Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-21 Thread Jeff Knaggs
Well I guess Dvorak users would be safe from an attack like this until
the saboteur caught on.

Maybe the paranoid could pry out the keys every day and use a randomized keymap.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-21 Thread Timothy Donahue
On Monday 20 June 2005 05:28 pm, [EMAIL PROTECTED] wrote:
 Someone here made reference to 'nazis'.

 http://en.wikipedia.org/wiki/Godwin's_law


In said article please note: 

Quirk's exception 
Intentional invocation of this so-called Nazi Clause is ineffectual.

and 

Guy's corollary 
If a Usenet discussion mentions Godwin's law as a counter-rebuttal to a
mention of Hitler/Nazis, then the chance of Godwin's law being disputed is
equal to one.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-21 Thread Ioan Nemes
man kafka (franz), or even better try  man `The Trial`, then figure out 
for yourself!


Ioan



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Rod.. Whitworth
On Mon, 20 Jun 2005 00:07:13 -0500, Dave Feustel wrote:

On Sunday 19 June 2005 08:51 pm, Nick Holland wrote:
 Dave Feustel wrote:
  http://bs.somewhere.real.not   
 
 This has nothing to do with OpenBSD.
 It isn't new.
 It isn't unique.
 In effect, you just spammed the list, advertising someone's product.
 
 If you are going to put totally off-topic stuff on the list, how 'bout
 making it interesting and new?

I thought you had more insight. All of OpenBSD's security is at risk with
this technology.

I thought that you might have a brain.

All of OpenBSD's security at risk? How, in your wildest chemically
induced dreams, could it be?

1  Not everything that runs OBSD is a PC and even some of those that
are PCs are using serial consoles.

2 You have to own the PC to get to talk to the keyboard. How will
you do that do you suppose? If the PC has been hacked after the
firewall has been hacked it is probably running windows anyway and you
can spy on it in many ways without a keylogger. Sniffing the packets at
the firewall would do for a start.

3 How do you know which firewalls are hiding which keyloggers so that
it is worth your while to break in?
Oh! I know! They run little programs of their own that nobody notices
that send a message to mother, right?
And this program runs on every PC OS and so it can .

and on, and on, and on.

If there is one thing worse than conspiracy myths it is the crowd of
people without a built-in crap-detector who help spread the stories.

Hey, I've got a nice big bridge for sale with great views of Sydney
Harbour. No, really! Good price too!

R/

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Timothy A. Napthali
You can't sell that bridge - I own it... :) 




Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Rod.. Whitworth
On Mon, 20 Jun 2005 16:36:28 +1000, Timothy A. Napthali wrote:

You can't sell that bridge - I own it... :) 


Given your office address I'd bet you are keeping a close watch to see
if I sell it again, too!

~|^
 =

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Nick Holland
Dave Feustel wrote:
 On Sunday 19 June 2005 08:51 pm, Nick Holland wrote:
 Dave Feustel wrote:
  http://www.amecisco.com/faq_hardwarekeylogger.htm#Q1
 
 This has nothing to do with OpenBSD.
 It isn't new.
 It isn't unique.
 In effect, you just spammed the list, advertising someone's product.
 
 If you are going to put totally off-topic stuff on the list, how 'bout
 making it interesting and new?
 
 I thought you had more insight. All of OpenBSD's security is at risk with
 this technology.

Oh, come on.

There are a LOT of things that are real problems for security for all
systems.  Keyboard loggers are one very tiny one.  You are jumping up
and down about an anthill in the sidewalk, and ignoring the termites in
your support beams.

HW Keyboard loggers are nifty devices, I've thought of getting one, just
to prove some points.  However, it requires physical access to a
machine.  Software keyboard loggers are so much more effective --
self-deploying, no physical access, remote data retrieval, etc.  If you
aren't law enforcement or the legal owner of the equipment and the
building it is in, installing a HW keyboard logger involves Breaking and
Entering.  Now, a jury might not catch the implications of a keyboard
logger, but B&E convictions are really easy...that's a non-trivial risk
to the installer. Software keyboard loggers are almost zero-risk.  And
think about all the people who are administering OpenBSD, Linux,
firewalls and other front-line equipment from compromised Windows
systems and systems holding your personal information.  Yes, be scared.
 But be scared about the right things...

As for my insight, no, I assume any machine that I haven't had under
lock and key is potentially insecure, including the OpenBSD machine on
my desk at the office.

Building a keyboard logger into a keyboard is nothing new.  We put one
in your keyboard two years ago. :)

Nick.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Marc Espie
On Mon, Jun 20, 2005 at 12:07:13AM -0500, Dave Feustel wrote:
 On Sunday 19 June 2005 08:51 pm, Nick Holland wrote:
  Dave Feustel wrote:
   http://www.amecisco.com/faq_hardwarekeylogger.htm#Q1
  
  This has nothing to do with OpenBSD.
  It isn't new.
  It isn't unique.
  In effect, you just spammed the list, advertising someone's product.
  
  If you are going to put totally off-topic stuff on the list, how 'bout
  making it interesting and new?
 
 I thought you had more insight. All of OpenBSD's security is at risk with
 this technology.
Technically, not all. Ever heard of one-time-password ? they're specifically
engineered for this kind of risk.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 12:52 am, Brett Lymn wrote:
 On Mon, Jun 20, 2005 at 12:06:02AM -0500, Dave Feustel wrote:
  
  So far I see no defense against this spying
  technique of password capture.
  
 
 Regardless of whether they are built in or not - one possible way to
 get around keyloggers snatching passwords is to present an on screen
 keypad that changes the locations of the numbers/letters (to prevent a
 replay attack working), pick out a PIN or password on the screen,
 maybe even combining it with a typed password.

What you describe is what I was thinking of too.

One-time passwords or challenge-response would work too, since they cannot
be reused. My brother used to work for IDA in Princeton, and he had a little
calculator-type device that would allow him to compute the response to a
login challenge. That allowed him to login and read his mail from my windows
pc without compromising his login credentials.

But static passwords are dead with the advent of these builtin keyloggers.
 
 This will fall to a determined attack (video surveillance) but just
 about anything would.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 12:43 am, Chris Zakelj wrote:
 Dave Feustel wrote:
 
 The device is obviously not new.  What *is* new is that it is being installed
 as oem equipment inside of keyboards for HP and Dell systems and also inside
 of 'used' keyboards which can be unobtrusively switched in for older keyboards.
 Then the companies doing the switching can secretly monitor all the keystrokes
 of the user, picking up everything the user types.  There is no way to detect
 the keylogger short of opening up the keyboard. Shortly I predict the keylogging
 function will be incorporated into the keyboard cpu so that even opening up the
 keyboard will not permit the presence of the logger to be detected.
 
 What's new is that this functionality now comes builtin to new systems, possibly
 at the behest of Homeland Security, which would in that case know the password
 needed to retrieve the logged keystrokes. So far I see no defense against this
 spying technique of password capture.
 
 If you haven't noticed, companies (probably driven by lawyer paranoia) 
 have been becoming more and more aware of the problems associated with 
 employees misusing email.  While as a person I find this rather 
 intrusive and annoying, as an employee and (I shudder to think) 
 potential PHB in 40 years, I find nothing wrong with it.  My continued 
 employment depends, in part, on the positive public image my 
 predecessors have spent years building up, and to have it destroyed by a 
 couple of people using company resources in inappropriate ways would 
 really tick me off.  Do they have a right to see what I do at home?  
 Hell no, it's not their resources I'm using.  But when I'm at the 
 office, they've got every right, because it's their equipment, and their 
 bandwidth.

I agree.
 
 As for the homeland security argument, do you have any idea how much 
 raw data they'd have to sift through before coming to something 
 appearing to be a password?  This really wanders into the realm of only 
 the criminals have something to fear, simply because monitoring every 
 computer user in the country would be a task only HAL could perform... 
 and we all know how well that turned out.

You are making fact out of fiction and also dealing with the wrong scenario.
If everyone's keystrokes are monitored by a builtin keylogger in each computer,
then the computer of any 'person of interest' is an open book to any 3-letter
agency that decides to find out what that person has on his/her computer.
This power will be widely used illegally no matter what safeguards are proposed.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Marc Espie
On Mon, Jun 20, 2005 at 07:08:18AM -0500, Dave Feustel wrote:
 If one-time passwords capability is built into OpenBSD, where can I read about
 how to use them?

RTFM comes to mind.

apropos otp
gives you valid pointers.

After that, I think you're a big boy, you can figure it out yourself...



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 12:23 am, Timothy A. Napthali wrote:
 I'm fairly sure this is a hoax. I have seen this referenced several
 times over the past few weeks and I have seen no evidence to indicate
 any truth to the matter.

Here is a relevant link:
http://www.rumormillnews.com/cgi-bin/forum.cgi?read=73190
 
 Apart from the obvious legal implications outside of the US how long do
 you think Dell, HP or any other manufacturer would have customers for if
 this were true?

We may get to find out - see the above link which is apparently the source
material for the snopes article you reference below. While it does pay to be
sceptical of reports like the one snopes criticizes, I do not trust snopes since
I have seen refutations there of reports that I have detailed hardcopy proof of.
The dangers of fluoride and vote fraud are two subjects that are quite well
documented, anything snopes may write to the contrary notwithstanding.
 
 See: http://www.snopes.com/computer/internet/dellbug.asp



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Chris Zakelj

Dave Feustel wrote:


If you read the FAQ carefully you would note that the keylogger chip is
now being installed in oem equipment for the company marketing the keyboard.
Buying a unit off the shelf does not guarantee that there is no keylogger chip
installed in the keyboard. 
 

No, but it does mess up the ability of whoever is watching to remotely 
access what they thought was your keyboard.  Sorta like being given a 
computer with ethernet MAC fe:ed:de:ad:be:ef:00:00, then switching it 
for a card with MAC 12:34:56:78:90:ab:cd:ef.  Now your spy agency has to 
break into the place and find out what the new card is, otherwise 
they're not getting anything.




Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Chris Zakelj

Dave Feustel wrote:


You are making fact out of fiction and also dealing with the wrong scenario.
If everyone's keystrokes are monitored by a builtin keylogger in each computer,
then the computer of any 'person of interest' is an open book to any 3-letter
agency that decides to find out what that person has on his/her computer.
This power will be widely used illegally no matter what safeguards are proposed.
 

And you are wearing more tinfoil than the dude in Conspiracy Theory.  
Just because there's a keylogger doesn't mean it's possible to access 
that information.  Firewall off SMTP.  Oops, now it can't use its 
built-in sendmail.  Forbid inbound access, aww, there goes 
SSH/telnet/rlogin access.  For every technological problem, there is a 
technological fix.  Just ask the DVD Consortium how well CSS worked.  
Better yet, ask Sony about their audio CD protection... I got your $2 
hack right here, and it's called a Sharpie.


Others have pointed out the futility of your Chicken Little rant.  This 
is your last scrap from me.




Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 01:32 am, Ben Hooper wrote:
 |I thought you had more insight. All of OpenBSD's security is at risk with
 |this technology.
 |
 |The security features of an OS will not stop a physical attack, no 
 |matter how well designed.  This is no different than the admin leaving 
 |root's password on a post-it note stuck to the underside of the file 
 |drawer.  If you don't trust your physical environment, change it.  In 
 |this case, I'd remove the 'secure' flag from ttyCn, and use either a 
 |serial console or SSH in from a keyboard I trusted (by buying it myself 
 |from a retailer, and using appropriate tamper-evident tape).
 
 
 One Time Passwords such as skey(1) are also good for insecure environments.
 
 Ben.

I just read the man page for skey, but I still don't quite understand
how it works. Would I use a calculator to generate a response that I
type in response to a challenge, or what? 



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Alexander Bochmann
...on Mon, Jun 20, 2005 at 07:08:18AM -0500, Dave Feustel wrote:

  If one-time passwords capability is built into OpenBSD, where can I read
  about how to use them?

skey(1) will start you off.

Alex.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Rod.. Whitworth
On Mon, 20 Jun 2005 07:08:18 -0500, Dave Feustel wrote:

On Monday 20 June 2005 06:36 am, Marc Espie wrote:
 On Mon, Jun 20, 2005 at 12:07:13AM -0500, Dave Feustel wrote:
  On Sunday 19 June 2005 08:51 pm, Nick Holland wrote:
   Dave Feustel wrote:
http://www.amecisco.com/faq_hardwarekeylogger.htm#Q1
   
   This has nothing to do with OpenBSD.
   It isn't new.
   It isn't unique.
   In effect, you just spammed the list, advertising someone's product.
   
   If you are going to put totally off-topic stuff on the list, how 'bout
   making it interesting and new?
  
  I thought you had more insight. All of OpenBSD's security is at risk with
  this technology.
 Technically, not all. Ever heard of one-time-password ? they're specifically
 engineered for this kind of risk.

If one-time passwords capability is built into OpenBSD, where can I read about
how to use them?



In the FM, dick! Did you look?

You blab on and on about a load of fevered imaginings and after all the
time you've been here asking question after question you still haven't
learned to do basic research. That is the same reason you are trotting
out the tripe about how the sky is falling on all of us OpenBSD folk.

STFA or cry on the shoulder of Mrs Google or read the answers in this
thread where at least two, (it seems to even  my failing memory) have
mentioned such things in the last few hours. At least one by Marc Espie
and the other one quoted you a man page reference. 

Go do your own homework for a change or become a farmer where spreading
bullshit has a noble purpose and a fruitful outcome.


In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Alexander Bochmann
...on Mon, Jun 20, 2005 at 07:32:09AM -0500, Dave Feustel wrote:

   One Time Passwords such as skey(1) are also good for insecure environments.
  I just read the man page for skey, but I still don't quite understand
  how it works. Would I use a calculator to generate a response that I
  type in response to a challenge, or what? 

s/key has been around for a long time. Ask Google.

Alex.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 07:14 am, Chris Zakelj wrote:
 Dave Feustel wrote:
 
 If you read the FAQ carefully you would note that the keylogger chip is
 now being installed in oem equipment for the company marketing the keyboard.
 Buying a unit off the shelf does not guarantee that there is no keylogger chip
 installed in the keyboard. 
   
 
 No, but it does mess up the ability of whoever is watching to remotely 
 access what they thought was your keyboard.  Sorta like being given a 
 computer with ethernet MAC fe:ed:de:ad:be:ef:00:00, then switching it 
 for a card with MAC 12:34:56:78:90:ab:cd:ef.  Now your spy agency has to 
 break into the place and find out what the new card is, otherwise 
 they're not getting anything.

I question this assumption. The keyloggers can have universal passwords in
addition to the 'user' password included with the documentation (if the
existence of the keylogger is even disclosed to the buyer).

I *would* like to see some pictures of a keylogger chip installed in a keyboard.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Otto Moerbeek
On Mon, 20 Jun 2005, Dave Feustel wrote:

  One Time Passwords such as skey(1) are also good for insecure environments.
  
  Ben.
 
 I just read the man page for skey, but I still don't quite understand
 how it works. Would I use a calculator to generate a response that I
 type in response to a challenge, or what? 

You compute the answer to the challenge using the skey command on
another computer, a calculator or any device that is capable of
performing the RFC 2289 defined computation. 

An alternative is to precompute a list of responses. The FAQ has a
section on S/Key too.

-Otto
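
The RFC 2289 computation described in the message above, as an added Python example (not code from this thread or from OpenBSD's skey): the responder derives the response for the challenged sequence number, and the login host checks it by hashing it once against the last accepted value, which is why a response captured by a keylogger cannot be replayed. It uses the MD5 variant with RFC 2289's published test passphrase and seed, outputs hex rather than the six-word encoding, and the names `fold_md5`, `otp`, `precompute` and `Verifier` are hypothetical.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5 the input, then fold the 128-bit digest to 64 bits by XORing its halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password for sequence number `count` (RFC 2289, MD5 variant)."""
    if count < 0:
        raise ValueError("sequence number must be non-negative")
    # Initial step: the seed is case-insensitive and is prepended to the passphrase.
    value = fold_md5(seed.lower().encode("ascii") + passphrase.encode("ascii"))
    # Computation step: apply the folded hash `count` more times.
    for _ in range(count):
        value = fold_md5(value)
    return value


def precompute(passphrase: str, seed: str, next_count: int, how_many: int) -> list:
    """List of (sequence number, hex response) pairs, in the order they get used."""
    counts = range(next_count, max(next_count - how_many, -1), -1)
    return [(n, otp(passphrase, seed, n).hex().upper()) for n in counts]


class Verifier:
    """Login host's side: stores the last accepted response, never the passphrase."""

    def __init__(self, seed: str, count: int, stored: bytes):
        self.seed = seed.lower()
        self.count = count      # sequence number of the stored response
        self.stored = stored

    def challenge(self) -> str:
        if self.count < 1:
            raise RuntimeError("chain used up; the user must re-initialise")
        # The user is asked for the response one step earlier in the chain.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.count < 1:
            return False
        # Hashing the offered response once must reproduce the stored value.
        if not hmac.compare_digest(fold_md5(response), self.stored):
            return False
        # Accept, then move the stored value one step down the chain.
        self.stored, self.count = response, self.count - 1
        return True


def demo() -> dict:
    # Constructed scenario using RFC 2289's published MD5 test passphrase and seed.
    passphrase, seed = "This is a test.", "TeSt"
    host = Verifier(seed, 99, otp(passphrase, seed, 99))
    challenge = host.challenge()
    typed = otp(passphrase, seed, 98)   # computed on a trusted device
    first = host.verify(typed)          # a keylogger would see `typed` here
    replay = host.verify(typed)         # the captured value no longer works
    return {"challenge": challenge, "first": first, "replay": replay,
            "next_challenge": host.challenge()}


if __name__ == "__main__":
    print(demo())
    # Precomputed list for the next three logins, as one might print and carry.
    for n, response in precompute("This is a test.", "TeSt", 97, 3):
        print(n, response)
```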



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Alexander Bochmann
...on Mon, Jun 20, 2005 at 07:24:16AM -0500, Dave Feustel wrote:

  Here is a relevant link:
  http://www.rumormillnews.com/cgi-bin/forum.cgi?read=73190

That's just the same thing all over.

  We may get to find out - see the above link which is apparently the source
  material for the snopes article you reference below. While it does pay to be
  sceptical of reports like the one snopes criticizes, I do not trust snopes

The pictures from the original article have supposedly 
been taken from http://www.dansdata.com/keyghost.htm.

The snippets which were used to fake the homeland security 
letter were in the same directory as the original lol.htm

How do you make sure your version of OpenBSD isn't 
rigged to use some covert channel to send off keyboard 
input data to somewhere else, by the way?

Alex.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Rod.. Whitworth
On Mon, 20 Jun 2005 07:32:09 -0500, Dave Feustel wrote:

On Monday 20 June 2005 01:32 am, Ben Hooper wrote:
 |I thought you had more insight. All of OpenBSD's security is at risk with
 |this technology.
 |
 |The security features of an OS will not stop a physical attack, no 
 |matter how well designed.  This is no different than the admin leaving 
 |root's password on a post-it note stuck to the underside of the file 
 |drawer.  If you don't trust your physical environment, change it.  In 
 |this case, I'd remove the 'secure' flag from ttyCn, and use either a 
 |serial console or SSH in from a keyboard I trusted (by buying it myself 
 |from a retailer, and using appropriate tamper-evident tape).
 
 
 One Time Passwords such as skey(1) are also good for insecure environments.
 
 Ben.

I just read the man page for skey, but I still don't quite understand
how it works. Would I use a calculator to generate a response that I
type in response to a challenge, or what? 


Read it again and again and include the SEE ALSO files and learn how to
use the docs and stop asking questions, the answers to which you have
been pointed to already.

Seems like anything is a challenge to you boy.



From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Tobias Weingartner
On Monday, June 20, Dave Feustel wrote:
 
 I thought you had more insight. All of OpenBSD's security is at risk with
 this technology.

Nope, he has lots of insight.  You on the other hand are the security
risk here...  well, you were, and maybe, just maybe, if you smarten up
and realize what you are looking at you will end up *not* being as big
a security risk.

To put it bluntly, insecure hardware will (usually) always screw over
the software that runs on it.  Use hardware that you know is secure,
and you have no problem.  Use hardware you don't know is secure, well,
you just don't know.

Another reason not to use an i-cafe except through a zaurus...

--Toby.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Artur Grabowski
Dave Feustel [EMAIL PROTECTED] writes:

 On Monday 20 June 2005 12:33 am, Chris Zakelj wrote:
  Dave Feustel wrote:
  
  I thought you had more insight. All of OpenBSD's security is at risk with
  this technology.
  
  The security features of an OS will not stop a physical attack, no 
  matter how well designed.  This is no different than the admin leaving 
  root's password on a post-it note stuck to the underside of the file 
  drawer.  If you don't trust your physical environment, change it.  In 
  this case, I'd remove the 'secure' flag from ttyCn, and use either a 
  serial console or SSH in from a keyboard I trusted (by buying it myself 
  from a retailer, and using appropriate tamper-evident tape).
 
 If you read the FAQ carefully you would note that the keylogger chip is
 now being installed in oem equipment for the company marketing the keyboard.
 Buying a unit off the shelf does not guarantee that there is no keylogger chip
 installed in the keyboard. 

Yes, the company is installing them into normal looking keyboards. So
what? To be able to dump the buffer from the keylogger they still need
physical access to your keyboard. If they have physical access to dump
the data, nothing prevents them from installing a keylogger (surprise)
or a camera that will film the keyboard or a microphone that will
record the keyboard clicks so that they can analyze the clicks and
steal your password from that. They can also install any number of
other surveillance devices into your computer or your house, including
an amplifier for their orbital mind control lasers.

//art



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread jared r r spiegel
On Mon, Jun 20, 2005 at 07:49:47AM -0500, Dave Feustel wrote:
 
 I *would* like to see some pictures of a keylogger chip installed in a 
 keyboard.

  also might be a good idea to find some pictures of the 
  underside of a keyboard.

  phillips head screws and all...

  for me, it's time to edit .procmailrc

  jared

- 

[ openbsd 3.7 GENERIC ( jun 10 ) // i386 ]



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 08:14 am, Otto Moerbeek wrote:
 
 On Mon, 20 Jun 2005, Dave Feustel wrote:
 
   One Time Passwords such as skey(1) are also good for insecure 
   environments.
   
   Ben.
  
  I just read the man page for skey, but I still don't quite understand
  how it works. Would I use a calculator to generate a response that I
  type in response to a challenge, or what? 
 
 You compute the answer to the challenge using the skey command on
 another computer, a calculator or any device that is capable of
 performing the RFC 2289 defined computation. 
 
 An alternative is to precompute a list of responses. The FAQ has a
 section on S/Key too.
 
   -Otto

Thanks Otto. I'll check it out.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread J.C. Roberts
On Mon, 20 Jun 2005 17:45:53 +0200, Dimitry Andric
[EMAIL PROTECTED] wrote:

On 2005-06-20 at 17:00:57 Artur Grabowski wrote:

 the data, nothing prevents them from installing a keylogger (surprise)
 or a camera that will film the keyboard or a microphone that will
 record the keyboard clicks so that they can analyze the clicks and
 steal your password from that. They can also install any number of
 other surveillance devices into your computer or your house, including
 an amplifier for their orbital mind control lasers.

Nah, much cheaper to use good ol' rubber-hose cryptanalysis. ;)

Nope, rubber-hose cryptanalysis actually takes effort and might
qualify as exercise for the practitioners, so the simple, effort-free,
Bar-O-Chocolate cryptanalysis method would actually be a lot easier...

http://news.bbc.co.uk/1/hi/technology/3639679.stm

And no, if you happen to be a 200lb, 6'3 balding male in his mid
thirties, then the effectiveness of the Bar-O-Chocolate method is not
improved by dressing up like a girl scout.

-Well, at least that's what I've been told.

JCR



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Eric Zylstra

On Jun 20, 2005, at 9:11 AM, Marco Peereboom wrote:


nazis


Invalid invocation!  It must be a genuine, spontaneous reference.   
Now you damn us to dozens more messages in this thread because we all  
are now aware of the risk.


EZ

;-)



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 08:05 am, Alexander Bochmann wrote:
 ...on Mon, Jun 20, 2005 at 07:24:16AM -0500, Dave Feustel wrote:
 
   Here is a relevant link:
   http://www.rumormillnews.com/cgi-bin/forum.cgi?read=73190
 
 That's just the same thing all over.
 
   We may get to find out - see the above link which is apparently the source
   material for the snopes article you reference below. While it does pay to be
   sceptical of reports like the one snopes criticizes, I do not trust snopes
 
 The pictures from the original article have supposedly 
 been taken from http://www.dansdata.com/keyghost.htm.

Thanks for the link!!!
 
 The snippets which were used to fake the homeland security 
 letter were in the same directory as the original lol.htm
 
 How do you make sure your version of OpenBSD isn't 
 rigged to use some covert channel to send off keyboard 
 input data to somewhere else, by the way?

Actually I have had the feeling that something like that may be going
on already. Finding out via ZoneAlarm that it was going on in Windows
was what made me switch to OpenBSD.

Thanks again for the link,
Dave Feustel
 
 Alex.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Marti Martinez
On 6/19/05, Timothy A. Napthali [EMAIL PROTECTED] wrote:
 I'm fairly sure this is a hoax. I have seen this referenced several
 times over the past few weeks and I have seen no evidence to indicate
 any truth to the matter.
 
 Apart from the obvious legal implications outside of the US how long do
 you think Dell, HP or any other manufacturer would have customers for if
 this were true?
 

Not a hoax. Our security department ordered one as a demo piece for
our Security Awareness campaign. The legal ramifications are easy --
only put it on systems that you control, and make sure all users are
at least in theory aware of monitoring -- through a EULA, AUP, or
employee policy.

That being said, I doubt you'll ever get the major vendors to ship
them in their own products, at least unless you're the gummit or a
very very big client. The PR disaster if they shipped these to someone
with loose lips would be huge.


 See: http://www.snopes.com/computer/internet/dellbug.asp
 

Yeah, this is probably a hoax, but the link in the initial post is
certainly not.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
 Of Dave Feustel
 Sent: Monday, 20 June 2005 3:06 PM
 To: Greg Thomas
 Cc: OpenBSD-Misc
 Subject: Re: OT: Hardware keyloggers embedded in new keyboards?
 
 On Sunday 19 June 2005 07:24 pm, Greg Thomas wrote:
  On 6/19/05, Dave Feustel [EMAIL PROTECTED] wrote:
   http://www.amecisco.com/faq_hardwarekeylogger.htm#Q1
  
  
 
  Why just new ones?  Do you think this device is new or something?
 
  Greg
 
 The device is obviously not new.  What *is* new is that it is being
 installed as oem equipment inside of keyboards for HP and Dell systems
 and also inside of 'used' keyboards which can be unobtrusively switched
 in for older keyboards.
 Then the companies doing the switching can secretly monitor all the
 keystrokes of the user, picking up everything the user types.  There is
 no way to detect the keylogger short of opening up the keyboard. Shortly
 I predict the keylogging function will be incorporated into the
 keyboard cpu so that even opening up the keyboard will not permit the
 presence of the logger to be detected.
 
 What's new is that this functionality now comes builtin to new systems,
 possibly at the behest of Homeland Security, which would in that case
 know the password needed to retrieve the logged keystrokes. So far I see
 no defense against this spying technique of password capture.
 
 Dave
 
 


-- 
Systems Programmer, Senior
Electrical & Computer Engineering
The University of Arizona
[EMAIL PROTECTED]



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 10:43 am, Tobias Weingartner wrote:
 On Monday, June 20, Dave Feustel wrote:
  
  I just read the man page for skey, but I still don't quite understand
  how it works. Would I use a calculator to generate a response that I
  type in response to a challenge, or what? 
 
 Or what.
 
 --Toby.
 PS: Google for a tutorial, a howto, whatever.  

I have been doing just that.

 Just please go away, and come back educated.  

Sorry to be such a pest. That is not my intention.

 Yes, learning can be painful. 

Is it painful for you too?
Cognitive dissonance makes it more painful.
Fortunately I have very little of that.

 Consider this one of  those occasions.

Haven't felt any pain so far today. 
Must not be learning anything. :-)



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Dave Feustel
On Monday 20 June 2005 07:29 am, Jeremy Bowen wrote:
 On Monday 20 June 2005 11:55 pm, Dave Feustel wrote:
  If you read the FAQ carefully you would note that the keylogger chip is
  now being installed in oem equipment for the company marketing the
  keyboard. Buying a unit off the shelf does not guarantee that there is no
  keylogger chip installed in the keyboard.
 
 I've read the FAQ. Can you explain how someone could install/access this on a 
 keyboard that I've purchased without accessing the password that is set for 
 the keyboard ?

I don't understand this question yet - could you elaborate  please?
 
 If I buy an off the shelf unit, I apparently get the password in the box it 
 comes with. If not and if it is impossible to detect, then how is an attacker 
 going to know if I've purchased one of the keyboards with a key-logger 
 installed or not ?

The attacker could try the universal password and see if the keylogger
responds.
 
 If I didn't buy my keyboard and I'm that paranoid, then my physical security 
 is probably already compromised. Maybe I randomly swap keyboards with my 
 co-workers to screw up the attackers chances of getting the correct password 
 for my keyboard. (I mean, surely they wouldn't use the same password on all 
 the keyboards :-)

Why not?



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Joseph C. Bender
On Tue, 21 Jun 2005, Jeremy Bowen wrote:

 Why else would anyone incorporate it in there, when a cheap Korean 
 manufacturer could save $5 by leaving such a device out. (Or are you 
 suggesting the NSA are in the business of subsidising keyboard sales :-)
 
Of course, at this point, I'd like to point out that they say they
will mod OEM keyboards for you such that you can buy it as a lookalike 
keyboard.

There was nothing on their site that I could find that would suggest that 
they are OEMing this for anyone.

Now could you please take your tinfoil hats and please stop clogging our
collective inboxes over a reading comprehension problem?

This isn't [EMAIL PROTECTED], you know.

-- 
Signing off,

Joseph C. Bender
[EMAIL PROTECTED]
Does the government fear us?  Or do we fear the government?  When the 
people fear the government, tyranny has found victory. The federal 
government is our servant, not our master.  ---Thomas Jefferson



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-19 Thread Greg Thomas
On 6/19/05, Dave Feustel [EMAIL PROTECTED] wrote:
 http://www.amecisco.com/faq_hardwarekeylogger.htm#Q1
 
 

Why just new ones?  Do you think this device is new or something?  

Greg



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-19 Thread Nick Holland
Dave Feustel wrote:
 http://www.amecisco.com/faq_hardwarekeylogger.htm#Q1

This has nothing to do with OpenBSD.
It isn't new.
It isn't unique.
In effect, you just spammed the list, advertising someone's product.

If you are going to put totally off-topic stuff on the list, how 'bout
making it interesting and new?

Nick.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-19 Thread Timothy A. Napthali
I'm fairly sure this is a hoax. I have seen this referenced several
times over the past few weeks and I have seen no evidence to indicate
any truth to the matter.

Apart from the obvious legal implications outside of the US how long do
you think Dell, HP or any other manufacturer would have customers for if
this were true?

See: http://www.snopes.com/computer/internet/dellbug.asp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Dave Feustel
Sent: Monday, 20 June 2005 3:06 PM
To: Greg Thomas
Cc: OpenBSD-Misc
Subject: Re: OT: Hardware keyloggers embedded in new keyboards?

On Sunday 19 June 2005 07:24 pm, Greg Thomas wrote:
 On 6/19/05, Dave Feustel [EMAIL PROTECTED] wrote:
  http://www.amecisco.com/faq_hardwarekeylogger.htm#Q1
  
  
 
 Why just new ones?  Do you think this device is new or something?  
 
 Greg

The device is obviously not new.  What *is* new is that it is being
installed as oem equipment inside of keyboards for HP and Dell systems
and also inside of  'used keyboards which can be unobtrusively switched
in for older keyboards.
Then the companies doing the switching can secretly monitor all the
keystrokes of the user, picking up everything the user types.  There is
no way to detect the keylogger short of opening up the keyboard. Shortly
I predict the keylogging function will be incorporated into the
keyboard cpu so that even opening up the keyboard will not permit the
presence of the logger to be detected. 

What's new is that this functionality now comes builtin to new systems,
possibly at the behest of Homeland Security, which would in that case
know the password needed to retrieve the logged keystrokes. So far I see
no defense against this spying technique of password capture.

Dave



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-19 Thread Chris Zakelj

Dave Feustel wrote:


The device is obviously not new.  What *is* new is that it is being installed
as oem equipment inside of keyboards for HP and Dell systems and also inside
of  'used keyboards which can be unobtrusively switched in for older keyboards.
Then the companies doing the switching can secretly monitor all the keystrokes
of the user, picking up everything the user types.  There is no way to detect the
keylogger short of opening up the keyboard. Shortly I predict the keylogging
function will be incorporated into the keyboard cpu so that even opening up the
keyboard will not permit the presence of the logger to be detected. 


What's new is that this functionality now comes builtin to new systems, possibly at the
behest of Homeland Security, which would in that case know the password needed
to retrieve the logged keystrokes. So far I see no defense against this spying
technique of password capture.

If you haven't noticed, companies (probably driven by lawyer paranoia) 
have been becoming more and more aware of the problems associated with 
employees misusing email.  While as a person I find this rather 
intrusive and annoying, as an employee and (I shudder to think) 
potential PHB in 40 years, I find nothing wrong with it.  My continued 
employment depends, in part, on the positive public image my 
predecessors have spent years building up, and to have it destroyed by a 
couple of people using company resources in inappropriate ways would 
really tick me off.  Do they have a right to see what I do at home?  
Hell no, it's not their resources I'm using.  But when I'm at the 
office, they've got every right, because it's their equipment, and their 
bandwidth.


As for the homeland security argument, do you have any idea how much 
raw data they'd have to sift through before coming to something 
appearing to be a password?  This really wanders into the realm of only 
the criminals have something to fear, simply because monitoring every 
computer user in the country would be a task only HAL could perform... 
and we all know how well that turned out.