Sounds good, will download it later when I get home.

kerpalguy

Funny, I was just looking for something like this...

collinturner.com

looks interesting, thanks

peetah

Will this work with Portable Firefox?

qwerty017

So I would be typing the encrypted stream instead of actual passwords?

daddydave

Using it now, hope they won't come up with a smarter keylogger that can beat that.

artistpavel

Too bad it only works with browsers. I know a few World of Warcraft players who would like to protect their account with something like this.

jeevzycreezy

Do I have to point out the obvious... if someone installed a keylogger without your knowledge then you are screwed anyways.

snowmoon

I have to say, I couldn't possibly have any real faith in an application like this. There are two major types of keystroke loggers: The kind that hooks into an individual process (or application) and watches what's going on, and the kind that hooks directly into the keyboard.

The ones that hook into processes usually hop around to whatever process you have in focus. This is a preferred method, since hooking directly to the keyboard is a huge red flag for any security suite.

So in this scenario, for the type of keylogger source code that any scriptkiddy can find in half an hour's worth of googling and compile, it would watch you type your text into the scrambler. And then (Depending on how the scrambler gets from A to B) it may catch the scrambled text, too.

Major false sense of security. I feel a little let down by LH's due diligence on this one.

Bottom line (And if anyone is telling you otherwise, they are lying or don't know what they're talking about.) is that if your system is compromised and there IS a keylogger on there, you're screwed, man.

Digitarius

Keyloggers, the good ones, capture the actual key presses. Not what is transmitted to the application.

This is a product that only works if you have a keylogger that attached itself to IE (that's why everyone at LH uses Firefox).

playdoh

Will give it a try and see how it works, thanks for the tip!

stonebridge

As others pointed out, this scheme has major flaws. In my estimation all it amounts to is pointless busywork for your processor.

Johnay

That's why I install my keylogger between the keyboard and the computer... no software can get at it :-) (unless it's on the keyboard)

jjdb210

Of course, this is why I install my keylogger between the keyboard and the computer... Let's see them scramble that...

jjdb210

And how do you know if this is secure? It encrypts 'at the driver level'... so if some piece of keylogging malware is also at the 'driver level', they both log your keystrokes?

And how is this decrypted? The decryption/encryption key must be somehow on your system, so the malware can read it, thereby completely defeating the software. If you have the key, you can decrypt the pressed keys yourself.

By the way: it doesn't protect against automatic screen capturing malware, snooping on your network connection, phishing sites or remote break-ins.

Does not look very secure to me..

stuq

Common sense tells me, if this program can see what I type, the keylogger sure will too.

artistpavel

So... do you TYPE your passwords into this program and it gives you encrypted keystrokes to type, which it decrypts and sends as KEYSTROKES to the browser??
Or do you just type into the browser, and it intercepts them, encrypts them, decrypts them, and sends them out as PLAIN KEYSTROKES?
I can't think of any possible way this could work. In the words of a great Internet meme: FAIL.

ninjabob7

I've been using this for a while now, but it's not compatible with Firefox 3 yet, but i always use it on my portable apps version. I don't trust most computers other people own.

metaslugx

@metaslugx: According to their page 2.1.0 supports firefox 3.

@ninjabob7: It acts as a keyboard driver, intercepts the key presses, encrypts them, sends them to the web browser plugin which decrypts them and sends the characters on their way.

I've tested it with "hook" level keyloggers and driver level ones and all were twarted. Browser plugin loggers were not twarted. That said there is nothing to prevent a better driver level keylogger from intercepting it higher up, and it doesn't stop anything from taking screenshots.

Stealth web page recorder runs as an Internet Exploder plug in and it WILL still record passwords.

Keyscrambler worked on the following loggers:
Perfect keylogger
Revealer Free edition:
Free Key logger (iwantsoft)
Refog's kgb free
log-it-all

This "Martin's undetectable keylogger" is supposed to hook at the driver level, to demonstrate that anti keylog programs that just kill hooks don't work. It is thwarted as well.

The only link to download that I can find is off of archive.org
[web.archive.org]

johnsmith1234

Hi, since there seems to be a bit of confusion as to how KeyScrambler actually works, I thought I'd post a clarification.

You can think of KeyScrambler as creating a secure channel for your keystroke traffic much as SSL creates a secure channel for your network traffic. One endpoint is the KeyScrambler kernel driver, the other end point is the protected application (such as your browser).

You don't have to do anything different than you normally would with KeyScrambler. You just type into Firefox or IE as usual, and KeyScrambler's kernel driver encrypts the keystrokes. They then travel in encrypted form through the OS and into the browser. KeyScrambler's browser plugin decrypts them once they arrive at the browser.

We have tried to encrypt the keystrokes as early as possible and decrypt them as late as possible. This means that keyloggers are deprived of all the usual channels that they use for snooping on keyboard traffic. That's why KeyScrambler works against keyboard hooking, window message hooking, kernel API hooking, DirectX snooping, GetKeyState, GetKeyboardState, GetRawInput, and many other less well known methods.

Some users have said that KeyScrambler doesn't protect against every kind of snooping. That's true. No software security product can be 100% effective. Most anti-spyware and anti-virus products are actually only effective 60-70% of the time at detecting and stopping current malware (a lot of these huge test suites include many old viruses, going all the way back to DOS, so a 90+% detection rate on these samples may translate to a much lower real-world rate, and we're not even talking about 0-day threats).

What you do gain from using KeyScrambler is protection against the vast majority of keyloggers both known and unknown because all the common and easy to use keylogging methods are rendered completely useless.

If anyone has more questions about KeyScrambler, you either can post here or email support at qfxsoftware.com

-- Qian ("Chen") Wang from QFX Software (maker of KeyScrambler)

qzwang

This is a scam. If you have a trusted machine you won't need this, and if you can't trust the machine your using, don't use it for anything secret as the machine could be compromised in many different ways. This won't help with hardware key loggers, and there is no way to guarantee that this will work with all software key loggers as that is an infinite set. What about if your current machine is running in a VM, or via Citrix/VNC/RDP? Or if heaven forbid this closed source application somehow has a vulnerability its self. There are so many loop holes in this idea it's scary. Lifehacker, I'm disappointed in you for promoting such fear mongering crap. Everything else you do is good, why this? -- Peter

SultanaAeson

I've had it installed for about a month or so now. I don't see any drain on resources.

Is it really protecting private data? I dunno. Maybe a little. But why not, right?

eVentureBiz

Why all this? How parnoid can we be? :/

rfu

@qzwang: It's always great to hear directly from developers, thanks for the post Qian! =)

Jason Fitzpatrick

While this is a good idea, it isn't going to guarantee you enough protection to be worth the money. Even if it was free I'd be doubtful of it's value.

As has been mentioned, it does nothing against hardware-based keystroke logging. And thanks to recent revelations of possible tampering by the Chinese in chips headed into the US, you can't be sure your keystrokes are safe just because there's not a dongle hanging on the outside of the computer.

Qian's description of the product sounds good, and the browser plugin is a clever idea. But I have to emphasize that any security feature done in software can be defeated in software. There's been significant progress in figuring out what a user types soley by timings and nothing else, for example.

But most importantly, this will only protect against keyloggers installed and running locally. It's useless against phishing websites. And it very well may be useless against browser-based keyloggers. And yes, those do exist.

FWIW, I'm a professional IT security guy with a CISSP, extensive experiencce with dealing with malware, vulnerability assessments, and all sorts of other fun infosec stuff.

Jeff the Riffer

@Jason: Thank you and thanks for the coverage.

There's been a lot of great comments here, but I don't agree with the notion that KeyScrambler isn't useful if it doesn't protect against every way in which a user's data can be stolen. To me, this is a bit like saying that door locks are not useful because they don't prevent burglars from climbing in from the windows.

Keylogging is a hard problem. And like most hard problems, the best way to solve it is to break it down into a number of smaller problems. This is what we're trying to do with KeyScrambler. We have been able to go from a situation where keyloggers literally had dozens of ways to log keystrokes, to just one or two hard-to-exploit ways such as using keylogging hardware.

It's true no software can stop hardware keylogging or chips that have been tampered with. But how likely is the average user to actually be keylogged this way? Unless your life is like a James Bond movie, I'd say not very. And if it is, then you probably have some kind of martini-to-text gadget from Q that's completely secure anyway.

So with KeyScrambler, we're finally making progress against keyloggers. We no longer have to say it's impossible.

Another point is that KeyScrambler does not exist in a vacuum. It is meant to be a part of a bigger security picture. There are good people and companies working on problems such as phishing and pharming and we haven't found the need to duplicate their efforts.

Use the right tool for the job. That applies in computer security just as it does everywhere else in life. After all, even if you have a state-of-the-art home security system with sensors and lasers up the wazoo, I bet you'd still want to lock your door.

--Qian (KeyScrambler developer)

qzwang

Majority of the keyloggers employ very low level OS calls, as such they won't be visible inside task manager. If someone develops a keylogger to work at application level, you can see it running inside task manager(This is what I believe).
The purpose of developing this add-on is to safeguard from those majority of keyloggers. By being little smarter(check the task manager on public computers), and using apps like this, we can surely avoid keylogging.

TechnoLaziness