On Wed, 16 Jul 2003, Tyler Durden wrote:

> This reminds me of another thing that occurred to me, but as I'm no computer
> engineer I can't tell how much of a defense it would be. (At the very least
> a nice stopgap for a while...)
>
> To get around keystroke loggers, it would be nice to have some form of
> onscreen keyboard, perhaps available over the web. The keyboard would likely
> work only with the mouse (making it slow to use, of course), and each time
> the keyboard appears (and at periodic intervals) the keyboard scrambles its
> keys.

Been done. Something like that is included in the Tinfoilhat Linux distribution, see http://tinfoilhat.shmoo.com/

Another thing for keyboard-based data input is Sneaky Pete, a Java app http://packetstorm.icx.fr/java/sneaky.tar.gz (from http://packetstorm.icx.fr/java/indexdate.shtml - original project homepage is dead). And I suppose there are more.

However, this will work around the keyboard loggers, but will cause development of e.g. programs saving the screenshots at the moment of a mouseclick. (Which is definitely more detectable - by storing bulk amounts of data - than just a plain keylogger, disadvantaging the adversary somehow.) Also won't protect against ceiling cams, if they'd have enough resolution to see the screen clearly enough.

Couldn't there be some challenge-response device, e.g. over IrDA or radio waves or direct contact (e.g., iButton DS1955B or DS1957B), which would be unlocked by something like a PIN code? How to avoid the leakage of the PIN and subsequent seizure of the device then?

> I suspect it would be MUCH harder to figure out what has been typed.

At least for a while, yes.
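
Added example, not part of the original message and not code from Tinfoilhat Linux or Sneaky Pete: a Python model of the scrambling keypad discussed in this thread. It shows that a log of click positions alone holds only cell numbers, while the same log paired with the layout visible at each click yields the input. The ten-digit pad and all class and function names are assumptions.

```python
import secrets

KEYS = "0123456789"  # assumption: a ten-key PIN pad, one key per cell


class ScrambledKeypad:
    """On-screen keypad whose key positions are reshuffled after every click."""

    def __init__(self, rng=None):
        # SystemRandom draws from the OS CSPRNG; a seeded rng can be injected.
        self._rng = rng if rng is not None else secrets.SystemRandom()
        self.layout = list(KEYS)
        self._rng.shuffle(self.layout)

    def click(self, cell):
        """Resolve a clicked cell to its key, then scramble the layout."""
        key = self.layout[cell]
        self._rng.shuffle(self.layout)
        return key


def enter(pad, text):
    """Simulate mouse entry of `text`; return (clicks, shots, decoded)."""
    clicks, shots, decoded = [], [], []
    for ch in text:
        shots.append(list(pad.layout))   # what a screenshot at click time shows
        cell = pad.layout.index(ch)      # the user finds the key on screen
        clicks.append(cell)              # all that a click-position log holds
        decoded.append(pad.click(cell))
    return clicks, shots, "".join(decoded)


def recover(clicks, shots):
    """Pair each click with the layout captured at that moment."""
    return "".join(shot[cell] for cell, shot in zip(clicks, shots))


if __name__ == "__main__":
    pin = "4071"  # constructed sample input
    for session in (1, 2):
        clicks, shots, decoded = enter(ScrambledKeypad(), pin)
        print(f"session {session}: clicks={clicks} decoded={decoded}")
        print(f"  clicks + screenshots -> {recover(clicks, shots)}")
```

Running it twice with the same input prints different click sequences per session, which is why the click log by itself does not repeat across entries.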