| Author | Thread |
|
|
11/24/2004 02:22:20 PM · #26 |
Originally posted by TomFoolery:
just about a million or so people interested in how many keys they press a day, weeek, month, and so on. |
I'm wishing they had more statistics. Like my average for each day of the week, average for each month of the year, better graphs, etc. I gues I know how the general DPC public feels now. :)
I think the neatest feature they could add would be to track keys pressed "into" which applications... Like what % of the time to I type on my web browser (iexplore.exe) vs my email (outlook.exe).
:)
Message edited by author 2004-11-24 14:22:40.
|
|
|
|
11/25/2004 01:39:23 PM · #27 |
| dang you guys are weak -- i been on it for one day and I'm already closing in strong on second place. Either that or I spend entirely too much time on my computer playing this stupid game I have grown an addiction to over the years. |
|
|
|
11/25/2004 02:33:48 PM · #28 |
|
|
|
11/25/2004 02:35:04 PM · #29 |
|
|
|
11/25/2004 02:41:01 PM · #30 |
I'm not in...too easy for this program to recognize any 16 digit numbers (credit card) and passwords or anything else for that matter.
|
|
|
|
11/26/2004 10:37:16 AM · #31 |
|
|
|
11/26/2004 10:42:22 AM · #32 |
I'd like to be in but there are far too many alarm bells ringing in my head at the concept of logging every key I press. It would be so easy for this data to be abused.
|
|
|
|
11/26/2004 11:04:17 AM · #33 |
Originally posted by colda:
I'd like to be in but there are far too many alarm bells ringing in my head at the concept of logging every key I press. It would be so easy for this data to be abused. |
It's counting. Not logging.
-Terry
|
|
|
|
11/26/2004 11:18:11 AM · #34 |
Originally posted by ClubJuggle:
It's counting. Not logging. |
But you can't know that for sure without seeing the sourcecode or sniffing the network traffic...
|
|
|
|
11/26/2004 11:19:35 AM · #35 |
Like with Ethereal? I just did that.
The password and keycounts are hashed, but the packet is too small to be sneding keystrokes. I can send you the packet capture if you like.
-Terry
|
|
|
|
11/26/2004 11:25:33 AM · #36 |
Originally posted by Manic:
Originally posted by ClubJuggle:
It's counting. Not logging. |
But you can't know that for sure without seeing the sourcecode or sniffing the network traffic... |
My thoughts exactly.
It seems to 'collect stats' and upload at intervals. How does anyone know that it not doing any form of anaylsis and uploading 'filtered' data seperately?
As Manic says, without sniffing the traffic how can you be sure.
If this is a scam, I think that it might be mroe sensible to let it get into the 'wild' for a fair amount of time before harvesting the data.
For such a project, and considering that it's been clearly announced that it's a sourceforge project that has been revivied, it strikes me as being very odd indeed that the source code is not available.
Sorry, but it just seems like a mad risk to take in my opinion.
Darren
|
|
|
|
11/26/2004 11:28:15 AM · #37 |
And even if these guys don't do anything with the data, I'm now relying on their security to keep others away from that data.
|
|
|
|
11/26/2004 11:30:03 AM · #38 |
But according to CJ's investigation, it doesn't even send any data other than the number of keys.
|
|
|
|
11/26/2004 11:34:00 AM · #39 |
Originally posted by Konador:
But according to CJ's investigation, it doesn't even send any data other than the number of keys. |
But without seeing the sourcecode, we can't be sure that that will always be the case. I guess if you're confortable with the risks involved, then it's your choice, but in my situation I can't risk it. Maybe when the linux version comes out, we'll get to see the src and know for sure...
|
|
|
|
11/26/2004 11:36:18 AM · #40 |
Originally posted by Manic:
Originally posted by Konador:
But according to CJ's investigation, it doesn't even send any data other than the number of keys. |
But without seeing the sourcecode, we can't be sure that that will always be the case. I guess if you're confortable with the risks involved, then it's your choice, but in my situation I can't risk it. Maybe when the linux version comes out, we'll get to see the src and know for sure... |
Yeh it's not really a problem for me because I have all my passwords saved in cookies or whatever. And even if I didn't, how would it know what was my password out of all 90k keys submitted so far?
|
|
|
|
11/26/2004 11:36:51 AM · #41 |
I've emailed the project head about the project. He told me that the source code is not made available because of problems with cheating. This project resumes a previous "Project Dolphin" whose client source code was released, and some cheating has already happened based upon that source code. Nonetheless the packet captures I have done do not suggest any type of foul play and my antivirus software (which detects keyloggers whether known or unknown) does not alert on it. The project and client have been around for about a year, so if it were keylogging software odds are the antivirus vendors would have caught on by now.
That leaves one of two possibilities:
1. It's a keylogger so well-written that it evades detection by packet sniffer, by antivirus signature, or by antivirus heuristics.
2. It's not a keylogger.
I believe the second is far more likely.
-Terry
|
|
|
|
11/26/2004 11:37:59 AM · #42 |
Originally posted by thatcloudthere:
And even if these guys don't do anything with the data, I'm now relying on their security to keep others away from that data. |
If it's only sending keycounts (as my analysis suggests) there's no problem. They can't leak something they don't have.
-Terry
|
|
|
|
11/26/2004 11:38:20 AM · #43 |
Originally posted by Konador:
But according to CJ's investigation, it doesn't even send any data other than the number of keys. |
okies, can CJ assure me that the following senario is impossible:
1. The client software recognises a probable credit card number
2. The CC number is logged on the client
3. A header packet is sent to notify the server that a cc number is coming
4. The server treats stores and decodes the next x number of packets to reconstruct the possible cc number
|
|
|
|
11/26/2004 11:38:56 AM · #44 |
Okay, maybe I'll give it a shot...
By the way, my credit card number is 6018 4412 2297 7031 and expires 04/05.
;0)
Message edited by author 2004-11-26 11:40:34.
|
|
|
|
11/26/2004 11:45:33 AM · #45 |
Originally posted by thatcloudthere:
Okay, maybe I'll give it a shot...
By the way, my credit card number is 6018 4412 2297 7031 and expires 04/05.
;0) |
Thanks, I just bought a camera.
|
|
|
|
11/26/2004 11:46:58 AM · #46 |
Originally posted by langdon:
Originally posted by thatcloudthere:
Okay, maybe I'll give it a shot...
By the way, my credit card number is 6018 4412 2297 7031 and expires 04/05.
;0) |
Thanks, I just bought a camera. |
Well that explains it! I just tried to but I was told my limit had been reached!
|
|
|
|
11/26/2004 12:17:18 PM · #47 |
Originally posted by colda:
Originally posted by Konador:
But according to CJ's investigation, it doesn't even send any data other than the number of keys. |
okies, can CJ assure me that the following senario is impossible:
1. The client software recognises a probable credit card number
2. The CC number is logged on the client
3. A header packet is sent to notify the server that a cc number is coming
4. The server treats stores and decodes the next x number of packets to reconstruct the possible cc number |
I can't assure you that it's impossible that the client could do that.
Of course, I can't assure you it's impossible that Internet Explorer or Norton AntiVirus does that, either.
My assessment of the situation is that the client is at least a year old. If the client were malware of some sort, I find it exceedingly unlikely that neither Norton AntiVirus nor Spybot Search & Destroy would be aware of it in that period of time. I have run full scans of my system using both, and neither has alerted on the Pulse client. Additionally, Google searches for "Pulse stolen credit card," "Pulse stolen password," "Project Dolphin stolen password" and "Project dolphin stolen credit card" turn up no relevant pages at least in the first few pages of results.
Based upon this, my personal conclusion is that the software does just what it says, counting (not logging) keys and feeding those counts to the project server. I also offer the results of my research above to allow you to draw your own conclusions.
-Terry
|
|
|
|
11/26/2004 12:25:22 PM · #48 |
Originally posted by Konador:
The source code is available apparently, as it says on the homepage it uses the source code from a previous project which I was also a member of. I'm not sure where it can be downloaded from, but my spyware programs haven't found anything suspect since installing. |
Spyware looks for known issues - you repor them and then it will find it.
They show you the source code...i can show you source code - you have NO way of knowing of the file i give you to install is THAT source code...
have you seen the new AOL commercials? The ones where the folks are saying " I want a virus, i want my music files erased, I want someone to corrupt my hard drive".
Sure join in...it may be as innocent as a new born babe, or perhaps you can be the first on your block to get in an internet scam!
Me? Nope. Not a chance in 7734 |
|
|
|
11/26/2004 12:25:41 PM · #49 |
Originally posted by ClubJuggle:
Originally posted by colda:
Originally posted by Konador:
But according to CJ's investigation, it doesn't even send any data other than the number of keys. |
okies, can CJ assure me that the following senario is impossible:
1. The client software recognises a probable credit card number
2. The CC number is logged on the client
3. A header packet is sent to notify the server that a cc number is coming
4. The server treats stores and decodes the next x number of packets to reconstruct the possible cc number |
I can't assure you that it's impossible that the client could do that.
Of course, I can't assure you it's impossible that Internet Explorer or Norton AntiVirus does that, either.
My assessment of the situation is that the client is at least a year old. If the client were malware of some sort, I find it exceedingly unlikely that neither Norton AntiVirus nor Spybot Search & Destroy would be aware of it in that period of time. I have run full scans of my system using both, and neither has alerted on the Pulse client. Additionally, Google searches for "Pulse stolen credit card," "Pulse stolen password," "Project Dolphin stolen password" and "Project dolphin stolen credit card" turn up no relevant pages at least in the first few pages of results.
Based upon this, my personal conclusion is that the software does just what it says, counting (not logging) keys and feeding those counts to the project server. I also offer the results of my research above to allow you to draw your own conclusions.
-Terry |
Thanks for the reply Terry,
I'm almost certain that you're right, and indeed, hope for everyone's sake that you are.
For me personally, I'm just not comfortable with it enough to risk it.
|
|
|
|
11/26/2004 12:30:48 PM · #50 |
All fear and paranoia set aside for a moment, I have a question:
"Why?"
There need be no logical explanation, but I just don't need fake stimulation from the false sense of competition. I'll go watch the snow fall and have a cigar instead...
...sorry, I don't mean to sound condescending 'cause I do lots of seemingly pointless things as well.
|
|
Home -
Challenges -
Community -
League -
Photos -
Cameras -
Lenses -
Learn -
Help -
Terms of Use -
Privacy -
Top ^
DPChallenge, and website content and design, Copyright © 2001-2025 Challenging Technologies, LLC.
All digital photo copyrights belong to the photographers and may not be used without permission.
Current Server Time: 11/26/2025 01:51:59 PM EST.
