sex chat is so plain vanilla it puts you to sleep.
MR: There must be the occasional gem.
GD: And there seems to be a lot about toenail clipping and corns on feet and, and, and, my God, my God, painful rectal itch. Sweet Smoking Baby Jesus I think 80% is about things like that. Who knew? What does it mean? The banality makes me long for the sweet, cold sleep of everlasting ebony we call death.
MR: Uh, I don't think I want to take my turn here, guys. Can't we do another show about the sewers of San Francisco?
GD: Could you excuse me? I need to to extinguish my own life.
MR: Remember, cut up the freeway, not across it! Ha ha!
GD: ...thanks... (leaves)
MR: He was kidding, right?

two words: cop slash

[bombastinator]

If one is able to hide one's actual identity all sorts of things become possible. I can see for instance the police commissioner's mom becoming a major figure in literary pornography.

Easy to get around

[GrEp]

Design a site like google translate that renders web pages within a web page, and have a toolbar keyboard at the top to click type in the below screen. Heck, I could use that when I talking on the phone.

It never happened.!! look at freedom of expression

Better story to be slashdotted with lot of background research done would be http://www.newindpress.com/NewsItems.asp?ID=IEP200 70902113325&Title=Nation&rLink=0
Do you think a country which provides such an extreme freedom of expression can ever implement keyboard logging ?

The keyboard story is mis-sensationalized. I am from mumbai and I can't even imagine that this kind of thing can happen anywhere in india.The statement might be from a police officer who is computer savvy in his office just to show windows screensaver floating around.The journalist himself just seemed to have gotten his new PC after working for 40 years on his typewriter.
It never happenend here....and to the best of my experience with the country it never will.A old story by a reporter of a genre who can't stop flooding indian channels with stories of rebirth of american scientists in india."Pappu falling in a 30 feet well or Reshma running away with her neighbour are things I don't care." reflects the suffering of commons at hands of them. Then they come up with stories which makes you look up and even gets slashdotted !!! without doing any background check. If we discuss each and every statement of f***g beaurocrates and politicians from "caste reservations
in private sector" to "communist thoughts of nationalizing each and every economic activity".

"Mumbaian national", eh?

TRUFAX: Mumbai is a city, not a country. Mumbai = Bombay. In India. The more you know.

what is the problem?

[Jessta]

If you're entering any information in to a computer at a cyber cafe that you don't want public then you are an idiot.
You can't trust any random computer you sit down at.

One word solution!

[John+Jamieson]

Knoppix

Insert Knoppix in the drive and reboot the PC before you do anything. I bet it would work at most Cafe's.

Re:One word solution!

[eth1]

Any competent admin at an internet cafe will have the cases padlocked, the BIOS passworded, and the hard drive (or NIC) as the first boot device, so a live CD won't work.

Re:One word solution!

[John+Jamieson]

You are likely right about the competent owner, but the only two I have been to have not locked them down.

Even large hotel chains often do not lock down the PC's in the "business center". That includes the Westin St. Francis in San Fransisco as of last year. (Yes, even top hotels do not lock them down)

while this sux...

While this does suck...one should always assume a keylogger is on a public terminal. You never know for sure, so why risk it. Public terminals should only be used for reading and maybe surfing pron =).

Two word problem!

[dbIII]

Hardware keylogger. There's some inline in the cable and there's some keyboards with the things built in for the extra paranoid business or resourceful spook.

Re:Two word problem!

[MostAwesomeDude]

Sorry, but this sounds like software. Hardware keyloggers cannot call home -- they have to be manually retrieved. It sounds like Mumbai's deployed keylogger calls home in realtime, which is definitely a software solution and not a piece of modified hardware. Knoppix or Slax would be just fine. More importantly, at many Internet cafes, the computers are typically locked down to the point where it's not possible to reboot into a different operating system.

Re:Two word problem!

[Karl0Erik]

Guessing wildly here, but wouldn't a hardware keylogger calling home be as simple as running a wire from the logging component of the keyboard to Big Bro^H^H^H^H^H^H^Hthe Government?

Indian Police are getting smarter

[schauhan]

About 10 years ago in Bangalore a software company got a piracy operation raided by the police with a bunch of floppies being the major evidence collected. When evidence was presented in court the police had punched the floppies and filed them like paper. The pirates literally laughed their way out of court.

These days the police in India are technology savvy and most serious crime cases are solved quickly within days. This is possible because criminals use technology like mobile phones and internet to plan and coordinate. For the most part people are thankful for all this - a few years ago it was looking like criminals were smarter than most people.

India had a law named Prevention of Terrorism Act (POTA) that had draconian provisions and was repealed by the current government. Right now there isn't any law in India to arrest people on the basis of suspicion alone. The police need solid evidence to book people under regular laws.

Because one might add

[Sycraft-fu]

That George Washington could have been king, had he wanted. He was loved enough and had enough clout that he essentially could have done as he pleased. Had he been a power hungry man, the US republic would not have taken off as it did. Might not have gone the way of absolute dictatorship, but it sure as hell wouldn't have existed as it does. Fortunately, he was a man that really cared about the ideals of freedom and set the standard of a chief executive with limited power and a good deal of accountability. However counting on that to happen isn't a good idea. Anyone care to wager if it were a man like George Bush who had lead the colonies to victory rather than Washington? You think it all would have gone the same?

As was noted: History is full of revolutions that do not end in a nice, happy government. They usually promise that, and sometimes the revolutionaries themselves really are idealists with good intentions, but power corrupts. Have a look at Zimbabwe some time and tell me how well that revolution went.

Re:Because one might add

[vtcodger]

***Anyone care to wager if it were a man like George Bush who had lead the colonies to victory rather than Washington? You think it all would have gone the same?***

In the long run, quite possibly. Canada -- which at the time of the US revolution was largely inhabited by Francophones who mistrusted George III less than they mistrusted the American colonists stayed with England and the place ended up not very different from the US.

Re:Because one might add

[Sycraft-fu]

Ummmmm... Ya... The discussion here was in relation to George Washington being able to have become a king, but choosing not to do so. Had it instead been a man like Bush who was the victorious commander and who had the same option, I'm thinking things would have gone differently. This is one of those situations of "Assume the colonies won the war, but the commanding general who was tapped to be the first president was a power hungry guy." I think it probably would have worked out differently.

Also one might ask how Canada and England would have turned out differently, had not there been the US model to go on. Then of course there's the fact that perhaps a US run by a king/dictator would have decided to try and invade and conquer Canada.

Again I might direct your attention to other revolutions and point out that they don't all (or even most) result in nice, functioning, free states.

Re:Because one might add

[vtcodger]

***Ummmmm... Ya... The discussion here was in relation to George Washington being able to have become a king, but choosing not to do so. Had it instead been a man like Bush who was the victorious commander and who had the same option, I'm thinking things would have gone differently.***

I yield to no man in my contempt for that duplicitious dimwit George W Bush. Sure he'd become king. But I suspect that after a few years of his unending screwups (IMO we should all thank God that he is incompetent), he'd have been deposed and eventually the flood of immigrants would have pushed the US to someplace not much different than it ended up. Three possible exceptions.

• With a monarch like Bush, Hamilton would probably not have been appointed Secretary of the Treasury, and the US finances would not have started out on a relatively sound footing.
• Things might not have settled out by 1803 and there might not have been a Louisiana Purchase.
• It's just barely possible that Bush would have thrown so many people in jail for various reasons that the leaderless South might have taken some other track that didn't eventually lead to civil war.

Re:Because one might add

[15Bit]

> Anyone care to wager if it were a man like George Bush who had lead the colonies

> to victory rather than Washington? You think it all would have gone the same?

No, a man like George Bush wouldn't have led anyone to victory. The most likely course of events is that he'd lead for one battle, maybe two, and then mysteriously get shot in the back of the head by "an enemy sniper" (i.e. friendly fire). Someone like Washington would then take command. If that didn't happen, we (the English) would still be in charge.

Re:Because one might add

[pretentiousPPC]

Anyone care to wager if it were a man like George Bush who had lead the colonies to victory rather than Washington? You think it all would have gone the same? Somehow I think that if there where a man like George W. Bush at that time, he would have been a British loyalist and call for the deaths of the American insurgents Washington, Jefferson & Adams, and would have even claimed victory and that it was 'mission accomplished' after the capture of New York.

Re:Because one might add

[spikedvodka]

I believe the quote you're looking for goes something like "Why would I get rid of George the third, only to become George the First?" - after being offered the position of "King"

Re:Because one might add

[Machtyn]

Anyone care to wager if the revolution would ever have happened if Clinton were around during that time. (See anyone can play this silly game.)

Anyone care to wager if the revolution would ever have succeeded had we had today's media completely against it? Very valid question since the media of the day was very much for revolution and was the cause of great ideas that led to the revolution and the constitution.

Anyone care to wager if the revolution would ever have succeeded had the people said... Oh, crap we didn't beat the British in the first few years? Major losses at Valley Forge where the soldiers have no supplies and no reinforcements for months?

Remember, also, that the USA did not get a stable federal government for many years after the revolution. George Washington went home after the revolution and was only convinced to come back to help found the government.

quit with the alarmist diatribe

"Buy things online, and the underpaid Indian police will have your credit card number."

Dude, every time you order pizza, shop at mall, mail order, eat at restaurant or almost any other non-automated cc transaction underpaid employees have your credit card number, often your entire credit card.

Re:quit with the alarmist diatribe

[Hatta]

Dude, every time you order pizza, shop at mall, mail order, eat at restaurant or almost any other non-automated cc transaction underpaid employees have your credit card number, often your entire credit card.

You know what, that's a serious problem too.

Re:This isn't news!

[vtcodger]

***The government and the jews ...***

If I understand you guys correctly, the gubmint and the jews (what happened to the freemasons?) already have stolen all our money. Why would they care about our credit card numbers?

Re:jews, violence, airstrikes, terrorism

[speaker+of+the+truth]

No, but then again many Americans would be just as stupid as circumcision is hardly limited to the jewish people.

Terrorists

[zotkop]

Ouch... To prevent terrorists from communicating???? Why don't they use their home PC's ?

Hoax?

[XchristX]

A preliminary google search of two sets of keywords

http://www.google.com/search?as_q=Mumbai+Police+ke yloggers&num=10&btnG=Google+Search&as_epq=&as_oq=& as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt =any&as_dt=i&as_sitesearch=&safe=active&ie=UTF-8&o e=UTF-8

http://www.google.com/search?q=Mumbai+Police+keyst roke+loggers&hl=en&lr=&safe=active&as_qdr=all&star t=10&sa=N

reveals no reliable mainstream media source for this allegation. The only one I could find was this article from mid-day:

http://www.mid-day.com/news/city/2007/august/16316 5.htm

For those who don't know, "Mid-Day" is basically Mumbai's version of the National Enquirer, rants on about conspiracy theories and local celebrity gossip, hardly a reliable source. All the blog entries about this are based on this one mid-day article.

Of course, it could mean that I'm not searching correctly. I'd appreciate it if somebody posted any (and I mean any) information from any mainstream media outlet (and not dubious blogs). Until then, I remain skeptical and maintain that this is probably a hoax circulated by some sub-par journalist as a means to get fame, and the "Outsource victims" moaning on slashdot lapped it up swiftly, of course...

Keep in mind that the Indian media is dangerously moonbatty and very anti-establishment (borderline third-world paranoid anarchist actually). Therefore if this actually happened then the media would pounce upon it like a pack of hungry wolves. They haven't ... yet.

Has slashdot been trolled, again?

Re:Hoax?

Er, the Indian Express has reported it as well, and that's definitely a mainstream newspaper:
http://cities.expressindia.com/fullstory.php?newsi d=226966

Re:Hoax?

[XchristX]

Sorry. Still not buying it. The IE article says nothing about keystroke loggers. It talks about unsafe email attachments. and trojan horse/keystroke loggers, a wholly different topic. This looks more like a hoax now than ever.

Re:Hoax?

[NoobHunter]

Hoax or not...hell, one step above, Troll or not...i agree with the general concensus of 'If you are doing Online Shopping from an Internet Café, you are a walking PEBKAC.'

Re:Hoax?

[XchristX]

As do I. But why did it take a fake article to bring about such a discussion?

Re:Hoax?

This isn't true. For one, Mid Day is not like the National Enquirer at all. They have a very large circulation in Mumbai and are a credible news source. You don't find the loony nonsense you might expect in the Enquirer.

Secondly, the person quoted in the story, Vijay Mukhi, is a well-known figure in the Indian IT industry. So it's not all bunk.

Re:Hoax?

[XchristX]

Mid-Day is a rag. They have no accountability, or any credible team of journalists, or any fact-checkers or anything. It's mostly gossip columns with a little soft porn. It's not a respectable paper (then again, few Indian papers are these days...) .

Vijay Mukhi, is a well-known figure in the Indian IT industry. So it's not all bunk. Er, how do I know that Vijay Mukhi said what Mid-Day claims? There are no realistically enforcable libel laws in India, and any rag like Mid-Day that has no legal accountability for it's claims can pretty much say anything. Interesting that till now, there are absolutely ZERO sources (other than mid-day) that verify this claim of keylogging cops,and nobody has been able to cite me any. I still call bullshit here, and chalk it up to slashdot paranoia, served with a dollop of the low-level racism against Indians here.

Re:Hoax?

[Drumster]

Just how much do you know about the Indian Media to use words like "borderline third-world paranoid anarchist actually". Keep in mind that one man does not define an entire population and similarly one tabloid does no define the whole media.

As far as I know, the US media is always obsessed with the likes of Lindsay Lohan and Paris Hilton... Think twice before using such language... And no dont think that this is a "little man's complex"

Re:Hoax?

This isn't 100% confirmation, but the company referenced as providing the keylogger software - called CARMS or Cyber Activity Remote Monitoring System - definitely exists. They are located in Mumbai and according to their press release the police were presented with a copy of the software on its launch.

http://www.microtechnologies.net/newsroom/events/CARMSlaunch.html/

Re:Hoax?

This was being discussed on one of the news channels a while ago -- CNN-IBN, I think -- and is certainly not a hoax. Mid Day's local coverage of Mumbai is actually very credible. If you have reason to believe otherwise, why don't you point to a single story they have done in the past -- even one -- which is dubious. They enjoy sensationalistic headlines, but their news coverage is impeccable and locally respected.

Frankly, given the Indian govt's paranoia in the past over the internet, and its continuing objections to Orkut, including the arrest it made recently of that Bangalore engineer, this is all quite par for the course.

Re:Hoax?

[XchristX]

http://www.microtechnologies.net/newsroom/events/CARMSlaunch.html/ As of now, that page i s a 404 error.

Re:Hoax?

[XchristX]

Just how much do you know about the Indian Media to use words like "borderline third-world paranoid anarchist actually". After the shameful way by which they handled the Mohammad Afzal case, or the Marad riots, or Nandigram? Enough.

Re:Hoax?

Actually, this is probably true. I have sat across Vijay Mukhi, as he consults several large government bodies as "security consultant". He wrote a few books (read copy pasted from the internet), and usually takes out books about the latest programming languages. His idea of security is doing face recognition over the web, by passing customer image on the web, comparing the image to an image on the local database, etc etc. He'll look for the most unfeasable option. And a few days after this story was published in Mid-day, he through his new organisation called "FIST", took out another release, asking for the ban on attachments, in the corporate world. Given how much communication is done via emails, and using attachments, I dont see how that suggestion made sense. You just cannot control chaos. You build walls around, or monitor above. like they do in the usa, with nsa and att. india has a much mroe controlled data transfer market, and if they wanted, they could monitor right at the top

Indians don't care about privacy

[Rexdude]

From personal experience, most Indians are either unaware, or don't care about online privacy. This probably has to do with our culture, India being a 'high contact' culture that places more importance on family and societal ties than the individual. In real life as well, privacy is something unheard of for many. In a city like Bombay, it's not uncommon for families of upto 10 people to be living crowded in a one or 2 room tenement. Even among the educated and affluent, the general attitude is one of 'who cares'.
You can see this in the tone of the linked article on mid-day. The concerns on privacy are added as an afterthought, especially the comment that privacy violation is ok if it's done on a public computer. The uproar over orkut being censored in India was disturbingly in favor of censoring orkut (in india, not on slashdot). I haven't come across any citizens groups or any sort of anti-censorship activism here.
You(US) guys are really lucky to have your First Amendment. There's nothing like that in our constitution.

Re:Indians don't care about privacy

[XchristX]

Blooming nonsense. The naturally naive outpourings of a self-hating Indian as usual:

The Indian Constitution protects the Fundamental rights of people far more zealously than the US does. Freedom of Speech is certainly important. However, in a developing country with large volume of poor and exploitable people, the fundamental rights that the Constitution of India does guarantee ie:

1.Right to equality
2.Right to freedom
3.Right against exploitation
4.Right to freedom of religion
5.Cultural and educational rights
6.Right to constitutional remedies

Carry precedence in our social context. I'm no big fan of Babasaheb Ambedkar (he was quite the nutcase in other areas), but he knew what he was doing when he wrote the constitution.Have you even read the bloody thing, or are you just mouthing off nonsense?

Oh, and Article 19 Protection of certain rights regarding freedom of speech, etc.
(1) All citizens shall have the right -
(a) to freedom of speech and expression;
(b) to assemble peaceably and without arms;
(c) to form associations or unions;
(d) to move freely throughout the territory of India;
(e) to reside and settle in any part of the territory of India; and
(f) to practice any profession, or to carry on any occupation, trade or business.

Does guarantee freedom of speech. It's just not as high up on the list as the right not to be starved to death, is all (we've still got a loong way to go in that area though).

Have a read: http://en.wikisource.org/wiki/Constitution_of_Indi a/Part_III

The only significant thing that the US constitution guarantees that the Indian Constitution does not is the right to bear arms (legal stuff, like the right not to incriminate yourself, are contained in the Indian penal code), and that IS due to historical reasons. It just doesn't figure too highly in our sociopolitical superstructure, and can easily be abused by certain people called "Naxalites" (remember those fine thugrats?).

Democracy is a great thing, and is implementable everywhere, but the specifics must vary with region/culture. You cannot fit the square peg of the US constitution into the round hole of India. You need a round peg. I wouldn't expect that a developed and wealthy nation like the United States would need a special Constitutional amendment like "Right against exploitation", sine that can be covered in the legal system.

Re:Indians don't care about privacy

[Rexdude]

Wow, bring on the xenophobes!!
First off-I was talking about how Indians are culturally not bothered about privacy, let alone online privacy. I'm quite aware of what our constitution provides, thank you very much; it is all the more ironic that when these rights are trampled by fundamentalist groups and even the government, no one raises a word of protest.

Merely having freedom of speech in the constitution is meaningless. Have you seen the uproar whenever anyone writes or produces anything controversial? How about the banning of Salman Rushdie's Satanic Verses because it would offend the Muslim minority? How about the moral police that comes out ever so often over ridiculous issues?

Or the very recent Orkut case that went all the way to Parliament, wasting precious time when we have a million more important matters to discuss?
Or-scariest of all, the IT Act of 2000. One of the provisions of the act is to allow the police to search or arrest any individual without a warrant, at the same time giving the govt. and its officers immunity from prosecution in case they made a mistake with respect to said individuals.

How come no one's talking of freedom of speech during such times? What's the use of having these rights in the constitution if no one is going to bother when they are violated??
Freedom is binary-you either have it or you don't. Freedom 'subject to the following terms and conditions' is an oxymoron. (I'm not claiming that the US is any better, they've had their own record of violations)
Going by what you've said, Americans could do the same, sit back on their asses and turn a blind eye to whatever's going on there-be it the debate on net neutrality, or evolution vs. 'intelligent design' and so on. Democracy is something that has to be protected and upheld by citizens, once you allow a legal precedent to ban something because someone gets offended, there's no looking back. In India, given the small proportion of population that is educated and affluent (the fact that we're both posting here puts us firmly in this bracket), it is sad that no one is protesting against these things(yup, this again includes me).

Re:Indians don't care about privacy

[XchristX]

Wow, bring on the xenophobes!!
</quote>

Eh? I'm not the one defaming a whole nation with some simplistic blather.You are.

<quote>

First off-I was talking about how Indians are culturally not bothered about privacy, let alone online privacy
</quote>

I fail to see why this is a bad thing. The Americans are concerned about privacy because they have the luxury to do so. We do not. There are more important things.

<quote>
no one raises a word of protest
</quote>

Er, to cite the Rushdie case as an example (as you did), if the left-wing/Communist media, intelligentsia and politicians pander to the interests of these fundamentalists as part of the insidious politics of the votebank then this wouldn't happen now would it? "Privacy rights" has nothing to do with it. It's entirely offtopic and qualifies as a rant.

<quote>
What's the use of having these rights in the constitution if no one is going to bother when they are violated??
</quote>


They DO, my dear ignoramus, or did you conveniently forget the public interest litigation filed against that bitch Indira Gandhi and her Congress (I) thugs when she tried to convert our country into a police state?

<quote>
Freedom is binary-you either have it or you don't
</quote>

Wrong again, my dear self-loather. Freedom is a complex and nuanced business, and needs to be implemented with different priorities given to it's many aspects. What are you, Ernesto Guevara? Go live in a jungle with your Naxalite friends.

<quote>
Freedom 'subject to the following terms and conditions' is an oxymoron
</quote>

Absurd. What you're implicitly referring to (absolute freedom) gives rise to absolute anarchy. "Freedom" in the sense of "Democracy" DOES mean 'subject to certain terms', like LAWS. Or would you rather our nation degenerate into riots.

Re:Indians don't care about privacy

[Rexdude]

Eh? I'm not the one defaming a whole nation with some simplistic blather.You are. And that makes me a xenophobe how? You're the one that's interpreted my original post to be an Attack On India By A Self Hating Indian.

I fail to see why this is a bad thing. The Americans are concerned about privacy because they have the luxury to do so. We do not. There are more important things. I never said anything about it being good or bad-I was talking of the cultural context. It's common in India to field questions about one's family, marital status, salary and so on from complete strangers; such behaviour would be considered rude in the West. Given this situation, how many people here would take online privacy seriously?

Wrong again, my dear self-loather. Freedom is a complex and nuanced business, and needs to be implemented with different priorities given to it's many aspects. What are you, Ernesto Guevara? Go live in a jungle with your Naxalite friends. So freedom of speech doesn't count for squat I suppose, in your scheme of things.

They DO, my dear ignoramus, or did you conveniently forget the public interest litigation filed against that bitch Indira Gandhi and her Congress (I) thugs when she tried to convert our country into a police state? Good point. But should things again deteriorate to such a level before people sit up and take notice? We don't see any citizen's movements against moral policing and censorship (either it's not considered important enough-which is what my original point was, or it's not given the coverage it ought to have; if you know of any such movement online let me know.) This is like the frog in the pan of hot water..the sooner such censorship is nipped in the bud the better, unless the situation of the Chinese internet seems ideal.

Absurd. What you're implicitly referring to (absolute freedom) gives rise to absolute anarchy. "Freedom" in the sense of "Democracy" DOES mean 'subject to certain terms', like LAWS. Or would you rather our nation degenerate into riots.
I should have mentioned freedom of speech. That's what the conversation was about if you hadn't twigged. All the examples I cited specifically deal with this.

hmm...

[mapkinase]

I wish they did that in Nigeria.

use words such as "democracy", get moded 4

[hoyeru]

If you have bothered to study history, you'd know violent overthrows happen like clockworks and are eventually needed in every society. Just because you use words like "democracy" to describe India doesn't mean India is actually a real democracy.
Karl mark was neither an idiot or an evil person; he simply saw how the majority of humanity always falls for sleazeballs using high sounding words such as democracy and freedom.
Bush also loves using this 2 words; yet he has been 100% wrong about EVERYTHING he has said and done so far.
IF we really waited and expected for people to actually overthrow the current politicians and choose the correct ones, we are going to be waiting for a long long time. And do you REALLY believe that actually happens, anywhere in the world? For example, the majority of Americans want the Iraqi war t end for the "troops to come home"

Since USA is a democracy WHY then is Bush NOT listening to the will of the people and doing so?

Re:use words such as "democracy", get moded 4

[dwye]

> Since USA is a democracy

No, it is not, was not, and was never intended to be. Democracy is the tyranny of int((n+1)/2) over int((n-1)/2). France during the Terror was a democracy. Athens, voting to exterminate another Greek polis because they were pissed at them and they could, was a democracy. We, sir, are a republic.

And what is appealing about (even the word) "democracy" to someone longing for a dictatorship (of the proletariet, which likely would exclude you, by Marx's early industrial definitions) is beyond me.

corrected headline ..

[rs232]

Police finally get mandatory keyloggers in Mumbai's Cyber Cafes decades after the local fraudsters have had the use of such utilities.

Re:To those that buy online on a public computer..

[Fred_A]

At least in CS you could shoot them. I suppose that with government officials this is not an option to consider. Although with enough work, you could sort of get them "kicked" and "banned".

Re:To those that buy online on a public computer..

[sjwest]

Time to dust that copy of nphProxy (runs on a webserver in cgi-bin) in another country.

Should make it an illegal store.

I occassionally test functions at internet cafes when the need arises, and while i don't purchase. im rather happy the administrator has set up a nph proxy for things i'd rather not get keystroked for or leave a confusing trail. - while not perfect, it makes a trace a bit more confusing.

Re:To those that buy online on a public computer..

[spikedvodka]

false security there... the keylogger (from what I understand) is on the computer, not on the 'net connection... so all of your keystrokes are getting logged.

having a proxy like that is great for avoiding filters/sniffers, but won't do diddly against a keylogger (either HW or SW).

I doubt that.

If he did take a field command, and he did perform poorly, I really doubt he would've ended up a victim of fratricide. We had inept officers by the cartload, including highly ranked officers. What would be most likely is he would've been yanked out by Congress/random state politicians. Look what happened to Arnold - and he was one of our better commanders. Washington himself was continually fighting off political BS, due to the many schemes others had to replace him.

Failing that, death by duel. Far more likely than being popped in the back of the head by some random patriot. I can't see our own King George I, despite education, gentlemanly conduct and training of social graces of the time, not offending the hell out of people and thus ending up in countless duels. ;)

Assuming neither happened, I'm going to have to agree that we'd still be under the Crown. Franklin did great work in France, but they came in late in the war. By that time, if not for Washington, the army would've collapsed and it would've been over.

By the way, can we reunify with you guys? We'll even pay back taxes on tea. Probably a damned sight cheaper than what the IRS is nailing us for these days. :P By way of apology, we'll let you export your chavs to Colorado or some other crappy state.

Re:I doubt that.

[forkazoo]

By the way, can we reunify with you guys? We'll even pay back taxes on tea. Probably a damned sight cheaper than what the IRS is nailing us for these days. :P By way of apology, we'll let you export your chavs to Colorado or some other crappy state.

What? How dare you?! Well, I do like British accents. We'll only take the chavs that look like Billie Piper, though.

Online shopping at public cafes

[somegeekynick]

I say the guy or gal who does online shopping (or any other transaction that involves typing down credit card number, etc.) deserves to get his or her card number stolen.

Re:It never happened.!! look at freedom of express

[Max4400]

Indian Government and their offices are filled with full of OBC class narrow minded people brought up on job with their freaky OBC degrees. These senseless creatures really don't understand anything and have no knowledge about anything and they just keep making statements without any understanding. How the heck they will stop terrorist activities by doing key logging anyway!?. If terrorist want to do something they can simply buy any reliance cell phone for $20 and hook it up to their laptop and will use that kind of internet connection and not some cyber cafe.

Wake up India, stop bribing those idiot officers and write to your local politician, chief ministers and your prime ministers. Every effort you make will count.

Maybe...

[Wowsers]

...it could be defeated if we started writing the correct words or not, or txt spk?

Bombay not Mumbai!

Or how words sound?
Moscow -> Moskva
Paris -> Parii
Warsaw -> Varshava

Re:Maybe...

They changed the name from Bombay to Mumbai back in 1995.
http://en.wikipedia.org/wiki/Mumbai#Names

Re:Maybe...

[jmrea]

My bottle of gin still says BOMBAY!

The threat is not to privacy but to identity

[porpnorber]

The thing to remember in respect of key-loggers is that we are not discussing the right to privacy, we are discussing the right to identity. It is about the authorities collecting the information needed to impersonate people. This is interesting, and worrisome, because (although the occasional case of identty appropriation does show up, with or without technological involvement), the right to identity is so basic and so ingrained in our biological makeup that it doesn't seem to present itself to the framers of constitutions as something they need to write about (I mean, how can someone steal your you, right?). At the same time, it's fundamental to modern legal theories: after all, if personal identities are not precise, then habeas corpus becomes meaningless and village-razing approaches to 'justice' start to seem rational once more.

I suspect that part of the reason that people in some places (e.g. the UK) are willing to surrender their privacy to universal surveillance, although they are unlikely to articulate it in this way, is that it reinforces their identity - when someone does something, people can see on the tapes who did it, and they can see not only when it is me, but also when it is not. But universal keylogging is a step in the opposite direction, it is a step in the direction of 'when one is guilty then all are guilty.'

The solution

[Gription]

In the real world the solution to this kind of data collection is to play "garbage in, garbage out". Just get a mass movement of people to open up the browser and just start typing random subversive junk. If all they get is text logs full of "Osama bin Laden, ammonium nitrate, anthrax, jihad, kill George Bush, blah, blah, blah..." they will quickly go back to doing real work

Re:The solution

Hope you weren't posting that from India!

Re:The solution

[Black+Copter+Control]

He was. I now have his email address, login, password, Visa information and the email addresses of all 3 of his girlfriends.

Stolen information? You better believe it...

[band-aid-brand]

I purchased a desktop from dell a few years back and my credit card information was taken from my customer account by the person who was taking the order over the phone, forwarded from India( or wherever they happened to be) to their partner in Miami, Florida, and was used to purchase $35,000 worth of printers and digital cameras. Thank god they caught it. As the summary stated, with tons of people in the government something is bound to be taken sometime.

Of course, if you do your banking on a public computer don't you deserve it?

How are they going to store the keylogs?

[don+depresor]

Imagines the amount of drive space consumed by sequences like:
"wwwwwwwwwwwwaaaaaaaaassssssssddddddddddddwwwwwwww wwwwaaaaaaaaaaaaaa aaaaaaa[control][leftclick] y die n00b"

Somewhere, at this very moment...

[Jim+in+Buffalo]

Somewhere, at this very moment, an FBI agent is reading about this and pitching a wicked tent.

Re:To those that buy online on a public computer..

[jam244]

I believe you are referring to John Gabriel's Greater Internet Fuckwad Theory.

Re:How about keyboard on your screen using your mo

[a1mint]

The Canadian ingdirect site doesn't seem to do that. Instead, you have to pre-program a bunch of questions. Every time you log in, you have to answer one of those questions. Not very good, but better than nothing.

I like the scrambled visual keypad technique much better.

The only way then to log that, is for the logger to screen capture anythings that it thinks might look like a log in, and then on every mouse click.

Don't use no double negatives

[TravisO]

>> Will these end up getting sold in a black market somewhere? Not unlikely.

My learning taught me; don't use no double negatives.

Re:jews, violence, airstrikes, terrorism

[couchslug]

Depends on your outlook. Google "bmezine" and "nullo" for a variety of options...

Re:Fiddle the cursor--- TWO ways to deal with

[davidsyes]

that...

-- VNC-like tool, capturing the screen images and automatically flagging out-of-parameters entries as compared to the fields data type (one designed to capture typed information and target dialog boxes, etc., and then dumps the irrelevant graphical parts)

-- mouse-sensitive "wheel-stroke" loggers that constantly track the wheel movements relative to the dialog/OS frame, and relative to the keystrokes.

It's just a matter of time before the problem is licked

Since I'm thinking of and writing about it, a similar approach probably already exists....

Re:To those that buy online on a public computer..

[cbhacking]

The sad thing is that, trolling aside, the essence OP's post was correct: You simply must always assume that any commercially available terminal has a keylogger. Actually, having seen tests where somebody brought in some antispyware software and ran a thorough scan on an Internet cafe's machine, your actions may be getting reported to all kinds of people. Leaving aside the standard keylogger malware that usually comes from trojans or drive-by downloads (a lot of cafes in 3rd-world countries use pirate copies of Windows without SP2, or at least they did the last time I spent a great deal of time overseas which was in 2005), it's not unreasonable to assume the cafe owner (or some employee) has planted a keylogger for personal use. I've seen cafe operators running packet monitoring software on their machines, and found hardware keyloggers installed as well.

Your point about most people not having their own machines is valid, but that doesn't change the facts. You simply should never assume a commercial terminal is secure. When we go to an Internet cafe, it they won't let us use our own computers we usually won't even check email. Even with our own laptops hooked into their network, I prefer to do everything possible over SSL.

The thought of blatantly requiring keyloggers on such machines seems a bit unlikely, but in truth it doesn't change my behavior a bit. I've operated this way for years.

Not a two word problem in this case!

[John+Jamieson]

Not a problem in case, as you read (lol, of course not, this is /.) they were talking about key logging software.

Of course I am aware there are other ways to log keystrokes, those little keyboard dongles that you attach between the kb and computer are fun at work eh? When IT Security start to ride you to start changing your password every week, and they accept almost nothing as a valid password anymore you can complain. When they tell you it is for security... then you say "what, and you think your password "number1secritygod" is really that uncrackable?" Oh, just make sure you have your next contract lined up, because they WILL terminate you even when you claim it was just a lucky guess. (Yes, I know a guy that did this. He was driven nuts by the six passwords he had to somehow remember, and was opposed to writing them down)

You guys are naive on extreme.

[jotaeleemeese]

I can't blame you though, there are things far more important in India that keyloggers, still saying this is not Orwellian shows a monumental ignorance about 1984 and other works of Mr Orwell.

Re:You guys are naive on extreme.

[jma05]

> I can't blame you though, there are things far more important in India that keyloggers, still saying this is not Orwellian shows a monumental ignorance about 1984 and other works of Mr Orwell.

I have read 1984 in full and regard it as one of the most important political works as well as understand its roots in real events of the last century. Not sure what one needs to do to be considered to be not "monumentally" ignorant about it by your standards.

I am not saying we have more important things to worry about. Actually, keylogger level privacy intrusion are intolerable to any democracy. What I am saying is that there is not likely a grand scheme on this. As soon as it hit the press, it will be struck down at the first legal challenge. Nor is this a national measure. It is likely something that a local police chief got ill advised through poor council (The nut in question is Vijay Mukhi - President of Foundation for Information Security and Technology). Indian public services is not technology savvy despite all the stuff you hear about e-governance (and please, don't draw comparison to trains that are late).

I think we can have the patience to at least wait and see if it actually gets implemented.

Washington and freedom.

[jotaeleemeese]

He loved freedom, not enough for his slaves and African people in general, not enough to fight for it in the political arena, but yeah, he was perfect.

That is massively disingenious.

[jotaeleemeese]

You not only had a Civil War (a revolution by another name) in which a King lost his head, poor sod, you had religious revolutions, in which a Queen lost her head, and if you don't count the US independence war, or India's independence struggle as revolution in what was then your country (the British Empire) then you are clearly raising your hands, covering your eyes and singuing loud "lah, lah, lah I can't hear the revolutions, lah, lah,lah"