KeyGhost Security Keyboard Records Keystrokes
from the let-their-fingers-do-the-walking dept.
Let's say you work in a shared office environment and want to prevent someone from eavesdropping on your computer use. You take the logical precautions: you have a lock on your floppy drive, you set a password in the BIOS, you encrypt your files, and you use only secure protocols for remote interaction. Odds are still low that you have a shroud or other physical impediment preventing access to your keyboard's PS/2 port, right?
Interestingly, the KeyGhost is also available in a Microsoft Natural model, so it might be inconspicuous in many settings that a new standard keyboard might stick out in. So now you have more reason than plain cynicism to wonder at an "upgrade" to your regular keyboard at work. Of course, most programmers have settled on their keyboards after long trial, and would never disregard such a switch.
Despite the obvious unscrupulous uses this keyboard could be put to, I can think of one that isn't: I'd like to see one of these drawing its power from a battery pack instead of the PS/2 port and featuring a tiny LCD display, for times when it'd be nicer to type an e-mail out on the porch than inside, or as a more efficient idea-gobbler than a pen-driven PDA.

Use cut'n'paste (Score:3)
So it's simple: don't type things any more, use the mouse to cut'n'paste instead. People don't know how to type nowadays any more, in any case. To make spies think you're typing anyway, put the focus on the root window so the keys don't have any effect, and type bogus commands there like ssh root@bigcomputer.nsa.gov or echo 'NathaliePortmanNakedAndPetrified' | gpg --passphrase-fd 0 and so on.
Or, if you prefer, use a "random shuffle keyboard driver": each time you strike the keyboard, the driver randomly reshuffles every key in the keyboard (so that even if someone is recording the keystrokes, he can't deduce anything from them, not knowing what each key corresponded to at the time when it was pressed). This makes typing a bit difficult, but who cares for a little comfort when the security gain is so huge. (If you really want it, you can perhaps have a little graphic showing the current key layout.)
The KeyGhost on IRC? (Score:3)
This will be cool.
As well... (Score:3)
Of course the devious stuff's more fun! But it'd be neater to have a keyboard-adapter-thingy, which you'd put between the cord and the port, to record the keystrokes. Or maybe it could broadcast them via radio... anybody know of such a cool toy?
I'm pretty sure I can beat it. (Score:4)
I love those old clicky IBM 10 lb cast steel jobs. Try finding one of those prefabbed to swap on me. Just in case I'll make sure to weld it shut in 10 places and padlock it to the desk. I'll leave a horse hair in just the right place and wipe my prints off it every night and spray for prints every morning. Not to mention my hidden spy-cam...uh oh I hear helicopters.
Who says I ain't safe ;)
What to do, what to do.... (Score:5)
Then let them have fun with the logs.
-- Give him Head? Be a Beacon?
direct physical == no security (Score:5)
In Cryptonomicon, Neal Stephenson gives another example of snooping a computer by reading the EMF signal from a computer monitor/display.
Basically, if someone has physical access to your computer facilities, they have a hell of a lot more options to get through your security. Hey, you have to type your password in sometime.
Even if you use some "biometric" device to read your retina/thumbprint, unless the communication between the computer/device is secure both ways, someone can put a dongle between that and your computer and snoop their way in.
There is no trap so deadly as the trap you set for yourself
Don't Buy It Online (Score:5)
If you look at the HTML on their "Secure Order" page they're not using SSL to transmit the credit card ordering data. Furthermore, that data is just posted to a form-to-email ASP which presumably stuffs your credit card into an e-mail and zips it off to a POP3 accessible mailbox for their sales person somewhere. Ack! I was very close to buying, but now I think I'll pass.
The order page [netsecure.co.nz]
The insecure url they post that to [netsecure.co.nz]
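
The check described in the comment above (reading an order page's HTML to see where the payment form is sent) can be scripted. This is an added example, not part of the original thread or the vendor's site: the sample page, the URLs under shop.example and the field-name hints are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings that suggest a field carries payment data (assumed heuristic).
SENSITIVE_HINTS = ("card", "cvv", "expir")

class FormAuditor(HTMLParser):
    """Collect every <form> with its resolved action URL and field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit(page_url, html):
    """Return (action_url, sensitive_fields, problems) for each risky form."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_HINTS)]
        problems = []
        if urlparse(page_url).scheme != "https":
            problems.append("page served without TLS")
        if urlparse(form["action"]).scheme != "https":
            problems.append("form submits without TLS")
        if sensitive and problems:
            findings.append((form["action"], sensitive, problems))
    return findings

# Constructed sample: an order form posting card data to a form-to-email script.
SAMPLE_PAGE_URL = "http://shop.example/order.html"
SAMPLE_HTML = """<form method="post" action="/cgi/formmail.asp">
<input name="CustomerName"><input name="CardNumber"><input name="CardExpiry"/>
</form><form action="https://shop.example/search"><input name="q"></form>"""
```

Transport encryption is only the first half of the comment's complaint: a form handler that forwards card data by e-mail to a POP3 mailbox exposes it after submission regardless of what this check reports.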