On Wed, 16 Jul 2003, Tyler Durden wrote:
> This reminds me of another thing that occurred to me, but as I'm no computer engineer I can't tell how much of a defense it would be. (At the very least a nice stopgap for a while...)
> To get around keystroke loggers, it would be nice to have some form of onscreen keyboard, perhaps available over the web. The keyboard would likely work only with the mouse (making it slow to use, of course), and each time the keyboard appears (and at periodic intervals) the keyboard scrambles its keys.
Been done. Something like that is included in the Tinfoilhat Linux distribution, see http://tinfoilhat.shmoo.com/

Another thing for keyboard-based data input is Sneaky Pete, a Java app http://packetstorm.icx.fr/java/sneaky.tar.gz (from http://packetstorm.icx.fr/java/indexdate.shtml - original project homepage is dead). And I suppose there are more.

However, this will work around the keyboard loggers, but will cause development of e.g. programs saving the screenshots at the moment of a mouseclick. (Which is definitely more detectable - by storing bulk amounts of data - than just a plain keylogger, disadvantaging the adversary somehow.) Also won't protect against ceiling cams, if they'd have enough resolution to see the screen clearly enough.

Couldn't there be some challenge-response device, e.g. over IrDA or radio waves or direct contact (e.g. iButton DS1955B or DS1957B), which would be unlocked by something like a PIN code? How to avoid the leakage of the PIN and subsequent seizure of the device then?
> I suspect it would be MUCH harder to figure out what has been typed.
At least for a while, yes.
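
Added example, not part of the original thread: a small simulation of the scrambled on-screen keypad discussed above, showing how much an observer learns from click positions alone versus clicks plus the screen contents, and why the rescramble interval matters. The 10-key pad, the 2 x 5 grid and all function names are assumptions made for illustration.

```python
import math
import secrets

KEYS = "0123456789"   # constructed example: a 10-key PIN pad
COLS = 5              # assumed 2 x 5 grid of clickable cells

def scrambled_layout(rng=None):
    """Fresh random key -> (row, col) mapping for one display of the pad."""
    rng = rng or secrets.SystemRandom()
    keys = list(KEYS)
    rng.shuffle(keys)
    return {k: divmod(i, COLS) for i, k in enumerate(keys)}

def enter_pin(pin, rescramble_each_click, rng=None):
    """Simulate entry; return (clicked cells, layout shown at each click)."""
    layout = scrambled_layout(rng)
    clicks, shown = [], []
    for digit in pin:
        if rescramble_each_click and shown:
            layout = scrambled_layout(rng)
        shown.append(layout)
        clicks.append(layout[digit])
    return clicks, shown

def decode_with_screens(clicks, shown):
    """Observer that also captured the screen at every click recovers the PIN."""
    return "".join(
        next(k for k, pos in layout.items() if pos == cell)
        for cell, layout in zip(clicks, shown)
    )

def candidates_from_clicks(clicks, rescramble_each_click):
    """PINs still possible for an observer that logged click cells only."""
    if rescramble_each_click:
        return len(KEYS) ** len(clicks)          # cells carry no information
    # One layout for the whole entry: equal cells mean equal digits, so only
    # assignments of distinct digits to distinct cells remain.
    return math.perm(len(KEYS), len(set(clicks)))

if __name__ == "__main__":
    for mode in (False, True):
        clicks, shown = enter_pin("1221", mode)
        print(mode, clicks, candidates_from_clicks(clicks, mode),
              decode_with_screens(clicks, shown))
```

With one layout per appearance, a repeated digit shows up as a repeated cell, so the click log alone narrows the search; rescrambling on every click removes that leak but does nothing against the screen-capturing observer.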