The title of a recent Lifehacker post was very intriguing: “Keep your password safe at public computers”. The content sounded even more promising since it was about an academic paper from Carnegie Mellon University with the heartening title: “How to login from an Internet cafe without worrying about keyloggers”.
I readily downloaded the PDF file and dived into reading it. What a disappointment! The proposed solution to defeat keyloggers was impractical and flawed in many aspects. I was amazed that a prestigious institution like Carnegie Mellon could produce such an amateurish study!
Then I took a closer look at the paper and discovered that Carnegie Mellon was not involved at all: the authors (Cormac Herley and Dinei Florencio) are from Microsoft Research, and I did not find any connection with the University except that this paper was presented at SOUPS 2006, the Symposium On Usable Privacy and Security held at CMU last July (!).
The fact that CMU was not directly involved was reassuring. The fact that Microsoft is saying “use this method and you are safe from keyloggers and spyware” is quite scary. Why write a professional-looking document and present it at a conference? Wouldn’t it be better to just write a short blog post and openly discuss this weak and quite old idea?
However, the paper was widely linked and has been dugg more than 1400 times, but the wrong attribution to Carnegie Mellon was never pointed out.
For those interested: the two authors delved even deeper into this idea and produced another paper about a system called KLASSP (KeyLogger Avoidance using a Shared Secret Proxy); the name says it all …

Image from Antispam.br
