lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri Dec  2 01:40:10 2005
From: mz4ph0d at gmail.com (mz4ph0d@...il.com)
Subject: Most common keystroke loggers?

Nick Fitzgerald wrote:
You are deeply confused if you think "is totally trivial and hasn't
been attacked _yet_" is in any meaningful way "more secure"
than "is equally trivial and has already been broken".


And if that was what I was talking about, fair enough, but seeing
as I'm not ... all I was suggesting was something to help with the
situation where what was being employed was a compromise
that had a) a keystroke logger, and b) click hotspot screenshot
mechanism. It obviously (and though you did seem to have read
the entire post, thanks for that, you missed that I was at least
implying exactly this) doesn't help at all if you are dealing with
a more complex problem than that. I probably didn't make that
clear as I pretty much thought that was a given.

Some said "an onscreen random keypad" and others replied
"10 x 10px hotspot screenshots", so that's the exact problem
I looked at one possible way of addressing that particular and
limited problem. At no time did I suggest that it helped with
other problems that may be present, or made the solution
somehow now magically secure.

I also don't see how having a button change to be blank after
mousing over it effects people with fine motor skills. The
whole keyboard yes, a single button, no. Seriously visually
impaired people will have problems with *any* kind of
online keypad that is trying to obfuscate what the buttons
do apart from what they look like (because you would be
removing the tags used by the browser for accessibility
purposes anyway).

There is NO solution that will fully protect any login system
against a compromised machine if that machine is being
monitored and the compromise in place is being dynamically
updated to suit the needs of the attacker. That is also a given.
It may on the other hand help if you are dealing with a machine
that has a piece of malware on it that installed a keystroke
logger that is capable of hotspot screenshots and is not
dynamically updating. It also may make the output from the
machine uninteresting enough to the attacker to not bother
trying to further compromise the machine in question to
install things to do the more complex forms of attack that
you are talking about.


(Note, I didn't feel the need to once insult you or "strong arm"
you into being quiet. You are obviously an extremely intelligent
and knowledgeable guy, with a lot of experience in this area,
why the need for the attitude?)


Z.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ