Pure theoretical question here : how a custom mapping of the keyboard may impact the effectiveness of a keylogger on my machine? Will this have any impact?
Imagine me, when I should type a password, just change to my new custom mapping and then type it. Should that be a protection against a keylogger? I imagine that an attacker would just have to go look for the configuration file to understand.
I have know nothing about keyloggers so excuse me if the answer is obvious.
A custom mapping of the keyboard shouldn't be used as protection against a keylogger. Reason being, the usage of different mappings on your keyboard does not mean a different password; you still have to type in the same password (characters, numbers, etc.), even with custom mappings.
Related
As it's in the title, I'd like to programmatically unlock my default lock screen. The programming language doesn't matter, it can be either a script language or a compiled language.
My current OS is linux mint with cinnamon desktop handler, but if the answer is general, that's even better.
Assuming my software always knows the plain text current password.
Disclaimer:
I know, it's NEVER safe to store the password in plaintext, even if it's compiled or something (actually, that's plaintext too...).
I know, if my "secret" signal is not safe enough (which is quite probably possible), then it could be outplayed by determined rogue people.
__
My reason to do this, is that I'd like to implement an RFID based login system for my PC :) (I know, RFID is fakeable, yees, yes...)
You can check the generic screensaver manpage (the xdg API).
There is the option reset. This method should be supported by most screen savers. You may need to test them.
If the policies of screen saver requires password, you need to tweak pam policies/modules. Too long to describe here, and you should really read documentation to understand pam (and security implications: pam is generic, so you should understand and check that there are not side effect on other authentication mechanisms). But what you are doing, it seems very pam related (and possibly there is already a module for it, you describe something similar to what it is used on POS).
Recently I wanted to make a small utility that would allow me to arbitrarily remap the keys on my keyboard to correspond to different character inputs.
How is this normally accomplished from a system programming perspective and what should I reference in order to learn how to do this?
Thanks!
I may be mistaken, but I believe it depends entirely on what your running (what your window manager is). For example, if you were running something with openbox (e.g. lubuntu), then you could reference the following:
http://openbox.org/wiki/Help:Bindings
There are similar concepts for Gnome. If you are looking to change Gnome, you may want to go peak around how gnome-tweak-tool changes things (specifically look at the keybindings -- tweak does a lot more!).
In both instances, I suggest using Python (gnome-tweak-tool would be a great reference point for how to do this) because it is very convenient to write GUIs and will allow you to change the necessary files easily :)
If you are using Ubuntu, this post may be useful for you:
https://askubuntu.com/questions/115333/how-do-i-disable-the-sleep-button-on-my-keyboard
Their question was for one specific key, but the top two answers are relevant. The answer with dconf-tools may help you get a better understanding of where things are located.
So in the end, you will end up needing to configure some files differently, but where those files are and how you change them depends on your window manager.
The above is useful for say disabling CAPS_LOCK or swapping L_SHIFT and L_CTRL or something. If you are asking about generically changing any keyboard input, then there's a lot more going on behind the scenes. You may want to read this article for a good explanation of what is going on:
http://www.linuxjournal.com/article/1080
So if you want to remap things, say switching the 'a' and 'f' keys, you would need to capture the keyevent for 'a', and send the 'f' key event instead. There are many ways to see what keys are being pressed, this may be a good place to start:
https://superuser.com/questions/248517/show-keys-pressed-in-linux
Changing things at this level is much more difficult / dangerous, so make sure you are careful!
Hope that helps a little! If this isn't what you were trying to do, please include more information in your question about what the actual goals of your program are.
I do know and have read the appropriate topics section for this site. I have seen various topics about RSI, posture etc closed as being off topic and referred to another site/section. I think however that my question will be worded such that it comes under the "Software Requirements" section as I am looking for input on specific types as well as configuration of software for some very specific medical issues I have.
This is not a topic about prevention of RSI, it is just the closest I can put in a title that people will understand off the bat. I may have already answered my question just by asking it, but in case there is something I have not thought of, the medical and other problems are:
I have a surgically repaired right (dominant hand) index finger following the removal of a benign tumor growth. This growth had clamped the tendon for some 18+ months before it was discovered and excised in 2012. I can use the finger "flat handed" such as for typing English (this email for example) but actions which have me move towards a grip are painful, writing with a pen or using a mouse or touch pad for example. I can use the mouse but not for anywhere near a days work.
I have numbness and pain of an as yet unknown cause in both forearms and little fingers. Repeated fanning of my hands or use of the little fingers makes these very painful which presents obvious problems in using modifier keys when writing code. Even using the ring fingers instead pushes out too much.
Whilst not able to work at the moment my most likely avenue of return is still to my previous job. There is a very limited amount of work I do from home as the primary client insists that you work from their premises and more importantly use their equipment. I do not think I could use any custom equipment (beyond accessories, such as a trackball) even if I offered to pay for it myself, we as a team are greatly removed from Corporate IT Admin. So at best I can be expecting an i3/i5 laptop with 8GB of RAM. I probably could swag/provide an external monitor in addition to the laptop display. We do have admin access to the OS but I cannot be putting native Linux on it or anything, and even if I could I need the corporate communication and meeting tools from Windows.
(edited in). Herniated lumbar disc causing nerve pain in both legs. Again I am working on this from a physical standpoint but for the purpose of this question will assume my current condition is permanent, which precludes pedals or other use of my legs for the purpose of character entry.
So I cannot use a mouse or touch pad (not sure about ball). Cannot use modifier keys and need to work on a Win 7 corporate laptop of the same kind that a business/sales manager might get, albeit with admin access. Primary type of work is LAMP stack although there are also other technologies such as Java, C++ and Python.
I had seen the voice coding by Tavis Rudd (here: http://www.youtube.com/watch?v=8SkdfdXWYaI) which would be an option from home but not the open plan client office. The idea did get me thinking however that my solution may lie in the use of something like emacs with remapped bindings. I probably could get a laptop powerful enough to run a minimalist X11 desktop (say maybe Fluxbox) under Oracle VM or something. Or I could install and use Cygwin.
I never did use full blown IDEs, but never used emacs beyond trivial tasks either. My go to for work would be scite and some xterm shells. It may have improved but I found IDEs a bit sluggish on the laptops we got. I know the IDEs as well as scite will be extensible, the latter under lua, but I suspect emacs will offer more in terms of existing extensions for multiple languages as well as task such as repository work or other access to servers etc (most of which would be *nix).
I am still working on physical investigation and rehab but for the moment am assuming these limitations are here to stay. What would be most helpful here is some indication from those more familiar with emacs or IDEs such as Eclipse or NetBeans, that the software is fit for my purpose, before I go and start learning to use it, which I would have to do (unpaid) before returning to work, needing to hit the ground at least 80% of where I was before.
Such that I can try and avoid any brick walls down the line which I did not foresee. My gut reaction as the first thing to be doing is "learn emacs" as it would be a useful skill in my area regardless, although if there is something else more suited to the primary goal I would do that.
Many thanks.
Default Emacs bindings make heavy use of modifier keys; however there are alternatives to the defaults, without necessarily requiring you to manually customise all the bindings.
Vi/Vim may be a good choice of alternative editor, as rather than using modifier keys to initiate commands, you switch between "insert mode" (in which the keys you type produce text), and "command mode" (in which the keys you type trigger editing commands), so you would rarely (if ever?) need to hold multiple keys at the same time.
Emacs may still be desirable, though. An advantage of Emacs is the degree to which it can integrate with many other processes and applications, thus giving you a familiar keyboard interface to many activities besides editing text. I would say this is far more the case under Unix than Windows, but I'm sure there are still benefits.
There are also ways to use the Vi approach within Emacs, which may be an even better answer. I understand that the evil-mode package ("extensible vi layer for Emacs") is the most comprehensive approach to using vi-style bindings in Emacs.
I'm not a vi user myself, so I'll leave it to others to provide details.
Keeping with the modal editing approach, God Mode gives you Vi-like modal separation, but using the familiar Emacs key sequences (follow the link to make better sense of that statement). The author says "You'll find that this mode comes surprisingly naturally and that you already know how to run your existing Emacs commands."
Leaving modal editing aside, packages such as ErgoEmacs endeavour to provide friendlier keybindings than the defaults, and may be useful.
A custom approach I read about (used by Xah Lee) was to dedicate certain keys as prefix bindings through which everything else could be accessed without modifiers. This is simple for some kinds of binding, and requires effort in other cases (probably in most cases, realistically).
For example, a great many bindings start with the prefix C-x (ctrl+x), but it's possible to assign that entire prefix to a sequence which doesn't require a modifier. e.g.: (global-set-key (kbd "<f6> x") 'Control-X-prefix) would allow you to type F6 followed by x instead of holding down Ctrl while typing x.
Other similar reassignments will not be so trivial, but it's all possible.
More generally (and so perhaps more usefully; certainly with less customisation) you can send any modified key using custom (and thus potentially modifier-free) sequences.
The event-apply-*-modifier functions (for shift, control, meta (your Alt key), super, hyper, & alt (not your Alt key)) are the trick to doing this. When called, they read the next key from the user, and then apply the required modifier to that key, passing the result through as if it had been typed using the real modifier key.
The following would use the number keys on the keypad to represent all the modifier keys. You could then type the sequence C-xC-b as 1x1b.
(define-key function-key-map (kbd "<kp-1>") 'event-apply-control-modifier)
(define-key function-key-map (kbd "<kp-2>") 'event-apply-meta-modifier)
(define-key function-key-map (kbd "<kp-3>") 'event-apply-super-modifier)
(define-key function-key-map (kbd "<kp-4>") 'event-apply-shift-modifier)
(define-key function-key-map (kbd "<kp-5>") 'event-apply-hyper-modifier)
(define-key function-key-map (kbd "<kp-6>") 'event-apply-alt-modifier)
You'd need to do some extra work to enable you to combine multiple modifiers for a single key, but it's possible.
The elisp manual page on Modifying and Translating Input Events is also relevant:
C-hig (elisp) Event Mod RET
A completely different approach would be to use foot pedals (or some other input device; e.g.: http://xkeys.com/xkeys.php) to enable you to use the modifier keys as intended, without the need to rebind anything at all.
I might write a program to detect malicious (or non-malicious) software that is key logging (logging key strokes to gain information).
What tactics would be used?
Is there certain code to look for?
Are there certain locations I should search?
I prefer Java or Perl as I am fluent in those languages
Would these languages work?
Is there a better language to use for this case?
What would be used?
Code?
Algorithms?
Function?
I think it depends on what you are attempting to do. If you are looking for known keylogging programs, you could use any software that can search the file system to view file signatures. However, it sounds like you want to detect unknown programs. I do not believe this is strictly possible. Keylogging applications can passively listen to the keystrokes so there is not an active signature you could look for. It would probably be easier to understand the software that is supposed to run on your computer and then detect any new software that starts to run. It wouldn't necessarily be keystroke logging software, but it would be unauthorized software (or at least yet to be authorized software).
Keystrokes are broadcast to the system as events that you can subscribe to in your application. This is how games and other programs use the keyboard input. The entire system knows when a key is hit and which key it was. You can't know who is listening.
To put it another way, if this were possible, it would kill software keystroke loggers since every anti-virus and anti-spyware application would have an option to detect and remove all of these types of software. They have an option similar to this, but it is based upon known signatures of known keystroke loggers.
As a program trying just to figure if it's input is being key-logged, for badly written key-loggers, you can look for some time-patterns, like periodic delays when the logger recycle buffers, but normally key-loggers are very well-written and will inject themselves in the driver chain and so will be indiscernible from the normal chain.
In that case the only hope to detect key-loggers is to inspect the driver chain looking for non-standard drivers (but some key-loggers can infect standard drivers) which isn't particularly easy in Windows-land (such low level inspection).
One would need to plug into the anti-virus/anti-malware hooks to be able to really access not only the driver chain definitions, but the real code being executed, to detect if some key-logging is takeing place, and that is hard, full of bureaucracy, and almost undoable in anything but C/C++
When going through registration, a lot of sites will disallow the use of symbols in passwords. This drives me up the wall from a usability perspective since I include multiple symbols in all my passwords, and as a programmer that deals with web authentication from time to time, I can't figure out why it wouldn't be allowed. Am I missing something? Are they worried about SQL injection? Don't want to deal with escaping characters? Or is there something with non-Latin-alphabet characters that can mess things up?
Similar question, about sites that restrict length here.
Laziness, 2. Using legacy systems that don't support those characters for auth
They are morons
They are almost certainly storing the plain text password somehwere (see 1)
They aren't in the US: In Europe, you have a different keyboard every few miles. Good luck finding your special character on an Italian keyboard. Or a Greek one. Or Turkish.
The only keys which are probably there are the alphanumeric keys and most people will be able to find their way around them, even if a couple of the keys will be swapped (Y and Z, for example).
Lastly, people are notoriously bad at remembering passwords. Forcing them to use "honey" instead of "jh(/&DFA93475" greatly reduces the rate of calls for support ("I can't remember my password...")
If it's a web app, the developers were not really able to make sure that umlauts survive the transfer from the form to their backend. It would be great if all browser would simply send UTF-8 but most backends can't handle UTF-8 without some careful tuning, either.
It probably means they're lazy or not very smart. If you only store a hash, you won't have to worry about character sets, injections, or space. Pretty much what was explained in that other question you gave.
Our system once had to work together with 3rd party hardware which was operated through touchscreen. Their on-screen errr.... 'keyboard', surely didn't had a non-alphanumeric characters, therefore - we ran into quite serious trouble with passwords - clients had to change them.
Legacy Systems Support
I can't say if it is true for many websites, but in many antiquated network environments that use radius or another form of centralized authentication, often you have to restrict your passwords to the lowest common denominator for all of the disparate systems that you are supporting. So if you are supporting password authentication for a poorly written legacy application that has problems with non-ascii characters and that server piggy backs onto the central authentication server, you are forced to limit all of the other servers to the same password restrictions.
Poor Input Validation and Lack of Password Hashing / Encryption
The applications could have had SQL injection issues in the past and over-zealous programmers just disabled all not ascii rather than address the fundamental flaws in their design.
Unneeded Simplification
The developers may want to minimize issues with binary data petering into the password store and are over-zealous in their data validation. Honestly, I think this is the most likely scenario. The programmers may have already taken an ascii-only approach to usernames and just extended the same line of thinking to passwords.
Bad programming, and the fact they're storing it in clear text, I'm sure.
One possible reason: the site's UI is designed by a marketing type or a non-technical product manager. Someone who doesn't understand combinatorics and thinks they actually provide their developers with precise requirements by dictating that the password field must contain exactly 8 alphanumeric characters.
It's possible that the same password will need to be entered via the phone keypad, (1 = 1, A, B, or C).
Realizing that this is terribly insecure, one way of increasing the security would be to lock the account after X bad password attempts. Often bank websites are just a front end for a horribly old mainframe application and can't change password policies.
The reason they require alphanumeric is usually an attempt to prevent SQL injection when passwords are entered. For example:
On some sites you can actually type in:
U: admin
P: ' or 't' = 't
Normally programmers get through this by using programming practices such as parameterized SQL, but I am willing to bet this is why they are doing it.
it's a toe crunching, teeth grinding issue especially when banks do it; however, I think some of the issues are with the ';' and ' ' " ' characters.
Back in the day some programmers, i suspect, thought by forcing alphanumeric characters, that people might forget their passwords easily.