Comments on Key Capture Survey

Michael D. Crawford crawford at scruznet.com
Mon Jan 2 15:37:03 PST 1995


I am the author of the Last Resort keystroke capture program for the
Macintosh, published by Working Software, Inc..  I am writing up the
surveys for LR for Mac, DOS and Windows and will send them shortly.  I have
a couple of comments, which the list might be interested in hearing.

Your entries for the Macintosh should record the file type and creator
code, which are, for Last Resort, 'cdev' and 'mIKE' respectively (case is
significant).  If someone were to write an automated scanner meant to
protect a disk against such utilities, it would be much more reliable if it
looked for the creator codes, as Mac programs are usually written to not
depend on having a particular file name.  These codes live in the file
system, but are not part of the name space as '.EXE' would be on DOS.  You
can view them with ResEdit's "Get File/Folder Info" item from the File
menu.

We spent a lot of time pondering the problem of password theft.  We decided
that the benefit to the consumer of having this utility available to save
data outweighed the obvious danger of password and text theft.  The problem
increases, though, if one is not aware that Last Resort is installed.  The
Read Me file on the distribution disks has a discussion of this problem (as
well as the problem of people snarfing your files when you share your disk
to the whole company or campus), and there is a way to disable key capture
temporarily, for password entry.

I'm not real happy with the ease one can sneak Last Resort onto someone's
machine, but I take a little ironic solace in knowing that similar programs
that are "more hidden" than LR are available in source code form from
Phrack, at least for DOS.

On the plus side, I have gotten many, many letters, e-mails and phone calls
from people who say it saved their butts when a piece of critical
information would have been lost.  I had the habit of taking customer
orders over the phone while in the middle of debugging a program (like Last
Resort!) and would frequently crash before the order could be saved or
printed.  LR saved my company real money in this case.

David Pogue's book _Hard Drive_ is based in part on Last Resort, in that a
key capture utility is used to recover a password that saves the world.  I
was quite tickled by this.

I'm sad to say, though, that I know of one case in which Last Resort
precipitated the end of a relationship, in which a fellow discovered the
love letters his girlfriend had e-mailed to someone else in his Last Resort
files.  This particular fellow was glad that he found out about it, but I
still feel a twinge of guilt when I think about it.

I certainly support any effort made to document the existence of these
programs.  I might suggest that one way to defend against them would be to
watch for the patching of certain system calls - patching GetNextEvent or
installing a jGNEFilter on the Mac, and warning the user if this happens.
It's easy to detect such patching; for the most part it will be innocent,
but a hacker who had a fair amount of Mac programming knowledge could make
a keystroke capture program in an evening of work, so attempting to catalog
them all will provide only moderate protection against them.

BTW... most of those other commercial keystroke capture programs (no names
here) are clones of Last Resort.  Some of them even had the gall to use our
logo in their advertising (in a claim they were better than us).  LR might
not do as much as some of them, but I know that it is more reliable than
the competitors I have tested.  So if you are going to actually _use_ a key
capture program for your own (legitimate!) use, consider getting The Real
Thing, the One True Key Capture Program, the Saviour of Data: Last Resort.

I don't work for WSI any more, but we remain friends, and they can be
reached at:

Working Software, Inc.
PO Box 1844
Santa Cruz, CA 95061-1844
(408) 423-5696
(800) 229-9675
(408) 423-5699 FAX
working at scruznet.com
76004.2072 at compuserve.com

Cheers,

Michael D. Crawford
crawford at scruznet.com     <- Please note change of address.
crawford at maxwell.ucsc.edu <- Finger me here for PGP Public Key.








More information about the cypherpunks-legacy mailing list