Log in

No account? Create an account
Previous Entry Share Next Entry
Was installing a tool to keep track of your typing stats, and upload them to a website for fun and competition. Seems simple enough, right? Of course, there is a major problem with any program that runs all the time and can keep track of your keystrokes - it could be a password logger! Or any kind of mean evil program that tries to steal your password!

Or so goes the argument. Then again, the same could be said about your IRC or AIM client. Your web browser. Or any other number of services that run all the time on your computer. If a small program that's visibly saving all your keystrokes can nab a password, why would you trust another program anymore? What trust does notepad offer that WhatPulse does not?

Perhaps you trust some of those larger programs. "AIM wouldn't put something like that into their software, I'm sure of it!" Perhaps so, but then again, perhaps not. Who can tell what exactly software writers do in closed source software? I understand that there is a certain "Well, this software is popular - therefore it must be safe" attitude, however, I think that level of security paranoia can not be reasonably accepted in one case and not the other.

Clearly, open source software doesn't have this problem. Because the source is so freely available, it's easy to check over it - and if any reasonably large group of people use a product, the chances that no one would have found malicious code like that are fairly slim. However, in some cases, people use the fact that software is open source to indicate that they feel it is automatically safe and trusted.

Open source does not mean "bug free" - everyone accepts that fact without question. Yet at the same time, many pepople seem to think that open source or well known does mean "Safe". However, I think that this is a silly assumption. There is truly nothing in many open source situations that indicates that the program is not taking information from your computer - information that you don't expect it to have - and taking malicious actions with it.

So, what's the solution? Open source isn't the answer - documentation and understanding are the answer. Until people know enough about how a program works that they can look at every part of it and actually understand what it's doing, the open source movement does not in any protect users. I could easily sneak a 3 or 4 line password logger into an AIM client I wrote with no one the wiser. However, if every line of code I wrote was well documented explaining what I was doing, it would be far more difficult to do this kind of thing. I highly doubt that a comment saying "This section of code emails your password to my inbox" would be looked over for very long.

Non-open source programs are even more explicitly difficult to detect this kind of thing in. Since the code is not available, the only way to check for malicious intent is to specifically watch ports or run a debugger of some kind against the code to trace what's actually going on. Not only is this difficult, it is also not 100% foolproof - in the same way that viruses and other similar programs escape detection, typical run of the mill programs could escape this type of detection.

I have no real concerns over my privacy. I take fairly good care of my passwords - both in choosing relatively difficult ones and changing them relatively frequently - and as such, access to accounts I control is limited in both difficult of obtaining said access and time that persons with such access continue to have it. I don't have any critical information around that I don't keep backed up in some form or another, and I make sure that anything that's really important for me to keep hidden doesn't go into a computer system where it's equally likely to stay hidden or be seen.

I'm not saying that most programs are malicious - rather, quite the oppisite. However, I think that an obsession with security, in the end, really doesn't get you anywhere but overly concerned about nothing. Nobody really wants your password anyway, and if they did, they'd probably have a better way of getting it from you than to make you download some small program and install it on your computer.

  • 1
The same goes for just about any security issue: in the end, you just have to trust people. Every time you pay with a credit card, some cashier has your credit card number; you trust that they won't walk off with the receipt, and will shred it dutifully (even though they often have far more incentive for fraud than a highly-paid programmer). Heck, the easiest way to steal credit card numbers is to go dumpster diving outside a major department store. Too many shops don't shred their receipts.

AIM sends passwords with a trivial encryption mechanism (they xor them with a well known roasting string). Anyone with a sniffer can grab every password that passes by on the wire.

LJ stores passwords in plain text in the database. You know how easy that is to crack, with your 97,000 GJ passwords.

Microsoft tracks the hardware identification of every box that its software is used on, and sends that back to headquarters. Any Office or VB document can be tracked back to its author, both in terms of the software registration and the hardware owner. That's how the author of the Melissa virus was caught.

I'm not sure that well-commented open source software is the answer either. The general problem with comments is that they lie. Even when the programmer has the purist intent, the comment usually says something different than the code. It would be trivial to hide a password logger into some code where the comment says "Perform general housekeeping and performance monitoring tasks."

Are you familiar with Literate Programming? This is a movement started by Don Knuth that holds the primary purpose of a program is to convey its intent to readers. The program reads like a book, and only incidentally happens to be machine-executable. In fact, the Tex and Metafont programs are published books - see Tex The Program. It seems it would be harder to hide Trojans in this, because readers expect that they'll be able to understand everything, and don't just gloss over obscure code.

The amount of security people assume in their daily lives that simply Does Not Exist is incredible to me. I'm reminded, with your credit card argument, of a Dilbert comic: Dilbert describing how he would never shop online, because you can't trust the internet, as the waitress takes his credit card. When the waitress comes back, she's wearing a fur coat as she hands the card back to him. That kind of security mindset is exactly what causes problems - people simply assume that there is more security there than there actually is.

In the end, it all comes down to trust. However, at the same time, a reasonable expectation of privacy can no longer truly be expected. As they said in Hackers: "You know, you can absolutely nothing, and your computer goes through like, 17 computers a day. Orwell was wrong, not 1984, He's here now and living large" (probably a slight misquote, but it's from the party, by Cereal Killer).

What you said is true - comments often do lie. Perhaps the Literate Programming way of doing things really is the way of the future: don't just have the programmer tell you what the code should be doing: have it be obvious from the program. Then again, there is some code so convoluted even the person who writes it doesn't understand how it works, but I suppose that's a whole other problem.

Security doesn't exist. Nor does privacy. I've accepted that - I've given up all expectations of any privacy online, and I embrace the public nature of the internet. If I didn't... well, I have a feeling I would be a very unhappy person, because I'd be reaching for a goal that doesn't exist, at all.

Wow, this is pretty much what I think about it too.

So I downloaded the program and tried it. In the end, however, I decided not to use it, and I uninstalled it again. I think it is pretty dangerous -- not because I fear that someone would log my keystrokes, but because I fear that it encourages me to type more, which is only going to serve to make my RSI issues worse. I could envision myself pressing the up- and down-arrow keys repeatedly on a page I am currently reading, just to generate more keystrokes. I would probably participate if the "virtual" keystrokes generated by Dragon NaturallySpeaking would count, but they don't.

I thought zou!d be amused that this post is on google!s first page for whatpulse.\
americdan kezboards suck$.

  • 1