incorrect rumor about profit updater

tntent · #1 03-20-2008, 11:27 AM

I am just asking if someone can look into a rumor that the updater is installing a keylogger on update... a wizzy on unrest claims that the profit updater installed a logger and now his accounts got hacked.

Kaldran · #2 03-20-2008, 11:41 AM

Actually I was waiting for someone to shift the blame for losing account control on the updater since I first released it

The updater is released under lgpl, so anyone is free to run through the code or compile it by themselves for security reasons.
While it would be theoretical possible to install a keylogger by compromising the web server files, this has not happened and is quite unlikely to happen as well.

For the next release the updater files will be digitally signed. While doing this has other reasons it will improve security even more, compromised files wouldn't be able to run at all.

pooka · #3 03-20-2008, 11:50 AM

To sum up what Kaldran said: No.

If you've got a keylogger you got it from somewhere else.

ObsidianDragon · #4 03-20-2008, 11:49 AM

I suspect if you install the updater from that file your new guildie emailed you or posted on your guild page, then yeah, it might have a keylogger.

Always best to download from the source

**gm9** · #5 03-20-2008, 11:53 AM

Yes, this "claim" was unfortunately already raised on the official forums as well and had previously been sent in PM's to me. Kaldran already said all there is to say.

Please check SOE's tips on how to keep your account safe. And please tell those people spreading misinformation to kindly shut up. Thanks.

tntent · #6 03-26-2008, 02:16 PM

i said pretty much the same thing. sorry for the rumor mongering.

Dechau · #7 03-30-2008, 03:31 AM

Why would anyone who put this much work into creating an UI which is if not the best there is, then in the top 3 for sure, destroy it all by putting in a logger ?

Everyone knows it would have been discovered eventually, and thus he would have lost the good reputation he spend years of building up.

Anyone who believe those rumours are just plain stupid, ofcourse there is no logger in the updater people.

Wake up and smell the coffee

Kaldran · #8 03-30-2008, 12:17 PM

I wouldn't call it stupid, but for sure it is not the best option to blame software with open source

Actually there is no need to install a key logger, I guess most people have their login credentials saved in ProfitUI's textfile for auto login anyways (which is a Bad Thing(tm) btw :P ). No virus scanner would be alarmed by an application just reading a text file...

**gm9** · #9 03-31-2008, 01:24 AM

It is never a bad thing to not blindly trust software, I tend to be pretty much paranoid with that myself. But yes, the open source aspect of Kaldran's updater does probably make you look stupid if like the person the OP mentioned you make accusations that everybody can easily show to not be true by looking at the source.

I'm not paranoid about the auto login textfile of ProfitUI however. I tend to think that if your system is compromised to the point that you caught an eq2 specific trojan that reads that file and is able to send the data out of your system then the bad guys could just as easily install a keylogger and thus target all eq2 users (as well as your login data for other services), not just those using specific custom UIs. Also I think the latter case is much more likely. So always keep your system secure.

Please note however that a malicious third party UI mod would easily be able to grab your login data and send it to a third party. I am not aware of such a malicious mod but the risk exists, so don't just blindly install mods you found somewhere on the web.