suggestion for a new feature



TwistedMike
2009-01-10, 02:21
I was browsing all of the features of Kaspersky Internet Security 2009 and I noticed that they had a secured virtual keyboard now. As soon as I saw this, I thought this is a must for a feature request for Spybot.

Soultrain
2009-01-10, 22:46
I was browsing all of the features of Kaspersky Internet Security 2009 and I noticed that they had a secured virtual keyboard now. As soon as I saw this, I thought this is a must for a feature request for Spybot.

I agree. Taking into consideration that Spybot fights spyware (not only), and keyloggers are a type of spyware, it would make sense to have a virtual keyboard.

Regards

PepiMK
2009-01-12, 08:52
Hmmm...

"Secured" sounds... difficult.
Creating a virtual keyboard is not really difficult, but one really has to take care it does not create a false sense of safety. Various different types of "keylogging" activity take different approaches... a few quick thoughts:


1. A global hook into keyboard functions is the oldest trick. Protocols any keypress into a file, which'll include passwords. Used for personal spying mostly, passwords would have to be searched for manually.
   Counteraction: here, a virtual keyboard using e.g. GetWindowText/SetWindowText could paste characters from a virtual keyboard into a password field without such a keylogger noticing.
2. A modern keylogger might simply capture the contents of all edit fields that are password masked using the same GetWindowText and would thus bypass the above.
   Counteraction: no virtual keyboard will help here. If it is a browser application, interpreting the website and storing the password out of the field to only inject it when submitting a dialog would be a partial solution.
3. Modern keyloggers can track the mouse movements as well, in the worst case recording screenshots plus mouse position whenever the mouse is clicked (due to the amount of data, such a dense recording would be limited to cases where the focus might be on masked fields, aka password fields).
   Counteraction: on Vista, elevation that is allowed to drive UI input to other windows. Does not help if the passworded app is already elevated, nor against the problem described in 2.
4. The password stealer type of virtual keyboard might work e.g. as a BHO, capturing passwords from all web forms with fields that are masked or have a suspicious password-field-like name.
   Counteraction: a virtual keyboard would have to paste false data into the form, and inject the good password only at a very low level, like an LSP. In the hope that the stealer is not on LSP level as well and acting after itself. Even then, it might cause trouble, become incompatible with anonymization features like Tor, and more importantly, does not properly work with secure (https) connections, skipping the global security for a local one.

I could add a few more arguments, but I think the point is getting clear: a somewhat useful virtual keyboard has to apply itself on many levels and be customized to the various browsers and still would only make you safe from maybe 50% of all keyloggers. Rigging together a simpler one that protects against maybe 20-30% would indeed be simple, but in both cases, the huge danger I see is that it would create a false feeling of being safe from keyloggers!

More details on how you think a [really] "secure" virtual keyboard should work are welcome of course :)

TwistedMike
2009-01-12, 16:39
Well, maybe you could make like a test virtual keyboard and see how that goes, and if it goes good keep it, if it doesn't get rid of it.

PepiMK
2009-01-12, 17:04
How do you define "goes good"?

Sure, it might be that people like it a lot. But user perception does not change the fact that it creates a false feeling of security.

And as for tests, sure, I could select a dozen keyloggers and say that it works perfectly, blocking 100% of tested keyloggers. At the same time, I could always find a dozen that are still monitored and could say 0%. I guess that's what Kaspersky did - tested those they would counter and then labeled it "secure".

So my main issue still stands: either tell me a concept that will block a reasonably large amount of keyloggers (for me that would be > 95%, and I highly doubt that is possible), or how this would not fool people into believing in a security that it does not grant.

See, I'm no marketing person advertising something as great when I feel it's not really as good for the user in the end ;)

TwistedMike
2009-01-12, 21:49
Well, I don't want to annoy you with this topic, so I will say no more. Maybe someday in the future this could be possible, but not now.

PepiMK
2009-01-12, 21:51
It wasn't annoying, we just don't want to disappoint or bloat with a feature that might not be as cool/effective as it sounds ;)

In fact, I even remember how I discussed various password input methods with a team member one or two years ago... he had some interesting ideas, but we went in a circle for a long time I think ;)

TwistedMike
2009-01-12, 22:58
Well, with Spybot expanding as fast as it is, maybe in the future, like a couple of SB versions later, this could be implemented, but for now it will just be left as a suggested idea that isn't completely safe yet because of many risks.