[dm-crypt] avoid keyloggers: enter password with mouse? (virtual keyboard)
arno at wagner.name
Wed Oct 5 14:15:50 CEST 2011
On Wed, Oct 05, 2011 at 09:37:01AM +0000, Jan wrote:
> Arno Wagner <arno at ...> writes:
> > I really don't know. If it is just the spare-time project of the
> > Internet Cafe owner, you might be right. If it is the project
> > of the secret police, recording the video off the cable is
> > conceivable, although a bit more expensive than the about $80
> > for the hardware keylogger.
> Usually it should be a spare time project, since I choose the internet cafe
> at random and video grabber cost about $170 (see http://www.keydemon.com/
> ). It would be nice to be protected against hardware keyloggers at least
> with the software I proposed. I know some C basics. In case I find some
> time, where could I get the mentioned linux knowledge?
A C on Linux tutorial should be enough then.
1. Write C program with editor (of your choice,
examples: joe, vi, emacs)
2. gcc -o <program> <sourcefile>.c
This is for a single source file. Should be enough.
For screen output, just do a complete screen rewrite
line-wise with the "poor man's terminal clear" (write
25 or 50 empty lines).
You can get C library help either from the GNU info pages
("info libc") or often from the commandline "man 3 <command>",
e.g. "man 3 printf". The "3" refers to section 3 of the
manual which is the C library. You may have to install the
C library documentation package.
Attaching a command via its STDIN is a bit more tricky,
but can be done with "popen".
An example is here:
As usual, Google is your friend, just add "linux" to the
> Originally I wanted to find a way to use my GnuPG key in internet cafes
> safely. Since as you pointed out, even with the software I proposed,
> there is no "absolute" security. Here's my pragmatical solution:
> 0. Use privatix.
> 1. Protect against hardware keyloggers with the software I proposed to
> defeat the "most common" threat.
> 2. Use TWO GnuPG keys with the following user-IDs:
> "My Name
> (very safe, your email reaches
> me at my safe PC at home only)
> <myaddress at gmx.de>",
> "My Name
> (not completely safe, your email reaches
> me in unsecure internet cafes and at home)
> <myaddress at gmx.de>"
Make sure the second one is clearly marked as not-that-secure, as
the sender has to choose which one to use.
> 3. Have two privatix USB sticks, one for at home, the other for internet
> cafes etc. The first one never leaves my home.
> This way people who want to send me an encrypted email can decide for
> themselves which level of security their message needs. If they chose the
> second key at least internet providers cannot read the content of the email
> and send personalized advertisements etc.
> Another question:
> When I plug in my USB stick in an internet cafe, boot from it and have
> decrypted it, is there a hardware mechanism known to you that could
> automatically copy the DECRYPTED contents of my stick? I think that's unlikely
> since the decryption takes place in the OS, is that right?
Nothing standard. The best bet IMO would be to fake the boot
using a VM and then read the key from the VM's memory. You
are right that decryption is done in the PC, the data that
goes over USB is still encrypted.
I would say that besides the faked boot via VM, you do not need
to worry about it in your scenario. And to fight the faked boot,
do a full power cycle with wall socket unplug, not just a reset.
Presenting such a faked boot takes some effort though.
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
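The popen approach and the "poor man's terminal clear" mentioned in the reply above, as an added example that is not part of the original message or of any dm-crypt code. The function names, the sample secret and the stand-in shell command are assumptions made up for illustration; a real program would put the command that expects the passphrase in its place.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

/* "Poor man's terminal clear": push old output away with empty lines. */
static void clear_screen(int lines)
{
    for (int i = 0; i < lines; i++)
        putchar('\n');
    fflush(stdout);
}

/* Run cmd through /bin/sh and write secret to its stdin.
 * cmd must be a fixed string: popen() hands it to the shell, so never
 * build it from user input. The secret travels over the pipe only and
 * does not show up in the process list the way an argument would.
 * Returns the child's exit code, or -1 on error. */
static int feed_secret(const char *cmd, const char *secret)
{
    signal(SIGPIPE, SIG_IGN);   /* child may exit before reading */
    FILE *p = popen(cmd, "w");
    if (p == NULL)
        return -1;
    size_t len = strlen(secret);
    int short_write = fwrite(secret, 1, len, p) != len;
    int status = pclose(p);     /* flushes, closes, waits for child */
    if (short_write || status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample secret; a real program would collect it from
     * the on-screen selection instead of hard-coding it. */
    char secret[] = "constructed-passphrase";
    clear_screen(50);
    /* Stand-in command (assumption): succeeds only if stdin matches. */
    int rc = feed_secret(
        "IFS= read -r x; [ \"$x\" = constructed-passphrase ]", secret);
    memset(secret, 0, sizeof secret);  /* a compiler may drop this wipe */
    printf("child exit code: %d\n", rc);
    return rc;
}
```

Compile it as described in the reply, with gcc -o <program> <sourcefile>.c.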