Jer Jer and I like to compete. We come up with just about anything to try to better each other with. Our regular competition is number of steps over the weekend via a Fitbit challenge. I pretty much dominate and destroy Jeremy every weekend, which makes me feel good about myself. A few days ago Jeremy suggested we compete over keys and mouse movement. We both spend lots of time at the keyboard and it seemed like an interesting thing to track. At Jeremy’s urging I installed WhatPulse to track my key presses. Today I was showing Wes the heat maps WhatPulse provides, showing where you mouse most and which keys you press most in pretty colours.
Then Wes said, “Um, I might be a country Exchange Admin, but I don’t think installing a keylogger at work is a good idea.” Boy gosh golly, Wes’s words sure got me thinking. I like my job and I don’t think it would be cool to break my job. Bottom line is you can’t 100% trust any code you do not write yourself. That being said, with some looking you should be able to mostly trust software. After looking around today, I’m 99% trusting of WhatPulse. Below is a quick outline of what led me to trust their code.
- Then I searched their support forums http://whatpulse.org/forums/ to learn a bit about the product. The company has been around for a number of years, and people don’t hate them.
  - They also have a team of people watching people’s numbers to make sure they are not cheating, which shows good intentions to me.
- Next I ran ProcMon to see what WhatPulse was touching, and where, during a day of operation. ProcMon shows data being written to a log file and the database, and it reads some data here and there about my machine for the machine stats.
- WhatPulse uses SQLite for the database, so I downloaded SQLite Maestro and opened the database to see what all was stored in there. As I suspected, and as the forums indicated, the application only stores increments of key presses over periods of time. It does not store the order of keys pressed. WhatPulse stores similar data about bandwidth and mouse movement. It does not look like this could be used to work out my passwords or what I’m typing – feeling better here.
- I’m comfortable with the database now, but what about random packets over the internets? I fired up Message Analyzer and told it to capture all of the packets coming from the WhatPulse app and the WhatPulse watcher application. I captured packets while running ProcMon, looking for any other things that might spawn. Then I pressed pulse a few times to see what happens there. Looks to me like nothing is headed out that should not be headed out, and what’s being sent out is all headed out with SSL over port 443, so it’s encrypted in transit.
- Next I fired up Fiddler to watch the decrypted HTTPS traffic stream, because I wanted to see what was going back and forth inside of the SSL. Other than the product checking for updates or pulsing data to the web site, I didn’t see anything going out over the course of the day, which made me sad face. The packets I did decrypt all look to match the data in the database.
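As an added example of the database check in the SQLite step above (this is not the author's code or anything shipped with WhatPulse), here is a small Python audit that opens a SQLite file, walks every table, and flags anything that looks like an ordered keystroke stream or buffered free text rather than plain counters. The two schemas embedded below are constructed to show both shapes; they are not WhatPulse's real schema.

```python
import sqlite3

# Constructed sample schemas (assumptions, NOT WhatPulse's real tables):
# one stores only aggregate counts per key, the other an ordered keystroke stream.
AGGREGATE_SQL = """
CREATE TABLE keypresses (day TEXT, keycode INTEGER, count INTEGER);
INSERT INTO keypresses VALUES ('2014-03-01', 65, 1204), ('2014-03-01', 66, 311);
CREATE TABLE mouse (day TEXT, distance_px INTEGER, clicks INTEGER);
INSERT INTO mouse VALUES ('2014-03-01', 918233, 4120);
"""
LOGGER_SQL = """
CREATE TABLE keylog (ts REAL, keycode INTEGER);
INSERT INTO keylog VALUES (1393632000.1, 80), (1393632000.3, 65), (1393632000.4, 83);
CREATE TABLE clipboard (ts REAL, body TEXT);
INSERT INTO clipboard VALUES (1393632001.0, 'hunter2 is my password, please remember');
"""

MAX_TEXT = 32  # longest string a stats-only table should reasonably hold

def audit(conn, max_text=MAX_TEXT):
    """Return findings for tables that look like event logs or free text, not counters."""
    findings = []
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        cols = cur.execute(f'PRAGMA table_info("{t}")').fetchall()  # (cid, name, type, ...)
        names = [c[1] for c in cols]
        types = {c[1]: (c[2] or '').upper() for c in cols}
        # Heuristic 1: a per-row timestamp beside a key column, with no counter, is an ordered stream.
        has_ts = any(n.lower() in ('ts', 'timestamp', 'time') for n in names)
        has_key = any('key' in n.lower() for n in names)
        has_count = any(n.lower() in ('count', 'total', 'presses') for n in names)
        if has_ts and has_key and not has_count:
            findings.append(f'{t}: timestamped per-key rows, looks like an ordered keystroke log')
        # Heuristic 2: long free-text values could be buffered typed input or clipboard contents.
        for n in names:
            if 'TEXT' in types[n] or types[n] == '':
                longest = cur.execute(f'SELECT MAX(LENGTH("{n}")) FROM "{t}"').fetchone()[0]
                if longest and longest > max_text:
                    findings.append(f'{t}.{n}: text value of {longest} chars, possible captured input')
    return findings

def audit_script(sql):
    """Build an in-memory database from a SQL script and audit it."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(sql)
    return audit(conn)

def audit_file(path):
    """Audit an on-disk SQLite database, e.g. the one an app keeps in its profile folder."""
    return audit(sqlite3.connect(path))

if __name__ == '__main__':
    print('aggregate:', audit_script(AGGREGATE_SQL))  # expect []
    print('logger:', audit_script(LOGGER_SQL))        # expect two findings
```

The heuristics are deliberately simple; the point is to confirm the stored shape (counts per interval) against what the forums claim, not to prove the absence of anything.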
From here I was satisfied and comfortable enough with the product to keep using it and enjoy the pretty pictures it creates about my button and mouse movement. Jer Jer suggested go big or go home and run WinDbg against it and dump the active process – I did this a few times and did not find anything annoying to me. However, I forgot to screen capture the process, and I am too lazy to do it again. You’ll just have to trust me the dumps are clean. HA!!