PtokaX forum

PtokaX => Support => Topic started by: Dam on 27 October, 2005, 17:03:59

Title: PtokaX should save password hashes instead of plain text
Post by: Dam on 27 October, 2005, 17:03:59
I think saving passwords as plain text is insecure: anyone who gains access to the server where PtokaX is can steal users' passwords.

It's important to say that a lot of users use a single password for all their services, so, with their hub password one can gain access to their e-mail service, and a lot more.

Using any of the standards here (http://csrc.nist.gov/CryptoToolkit/Hash.html) is MUCH more secure.

I recommend not using SHA-1, but it's better than just plain text.

Well, have good luck!

Greetings from Argentina
Title:
Post by: [ZD][Psycho] on 27 October, 2005, 19:25:14
QuoteOriginally posted by Dam
I think saving passwords as plain text is insecure
I agree. I've always thought that PX storing its passwords as plain text was the only big 'downside' of PX.
Title:
Post by: Pothead on 27 October, 2005, 20:24:39
Plain text is nice.
Secure your PC.
Title:
Post by: Dam on 27 October, 2005, 20:36:21
QuoteOriginally posted by Pothead
Plain text is nice.
Secure your PC.

8o

Then, I and most operating systems, are wrong...
Title:
Post by: PPK on 27 October, 2005, 20:42:49
It is not a problem to save passwords encrypted, but anyone who has access to the server will always be able to steal passwords :rolleyes:
Title:
Post by: Dam on 27 October, 2005, 20:58:08
QuoteOriginally posted by PPK
Is not problem to save passwords encrypted, but always anyone who have access to server will be able to steal passwords :rolleyes:

A password hash is pretty much useless to a cracker (because getting a password based on a hash is almost impossible), plus, none of the methods in the link I gave in my first post (except SHA-1) has a flaw (at least, now).

If it's not a problem, please do it, using any of the methods mentioned here (http://csrc.nist.gov/CryptoToolkit/Hash.html).
Title:
Post by: [ZD][Psycho] on 27 October, 2005, 21:28:43
QuoteOriginally posted by Pothead
Plain text is nice.
Secure your PC.
There's no such thing as a "secure" PC.
Title:
Post by: 6Marilyn6Manson6 on 27 October, 2005, 22:12:08
QuoteOriginally posted by [ZD][Psycho]
QuoteOriginally posted by Pothead
Plain text is nice.
Secure your PC.
There's no such thing as a "secure" PC.

Mm false... The PC not is never "secure" :D
Title:
Post by: PPK on 27 October, 2005, 23:22:58
QuoteOriginally posted by Dam
If it's not a problem, please do it, using any of the methods mentioned here (http://csrc.nist.gov/CryptoToolkit/Hash.html).
I don't find any useful sources to use on this link, and as I said before, if anyone has access to the server then they are always able to steal passwords, and saving encrypted passwords does not fix this!
Title:
Post by: Dam on 27 October, 2005, 23:35:34
QuoteOriginally posted by PPK
QuoteOriginally posted by Dam
If it's not a problem, please do it, using any of the methods mentioned here (http://csrc.nist.gov/CryptoToolkit/Hash.html).
I don't find any usefull sources to use on this link, and always as i say before if anyone have access to server then is always able to steal password and encrypted password saving not fix this !

Please note that I don't want PtokaX to encrypt passwords, I want PtokaX to hash passwords, which is not the same.

As I said before:

A password hash is pretty much useless to a cracker (because getting a password based on a hash is almost impossible), plus, none of the methods in the link I gave in my first post (except SHA-1) has a flaw (at least, now).

If you tell me in what language PtokaX is programmed, maybe I can find a hashing function for you.
Title:
Post by: Tiskelion on 27 October, 2005, 23:49:01
It'd probably be best to implement SHA2(224) hashing using the Crypto++ library (which is free).

Google is my friend :)
Crypto++ website (http://www.eskimo.com/~weidai/cryptlib.html)  :))

also i was wondering.. the passwords would be kinda long with a message digest that has a minimum of 160 bits  ?(  or am i mistaken..
Title:
Post by: Dam on 27 October, 2005, 23:54:21
QuoteOriginally posted by Tiskelion
It'd probably be best to implement SHA2(224) hashing using the Crypto++ library (which is free).

Google is my friend :)
Crypto++ website (http://www.eskimo.com/~weidai/cryptlib.html)  :))

also i was wondering.. the passwords would be kinda long with a message digest that has a minimum of 160 bits  ?(  or am i mistaken..

N I C E. You are right the passwords will be longer, so I don't expect PtokaX developers to make it a default option, but please make it an option at least. ;)
Title:
Post by: Tiskelion on 28 October, 2005, 00:29:38
On second thought, it might be better to use a hash as a key for the encrypting engine. so:

password creation:
1. user makes a password and regs with it.
2. the hub makes a hash from the password and encrypts the password with that hash as a key.
3. the hash is cleared from memory

password checking:
1. user logs in the hub, gives his password.
2. his password is hashed, that hash used as a key to decrypt his password.
3. if the given password and the stored password match, the user is authentic and is given access to the hub.

now the only problem - see, i don't know much about this stuff - is: is the hash for given string "string" the same each time? or does it change each time "string" is hashed? ?(
Title:
Post by: Dam on 28 October, 2005, 00:38:57
QuoteOriginally posted by Tiskelion
On second thought, it might be better to use a hash as a key for the encrypting engine. so:

password creation:
1. user makes a password and regs with it.
2. the hub makes a hash from the password and encrypts the password with that hash as a key.
3. the hash is cleared from memory

password checking:
1. user logs in the hub, gives his password.
2. his password is hashed, that hash used as a key to decrypt his password.
3. if the given password and the stored password match, the user is authentic and is given access to the hub.

now the only problem - see, i don't know much about this stuff - is: is the hash for given string "string" the same each time? or does it change each time "string" is hashed? ?(

Please avoid the word encryption. What I think should be done is:

Password creation:

1. User inputs the password in PtokaX at reg
2. PtokaX hashes that password and saves the result (the hash)

Password checking:

1. User inputs the password in PtokaX at login
2. PtokaX hashes that password and compares with the saved one, if they match, the user is authenticated, if not, access is denied

A hash for string X is always the same.
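The register/login steps above, as an added example that is not part of the original post and is not PtokaX code. It runs the scheme as described (a bare hash, here SHA-256) next to a salted, iterated variant (PBKDF2), because "a hash for string X is always the same" also means two users with the same password get the same stored value. Function names, the record format, the work factor and the sample users are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000   # assumed work factor; tune to the hub's hardware
SALT_LEN = 16          # bytes of per-user random salt


def plain_hash_record(password):
    """The scheme exactly as posted: store hash(password), nothing else."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password, salt=None, iterations=ITERATIONS):
    """Same idea, plus a per-user salt and a deliberately slow hash (PBKDF2)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def check_password(password, record):
    """Login check: recompute with the stored salt, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                      # malformed or truncated record: deny
    if scheme != "pbkdf2_sha256" or not expected:
        return False
    if not 1 <= iterations <= 10_000_000:
        return False                      # refuse absurd work factors from a tampered file
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def users_sharing_a_record(records):
    """Group nicks whose stored value is identical (what a copied file reveals)."""
    groups = defaultdict(list)
    for nick, value in records.items():
        groups[value].append(nick)
    return sorted(sorted(nicks) for nicks in groups.values() if len(nicks) > 1)


# Constructed sample register: two users happen to pick the same password.
SAMPLE_USERS = {
    "alice": "hub-pass-2005",
    "bob": "hub-pass-2005",
    "carol": "another one",
}

if __name__ == "__main__":
    plain = {n: plain_hash_record(p) for n, p in SAMPLE_USERS.items()}
    salted = {n: salted_record(p) for n, p in SAMPLE_USERS.items()}
    print("identical records, plain hash:", users_sharing_a_record(plain))
    print("identical records, salted    :", users_sharing_a_record(salted))
    print("alice logs in                :", check_password("hub-pass-2005", salted["alice"]))
    print("wrong password               :", check_password("hub-pass-2006", salted["alice"]))
```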
Title:
Post by: Tiskelion on 28 October, 2005, 00:55:22
Ah yes, stupid of me

why make it hard if it can be done simple :D
Title:
Post by: Dam on 28 October, 2005, 00:57:08
QuoteOriginally posted by Tiskelion
As yes, stupid of me

why make it hard if it can be done simple :D

Someone who calls himself stupid isn't one ;)
Title:
Post by: PPK on 28 October, 2005, 01:25:15
QuoteOriginally posted by Dam
A password hash it's pretty much useless to a cracker
No cracker is too dumb to trying to get password from hash... if is here DC protocol sending password as plain text :D
As I said before... anyone who has access to the server is able to steal passwords and does not need the file with passwords :rolleyes:
Title:
Post by: Dam on 28 October, 2005, 02:13:22
QuoteOriginally posted by PPK
QuoteOriginally posted by Dam
A password hash it's pretty much useless to a cracker
No cracker is too dumb to trying to get password from hash... if is here DC protocol sending password as plain text :D
As i say before... anyone who have access to server is able to steal password and not need file with passwords :rolleyes:

Don't you think we must make crackers' work harder and at least not let them use that file? :(
Title:
Post by: bluebear on 28 October, 2005, 09:24:30
Saving the passwords in a more secure way is a fine idea.
But DC is very insecure by nature, since passwords are sent as plain text when a user logs in. You can find these passwords by packet sniffing. And hashing the passwords will not make it more secure, you will still be able to find the passwords. The hash will always be the same on a given string. Which means that you can, fastly "un-hash" the passwords with a trial and failure method.

PPK wrote:
QuoteNo cracker is too dumb to trying to get password from hash

If they want the password for some reason they will try.
Title:
Post by: bluebear on 28 October, 2005, 09:28:04
QuoteOriginally posted by PPK
I don't find any usefull sources to use on this link, and always as i say before if anyone have access to server then is always able to steal password and encrypted password saving not fix this !

But at least it will keep amateurs from getting the passwords.
Title:
Post by: Dam on 28 October, 2005, 12:39:18
QuoteOriginally posted by bluebear
Saveing the passwords in a more secure way is a fine idea.
But DC is very insecure by nature, and since passwords are sent as plain text when a user login. You can find thease passwords by packet sniffing. And hashing the passwords will not make it more secure, you will  still be able to find the passwords. The hash will always be the same on a given string. Wich means that you can, fastly "un-hash" the passwords with a trail an failure method.

PPK wrote:
QuoteNo cracker is too dumb to trying to get password from hash

If they want the password for some reason they will try.

There's no fastly word on hashing world, that's the reason why I choose hashing over encryption.

When you got an encrypted password, you got a password. When you got a hash, that's all you have, you cannot recover a password from a hash, what you can do is a brute force attack.

As bluebear said, we should make amateurs work harder.
Title:
Post by: Pothead on 28 October, 2005, 15:20:46
If they can access your computer remotely, they are not amateurs, so you're f**ked no matter what you do.
If they can access your computer locally, like I said before: secure your PC.
Title:
Post by: Dam on 28 October, 2005, 15:38:51
QuoteOriginally posted by Pothead
If they can access your computer remotely, they are not amatures, so your f**ked no matter what you do.
If they can access your computer locally, like i said before Secure your pc.

An invulnerable computer does not exist, so please stop repeating me to secure it because I already did.

Someone who can get a password from a computer is not an awesome cracker, it's just someone who figured out (or stole) a password. I did such things when I was younger, for fun, using things like keyloggers. They are pretty easy to use, but they can still f**ck you up.

I do not understand why you don't want to secure something, I understand that the passwords can still be discovered, but you can stop amateur crackers, which enhances the security of your software.
Title:
Post by: bluebear on 28 October, 2005, 17:34:51
Anyway, I don't see how ppls here can say it's a bad idea.. Because it's not.. Of course passwords should be secured as much as they possibly can be, no doubt about that.

But there are more important things to implement in PtokaX before this.

But if PPK is interested, I would be happy to write the code to hash the passwords. So he would only need to implement a few function calls here and there?
Title:
Post by: Dam on 28 October, 2005, 17:51:58
QuoteOriginally posted by bluebear
Anyway i don't  see how ppls here can say its a bad idea.. Because it not.. Ofcourse passwords should be secured as much as they possibly can be, no doubt about that.

But there is more important things to implement in ptokax before this.

But if PPK is interested, i would be happy to write the code to hash the passwords. So he only would need to implement a few function call's here and there?

I would really appreciate it, ;)

If you use Crypto++ I think you should only use function calls, as you said.
Title:
Post by: nEgativE on 28 October, 2005, 18:10:06
Totally agree with this feature, good work for all of u :)
Title:
Post by: Pothead on 28 October, 2005, 19:24:17
QuoteOriginally posted by Dam
An invulnerable computer does not exist, so please stop repeating me to secure it because I already did.
Ever considered buying a lock for your door ?

QuoteOriginally posted by Luso
Totally agree with this feature, good work for all of u :)
Not so good for anybody who has forgotten their password.
Title:
Post by: Dam on 28 October, 2005, 19:35:05
QuoteOriginally posted by Pothead
QuoteOriginally posted by Dam
An invulnerable computer does not exist, so please stop repeating me to secure it because I already did.
Ever considered buying a lock for your door ?

QuoteOriginally posted by Luso
Totally agree with this feature, good work for all of u :)
Not so good for anybody who has forgotten their password.

If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.

PtokaX should not bother with saving passwords. If a user forgets his/her password, he/she should talk with the person who is running PtokaX and then get a new one (based on questions, I don't know).
Title:
Post by: plop on 28 October, 2005, 21:20:27
method 1.
some1 gets access 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada their passwords appear on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force un-hashed.

a secure windows machine doesn't exist, on average 6 exploits are found in only explorer itself per week.

but a simple hint: run px under its own user which has no login rights, and also secure the px folders by only giving that certain user access 2 the folder.
not foolproof but takes no extra resources and you add another layer of security (stays windows).

plop
Title:
Post by: Dam on 28 October, 2005, 21:32:17
QuoteOriginally posted by plop
method 1.
some1 gets acces 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada there password appears on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force  un-hashed.

a secure windows machine doesn't excist, on average 6 exploits are found in only explorer itself per week.

but a simple hint run px under it's own user which has no login rights, and also secure the px folders by only giving the that certain user acces 2 the folder.
not full proof but takes no extra resources and you add another layer of security (stays windows).

plop

We all know that a brute force attack is always possible but not feasible. And what we want to do now (at least, I do) is to prevent amateur crackers (kiddies who somehow gained access to the server) from stealing passwords.

Yeah, they can steal the hashes, but maybe they don't even know what a hash is. ;)

I don't understand what is wrong with another security barrier, :(
Title:
Post by: Tw?sT?d-d?v on 29 October, 2005, 00:08:49
I honestly think that PtokaX doesn't need to change the way passwords are saved etc ... there has never been any call for this to change ... so why all of a sudden the interest in getting this changed ?(

seems to me that you have got more of an interest in getting the files changed than you are letting on :P
Title:
Post by: Dam on 29 October, 2005, 00:55:11
QuoteOriginally posted by (uk)jay
I honestly think that PtokaX doesnt need to change to way passwords are saved ect ... there has never been any call for this to change ... so why all of a sudden the interest in getting this changed ?(  

seems to me that you have got more of an intrest in getting the files changed then you are letting on :P

Believe me, if PtokaX were open source, I would do what I want, :P. But it's not the case, so I need them to do it internally.
Title:
Post by: Pothead on 29 October, 2005, 01:44:17
QuoteOriginally posted by Dam
If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.
My point was, you can secure your PC to stop other people physically using it. As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.
Title:
Post by: Tiskelion on 29 October, 2005, 01:58:07
lay off the pot. we're not talking about physical access here.
Title:
Post by: Dam on 29 October, 2005, 02:03:42
QuoteOriginally posted by Pothead
QuoteOriginally posted by Dam
If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.
My point was, you can secure your pc to stop other people physially using it.  As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.

So what? Why can't I stop crackers doing more damage???

Man... please say something useful...
Title:
Post by: Pothead on 29 October, 2005, 12:07:43
QuoteOriginally posted by Dam
So what? Why can't I stop crackers doing more damage???
Man... please say something useful...
Well you and Tiskelion seem so determined about this feature. Personally I think it's a bad idea, and like what plop said, passwords will still be easily monitored via Ethereal.  Or by PtokaX itself.  Or a script added to PtokaX.  And to suggest someone who has the ability to hack your computer, but then not have knowledge to do any of them is kind of stupid.
Does this massive sudden desire to have them changed (like what Uk-Jay said), have anything to do with the !getpass function provided by a few scripts, and some malicious people you decided to give access to that command ?
As that sounds a lot more realistic than someone hacking your computer, just to get a few passwords, for a hub.
Title:
Post by: Herodes on 29 October, 2005, 15:40:29
QuoteOriginally posted by Pothead
My point was, you can secure your pc to stop other people physially using it.  As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.
I'll definitely go with this,... we aren't talking about money here.. it is just some extra cmds and privileges in a hub 4gs ...
Title:
Post by: plop on 29 October, 2005, 16:31:14
QuoteOriginally posted by Dam
QuoteOriginally posted by plop
method 1.
some1 gets acces 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada there password appears on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force  un-hashed.

a secure windows machine doesn't excist, on average 6 exploits are found in only explorer itself per week.

but a simple hint run px under it's own user which has no login rights, and also secure the px folders by only giving the that certain user acces 2 the folder.
not full proof but takes no extra resources and you add another layer of security (stays windows).

plop

We all know that a brute force attack is always possible but not feasible. And what we want to do now (I least, I do) is to prevent amateur crackers (kiddies who somehow gained access to the server) from stealing passwords.

Yeah, they can steal the hashes, but maybe they don't even know what a hash is. ;)

I don't understand what is wrong with another security barrier, :(

a brute force attack against px doesn't work, px is protected against this.
if you wanna add an extra layer of security you should protect the windows machine.
this can be done with a router or a linux/bsd rig setup as router/gateway.
for example my hub server is only accessible on the 2 ports px runs on, and those are protected with a N.I.D.S. and a firewall with state-full protection (which are running on BSD).

plop
Title:
Post by: Dam on 29 October, 2005, 19:03:20
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they were hashes).

It's very difficult for me to explain myself in English (and it puts me in a very bad mood).

So, please, don't think wrong things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.
Title:
Post by: ??????Hawk?????? on 29 October, 2005, 19:15:27
http://www.pctools.com/spyware-doctor/
Title:
Post by: Dam on 29 October, 2005, 19:19:27
QuoteOriginally posted by ??????Hawk??????
http://www.pctools.com/spyware-doctor/ (http://www.pctools.com/spyware-doctor/)

??
Title:
Post by: [ZD][Psycho] on 29 October, 2005, 19:24:05
QuoteOriginally posted by Pothead
Well you and Tiskelion seem so determind about this feature. Personally i think it's a bad idea, and like what plop said, passwords will still be easily monitored via Etheral.
What if someone used a newly found exploit in an FTPD that the hub's server is running? You can't guard yourself against everything. As bluebear pointed out earlier, this security feature would be protection against amateurs.
QuoteOriginally posted by Pothead
Or a script added to ptokaX.
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
QuoteOriginally posted by Pothead
And to suggest someone who has the ability to hack your computer, but then not have knowledge to do any of them is kind of stupid.
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
Title:
Post by: plop on 29 October, 2005, 21:39:57
QuoteOriginally posted by Dam
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they where hashes).

It's very difficult to me to explain myself in English (and I puts me in a very bad mood).

So, please, don't think wrongs things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.

i agree that plain text files for pw databases aren't secure, but px doesn't have any exploits.
so the pw database is safe from that side.
the risk comes from windows itself.
when it comes 2 key loggers the problem is simple, your anti virus fails.
you need 2 secure the server not the hub, just like it's plain stupid 2 place a vault in a house without locks on the door.
everybody can walk out with the safe.

my personal favorite way of storing the pw's is replacing the xml files with a sqlite/mysql server.
sqlite has an advantage over mysql as it doesn't require any setup/config.
so less hassle for hub owners.
but still if someone gains root access 2 the server they can steal the database and decrypt the data, same as with the hashes.
just sql works a hell of a lot faster and doesn't use extra resources/bandwidth from px.

plop
Title:
Post by: PPK on 29 October, 2005, 22:07:14
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
Title:
Post by: Dam on 29 October, 2005, 22:09:25
QuoteOriginally posted by plop
QuoteOriginally posted by Dam
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they where hashes).

It's very difficult to me to explain myself in English (and I puts me in a very bad mood).

So, please, don't think wrongs things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.

i agree that plain text files for pw databases aren't secure, but px doesn't have any exploits.
so the pw database is safe from that side.
the risk comes from windows itself.
when it comes 2 key loggers the problem is simple, your anti virus fails.
you need 2 secure the server not the hub, just like it's plain stupid 2 place a vault in a house without locks on the door.
everybody can walk out with the safe.

my personaly favorite of storing the pw's is by replacing the xml files for a sqlite/mysql server.
sqlite has an advantage over mysql as it doesn't require any setup/config.
so less hassle for hub owners.
but still if someone gains root acces 2 the server they can steal the database and dencrypt the data, same as with the hashes.
just sql works a hell of a lot faster and doesn't use extra resources/bandwidth from px.

plop

Usually, people who locks vaults have also other security methods. Strong doors, security guards, etc. ;)
Title:
Post by: Dam on 29 October, 2005, 22:16:57
QuoteOriginally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:

You mean:

Hash passwords as any SHA algorithms (except SHA-1) and send hashed passwords over Internet as TTH (what I would recommend)

or:

Hash passwords as TTH and send them over Internet as TTH also?

Any of the above, it's a big step, thank you so much!! :)
Title:
Post by: Pothead on 29 October, 2005, 22:31:42
QuoteOriginally posted by [ZD][Psycho]
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
Same goes for the Debug screen, showing the password. :)
QuoteOriginally posted by [ZD][Psycho]
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
If they can hack your computer, they are not amateurs, and it's pretty reasonable to assume they can tick a box in the settings, or know how to brute force stuff.
QuoteOriginally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
Then if they get the passwords database, i'll take 2 minutes to modify their client to just send the hash.  ?(
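The objection above (a copied password database plus a client that sends the hash) holds when the hub stores exactly the value the client sends. An added sketch, not PtokaX or DC client code, comparing that design with a hub that stores only a salted hash of the received value; SHA-256 stands in for Tiger, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def wire_token(password):
    """What a client would send instead of the plaintext password.
    SHA-256 is a stand-in here; the thread proposes Tiger."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class HubStoringToken:
    """Hub keeps the very value the client sends."""

    def __init__(self):
        self.db = {}

    def register(self, nick, password):
        self.db[nick] = wire_token(password)

    def login(self, nick, token):
        stored = self.db.get(nick)
        return stored is not None and hmac.compare_digest(stored, token)

    def file_values(self, nick):
        # Everything the password file holds for this nick.
        return [self.db[nick]]


class HubStoringHashOfToken:
    """Hub keeps salt + PBKDF2(token); the token itself never reaches disk."""

    ITERATIONS = 100_000   # assumed work factor

    def __init__(self):
        self.db = {}

    def _derive(self, token, salt):
        return hashlib.pbkdf2_hmac("sha256", token, salt, self.ITERATIONS)

    def register(self, nick, password):
        salt = os.urandom(16)
        self.db[nick] = (salt, self._derive(wire_token(password), salt))

    def login(self, nick, token):
        if nick not in self.db:
            return False
        salt, stored = self.db[nick]
        return hmac.compare_digest(stored, self._derive(token, salt))

    def file_values(self, nick):
        return list(self.db[nick])


def stored_value_logs_in(hub, nick):
    """Audit check: is any value from the password file accepted as a login token?"""
    return any(hub.login(nick, value) for value in hub.file_values(nick))


def audit(hub_class):
    """Return (genuine login works, a value from the file works as a token)."""
    hub = hub_class()
    hub.register("op", "constructed-password")   # constructed sample account
    genuine = hub.login("op", wire_token("constructed-password"))
    return genuine, stored_value_logs_in(hub, "op")


if __name__ == "__main__":
    print("hub stores token        :", audit(HubStoringToken))
    print("hub stores hash of token:", audit(HubStoringHashOfToken))
```

This covers the copied-file case only; a token captured on an unprotected connection is still accepted by either hub.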
Title:
Post by: Dam on 29 October, 2005, 22:48:03
QuoteOriginally posted by Pothead
QuoteOriginally posted by [ZD][Psycho]
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
Same goes for the Debug screen, showing the password. :)
QuoteOriginally posted by [ZD][Psycho]
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
If they can hack your computer, they are not amutures, and it's pretty reasonable to assume they can tick a box in the settings, or know how to brute force stuff.
QuoteOriginally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
Then if they get the passwords database, i'll take 2 minutes to modify their client to just send the hash.  ?(

amateur = someone who gets a password the easy way (keylogger, for example) and doesn't know: a) what a packet sniffer is b) what a brute force attack is c) how to modify the source of the client he/she uses d) what a hash is e) a big etc.
Title:
Post by: Pothead on 30 October, 2005, 00:26:15
To install a keylogger over the internet, means you must have shit security.
Don't use Internet Explorer, and get a decent firewall, virus scanner, and problem solved.  Anything which involves getting past a Firewall and / or Virus scanner, means that they ain't an amateur.

*** Edit ***
And yes, btw, i do know a way to hack a computer, which is undetectable by firewall and virus scanner.  But it still involves the victim using Internet Explorer.
Title:
Post by: Dam on 30 October, 2005, 01:23:21
QuoteOriginally posted by Pothead
To install a keylogger over the internet, means you must have shit security.
Don't use Internet Explorer, and get a decent firewall, virus scanner, and problem solved.  Anything which involves getting past a Firewall and / or Virus scanner, means that they ain't an amateur.

*** Edit ***
And yes, btw, i do know a way to hack a computer, which is undetectable by firewall and virus scanner.  But it still involves the victim using Internet Explorer.

To install a keylogger over the Internet means that the user who is running the server is stupid. But anything that enhances the security (at least a bit) of a piece of software is always important.

Can't you see that this will not only be good for me, but for all users who will use that feature??

I do know how to secure my PC, but it will not be invulnerable. Plus, social engineering exists and new software bugs (even in antivirus software) are found.