Chris Schmidt (crschmidt) wrote,
Chris Schmidt
crschmidt

WhatPulse

Was installing a tool to keep track of your typing stats, and upload them to a website for fun and competition. Seems simple enough, right? Of course, there is a major problem with any program that runs all the time and can keep track of your keystrokes - it could be a password logger! Or any kind of mean evil program that tries to steal your password!

Or so goes the argument. Then again, the same could be said about your IRC or AIM client. Your web browser. Or any other number of services that run all the time on your computer. If a small program that's visibly saving all your keystrokes can nab a password, why would you trust another program anymore? What trust does notepad offer that WhatPulse does not?

Perhaps you trust some of those larger programs. "AIM wouldn't put something like that into their software, I'm sure of it!" Perhaps so, but then again, perhaps not. Who can tell what exactly software writers do in closed source software? I understand that there is a certain "Well, this software is popular - therefore it must be safe" attitude, however, I think that level of security paranoia can not be reasonably accepted in one case and not the other.

Clearly, open source software doesn't have this problem. Because the source is so freely available, it's easy to check over it - and if any reasonably large group of people use a product, the chances that no one would have found malicious code like that are fairly slim. However, in some cases, people use the fact that software is open source to indicate that they feel it is automatically safe and trusted.

Open source does not mean "bug free" - everyone accepts that fact without question. Yet at the same time, many pepople seem to think that open source or well known does mean "Safe". However, I think that this is a silly assumption. There is truly nothing in many open source situations that indicates that the program is not taking information from your computer - information that you don't expect it to have - and taking malicious actions with it.

So, what's the solution? Open source isn't the answer - documentation and understanding are the answer. Until people know enough about how a program works that they can look at every part of it and actually understand what it's doing, the open source movement does not in any protect users. I could easily sneak a 3 or 4 line password logger into an AIM client I wrote with no one the wiser. However, if every line of code I wrote was well documented explaining what I was doing, it would be far more difficult to do this kind of thing. I highly doubt that a comment saying "This section of code emails your password to my inbox" would be looked over for very long.

Non-open source programs are even more explicitly difficult to detect this kind of thing in. Since the code is not available, the only way to check for malicious intent is to specifically watch ports or run a debugger of some kind against the code to trace what's actually going on. Not only is this difficult, it is also not 100% foolproof - in the same way that viruses and other similar programs escape detection, typical run of the mill programs could escape this type of detection.

I have no real concerns over my privacy. I take fairly good care of my passwords - both in choosing relatively difficult ones and changing them relatively frequently - and as such, access to accounts I control is limited in both difficult of obtaining said access and time that persons with such access continue to have it. I don't have any critical information around that I don't keep backed up in some form or another, and I make sure that anything that's really important for me to keep hidden doesn't go into a computer system where it's equally likely to stay hidden or be seen.

I'm not saying that most programs are malicious - rather, quite the oppisite. However, I think that an obsession with security, in the end, really doesn't get you anywhere but overly concerned about nothing. Nobody really wants your password anyway, and if they did, they'd probably have a better way of getting it from you than to make you download some small program and install it on your computer.
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 4 comments