Author Topic: Software like autohotkey + crypto software wallets = paranoia  (Read 2003 times)


Offline problemxyz

  • Thread Starter
  • Posts: 58
  • Location: Belgium
Software like autohotkey + crypto software wallets = paranoia
« on: Mon, 30 August 2021, 09:25:56 »
Hi

Does anyone use something like autohotkey in combination with a crypto wallet on their computer? I'm too paranoid to do it, because I'm too afraid the software can be used to leverage keylogging and intercept the passphrase.

Is the increased risk real?
In my case I would like to use Karabiner cause I'm on Mac. Shouldn't really matter I think.
My new upcoming keyboard (Keychron Q1) will have QMK but it would be nice not having to rely on a QMK compatible keyboard.
While I know people get QMK keyboards for the opposite reason; to not rely on software like autohotkey. But that's just me I guess.
« Last Edit: Wed, 01 September 2021, 03:49:20 by problemxyz »
Keychron Q1 Unsilenced Boba u4T silents 55g springs Mistel keycaps | Keychron K6 Feker Panda MT3 Cyber | GK64 in pieces | Ducky One Full Size PCB broken

Offline Sup

  • * Exquisite Elder
  • Posts: 1336
  • Doing university was a mistake
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #1 on: Mon, 30 August 2021, 16:01:48 »
With AHK you run scripts. If you really want to be sure nothing weird is happening, why not open the script up and see what it all does?
Filco Zero -  NOS Yellow Alps | Canoe R1 Gateron Red | AEK II JP Cream dampened |Filco Majestouch 2 Tex case Gateron Yellow | HHKB Pro 1 2003 Rev AO Serial 000171 | HHKB Pro 1 2003 Rev A1s|DZ60 OG Panda's with Fei spring and stem. | Sentraq S65_Plus OG Invyr Panda's | A17 Gateron Black TX 65G 3204 | Lubrigrante Wildcard Cherry MX silent blacks 3204 58.5G Springs | Rukia Everglide Tourmaline Blue 58.5G Springs | MGA Standard Greetech brown |
Rest in peace Billy Herrington(William Glen Harold Herrington) 1969-2018
Rest in peace Byron Daniel 1989-2020

Offline suicidal_orange

  • * Global Moderator
  • Posts: 4771
  • Location: England
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #2 on: Mon, 30 August 2021, 16:40:22 »
AHK watches every keystroke to see if it needs to intercept and change it to something else - it could log anything.  On the other hand it's open source and very well known so if it did anything dodgy someone would have noticed.

Karabiner Elements is also open source, not as well known as it's for Mac but I'd still say it's big enough to be trustworthy.

Saving passwords into scripts (or however Karabiner works) probably means saving them in plain text somewhere on your computer - that is not a good idea.
120/100g linear Zealio R1  
GMK Hyperfuse
'Split everything' perfection  
MX Clear
SA Hack'd by Geeks     
EasyAVR mod
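
Added example (not part of any post in this thread): one way to do the script review suggested in the two replies above, written in Python. It flags AutoHotkey v1 lines worth reading by hand and hotstring or Send text that looks like a stored secret; the rule set, the `looks_secret` heuristic and the sample script are assumptions constructed for illustration.

```python
import re

P = r"(?:^|::)\s*"  # a command at line start or directly after a hotkey label
# AutoHotkey v1 constructs that can observe keys or move data. A hit is a
# reason to read that line, not proof of malice.
RISKY = {
    "keystroke capture": P + r"Input\s*,|\bInputHook\s*\(|#InstallKeybdHook",
    "writes to disk": r"\bFileAppend\b",
    "network access": r"\bUrlDownloadToFile\b|WinHttp\.WinHttpRequest",
    "runs code": P + r"Run(?:Wait)?\b|\bDllCall\s*\(",
}
HOTSTRING = re.compile(r"^:[^:]*:[^:]+::(.+)$")
SEND = re.compile(P + r"Send(?:Input|Raw|Play|Event)?[\s,]+(.+)$", re.I)

# Constructed sample script (not from the thread); every value is made up.
SAMPLE = """\
; constructed sample script for this example
CapsLock::Esc
::addr::12 Example Street
::wpw::Tr0ub4dor&3-wallet
^!s::Send, abandon ability able about above absent absorb abstract absurd abuse access accident
^!k::Input, choice, L1
UrlDownloadToFile, https://example.invalid/layout.ini, layout.ini
#n::Run, notepad.exe
"""

def looks_secret(text):
    """Heuristic (assumption): recovery-phrase shape or a password-like token."""
    words = text.split()
    if len(words) >= 12 and all(w.isalpha() and w.islower() for w in words):
        return True
    return any(
        len(w) >= 10 and re.search(r"[A-Za-z]", w) and re.search(r"\d", w)
        and re.search(r"[^A-Za-z0-9{}]", w) for w in words)

def audit(source):
    """Return (line number, finding) pairs for lines a reviewer should read."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(";"):  # full-line comment
            continue
        for label, pattern in RISKY.items():
            if re.search(pattern, line, re.I):
                findings.append((n, label))
        m = HOTSTRING.match(line.strip()) or SEND.search(line)
        if m and looks_secret(m.group(1)):
            findings.append((n, "plaintext secret"))
    return findings

if __name__ == "__main__":
    for n, label in audit(SAMPLE):
        print(f"line {n}: {label}")
```

A plain remap such as `CapsLock::Esc` produces no finding; anything that is flagged still needs a human to read the line in context.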

Offline F eq ma

  • Posts: 59
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #3 on: Mon, 30 August 2021, 21:55:40 »
Personally, I use KeePass with a yubi key token for some auto login functions. I basically open the keepass db with an auto lock after x minutes. I have mapped alt-cntrl-? key combo to allow auto type credentials into web pages and other portals. It works for my use cases. I use AutoHotKey for controlling iTunes… but that is probably a different topic. Also, I am a Windows user.

Offline Volny

  • Posts: 235
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #4 on: Tue, 31 August 2021, 08:26:06 »
I use both QMK and Autohotkey. QMK is great as a base, but it can only do a small fraction of what AHK can do. I like using both but if I could only use one it'd be AHK for sure.

But while the risk of AHK or Karabiner stealing your money is probably next to non-existent, the effect of your paranoia is real. If you're going to always have niggling doubts plaguing you then you may as well just go with QMK for the peace of mind, despite its limitations.

Offline problemxyz

  • Thread Starter
  • Posts: 58
  • Location: Belgium
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #5 on: Tue, 31 August 2021, 15:21:56 »
I'm not worried that the software or the scripts themselves would be malicious in terms of trying to get into wallets per se. And I say per se because being worried about literally everything is always the safest of course.

But as I'm understanding in order for Karabiner to work on your Mac, you have to basically allow it to act like a keylogger.
And I think the real question is, is permitting one software to log your keyboard activity something that malware could escalate into permissions for keylogging other software in this case a software wallet? Or, would it be just as hard for malware to try and hack the wallet if you had permissions for Karabiner or not?

> Personally, I use KeePass with a yubi key token for some auto login functions. I basically open the keepass db with an auto lock after x minutes. I have mapped alt-cntrl-? key combo to allow auto type credentials into web pages and other portals. It works for my use cases. I use AutoHotKey for controlling iTunes… but that is probably a different topic. Also, I am a Windows user.

That could answer my question if from what you say yubi key allows to bypass pressing keys and therefore keylogging.

> AHK watches every keystroke to see if it needs to intercept and change it to something else - it could log anything.  On the other hand it's open source and very well known so if it did anything dodgy someone would have noticed.
>
> Karabiner Elements is also open source, not as well known as it's for Mac but I'd still say it's big enough to be trustworthy.
>
> Saving passwords into scripts (or however Karabiner works) probably means saving them in plain text somewhere on your computer - that is not a good idea.

Agreed not a good idea. I personally save passwords in Bitwarden. Except my wallet stuff, I just write down. So it's not necessarily in the storing, or even Karabiner logging something it shouldn't. More the permissions for logging itself.

I was pretty set on getting QMK for the exact reason that Volny said; once you're paranoid there's no saving you. While I'm still open to a suggestion that
Also, QMK is going to be enough for now I think. Just have my arrow keys as jkli and numpad around homerow would be grand. But I would love to not have to rely on QMK compatible keyboards.

Anyways I'm starting to ramble. But you get my point by now I guess.



Offline Volny

  • Posts: 235
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #6 on: Tue, 31 August 2021, 18:43:42 »
Most keyboards are programmable one way or another. So if your next keyboard doesn't support QMK it'll probably come with its own bespoke software utility that you can use to set up your layers. So the odds of you getting a keyboard that requires you to use karabiner are probably pretty low.

At one stage I had 3 keyboards/macropads plugged in that required 3 different software utilities to be running (one from Corsair, one from coolermaster, one from maxkeyboards). Plus a fourth mini macropad that didn't need software running all the time but did need it to modify its firmware. I actually grew weary of having to deal with 4 sets of idiosyncrasies and 4 separate possible failure points, so have started to phase them out for QMK only boards so they can at least all work the same way. I guess that kind of universality is what you're hoping to achieve with karabiner.
« Last Edit: Tue, 31 August 2021, 18:46:09 by Volny »

Offline problemxyz

  • Thread Starter
  • Posts: 58
  • Location: Belgium
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #7 on: Wed, 01 September 2021, 01:14:56 »
> Most keyboards are programmable one way or another. So if your next keyboard doesn't support QMK it'll probably come with its own bespoke software utility that you can use to set up your layers. So the odds of you getting a keyboard that requires you to use karabiner are probably pretty low.
>
> At one stage I had 3 keyboards/macropads plugged in that required 3 different software utilities to be running (one from Corsair, one from coolermaster, one from maxkeyboards). Plus a fourth mini macropad that didn't need software running all the time but did need it to modify its firmware. I actually grew weary of having to deal with 4 sets of idiosyncrasies and 4 separate possible failure points, so have started to phase them out for QMK only boards so they can at least all work the same way. I guess that kind of universality is what you're hoping to achieve with karabiner.

Could you be talking about the Windows world though? I do also have a GMMK full size, which indeed has software but in those cases it's almost always Windows only.

Offline Leslieann

  • * Elevated Elder
  • Posts: 4519
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #8 on: Wed, 01 September 2021, 01:34:53 »
> Most keyboards are programmable one way or another.

IF it's a major brand.
A lot of these cheap boards out of China come with either nothing or a download from a Google Drive or Dropbox and you have no idea what's in it and it's almost always Windows only.
Novelkeys NK65AE w/62g Zilents/39g springs
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
Ergo Clears, custom WASD caps
| Das Pro
Costar model with browns
| GH60
Cherry Blacks, custom 3d printed case
| Logitech Illuminated | IBM Model M (x2)
Definitive Omron Guide. | 3d printed Keyboard FAQ/Discussion

Offline Volny

  • Posts: 235
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #9 on: Wed, 01 September 2021, 07:22:03 »
Ah yeah, I hadn't thought of the software being windows only. Still, this is a hypothetical problem, right (since your current keyboard supports QMK anyway)? Like I said I'm phasing out my non-QMK boards/macropads, and while it's definitely narrowed my options a little, I haven't felt like the narrowing of options has been drastic. There are still plenty of QMK boards to choose from.


And anyway, I'm sure you'll be fine with Karabiner. I'm no security expert, but I suspect that if you're at the point where malware has gained access to your copy of karabiner, then you've already had a serious security breach, in which case the malware already has your computer on its back, karabiner or no karabiner. Though this is just my speculation - like I said, I'm no expert.

Offline problemxyz

  • Thread Starter
  • Posts: 58
  • Location: Belgium
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #10 on: Fri, 03 September 2021, 02:00:32 »
It's not access to the software that I'm worried about as I've stated. But the permission itself that can somehow be leveraged, because for Karabiner to work it needs to keylog.
And I don't have a keyboard with QMK at this moment but I did order one. Which leaves me with my other 3 keyboards that don't have QMK.

On the other hand of course. If keylogging in Karabiner would pose any security threat at all, any application that has a login system would be at risk, not just cryptowallets. Haven't looked at it that way yet.

Offline Leslieann

  • * Elevated Elder
  • Posts: 4519
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #11 on: Fri, 03 September 2021, 20:49:41 »
Karabiner has a pretty good reputation, as does AutoHotKey (which also happens to be open source), both are staples for this sort of thing.
I wouldn't worry about the programs, be more worried about whoever hosts their files getting hacked and injecting code, it's happened to torrent clients in the past, however that can happen to any software, MS itself was hacked recently. There's only so much within your control.

If you're truly concerned though, run your wallet in a virtual machine. This puts a barrier between the keyboard software and the OS your wallet is running on. It could log the keys but not know what they are going to and if you change the program with focus you could completely contaminate the input to unusable.  Alternately, you could run the key program in a virtual machine and monitor the network for any traffic to see if you want to trust it.

Offline annyeed

  • Posts: 6
  • Location: Paris
Re: Software like autohotkey + crypto software wallets = paranoia
« Reply #12 on: Thu, 16 May 2024, 15:42:17 »
> I'm not worried that the software or the scripts themselves would be malicious in terms of trying to get into wallets per se. And I say per se because being worried about literally everything is always the safest of course.
>
> But as I'm understanding in order for Karabiner to work on your Mac, you have to basically allow it to act like a keylogger.
> And I think the real question is, is permitting one software to log your keyboard activity something that malware could escalate into permissions for keylogging other software in this case a software wallet? Or, would it be just as hard for malware to try and hack the wallet if you had permissions for Karabiner or not?
>
> > Personally, I use KeePass with a yubi key token for some auto login functions. I basically open the keepass db with an auto lock after x minutes. I have mapped alt-cntrl-? key combo to allow auto type credentials into web pages and other portals. It works for my use cases. I use AutoHotKey for controlling iTunes… but that is probably a different topic. Also, I am a Windows user.
>
> That could answer my question if from what you say yubi key allows to bypass pressing keys and therefore keylogging.
>
> > AHK watches every keystroke to see if it needs to intercept and change it to something else - it could log anything.  On the other hand it's open source and very well known so if it did anything dodgy someone would have noticed.
> >
> > Karabiner Elements is also open source, not as well known as it's for Mac but I'd still say it's big enough to be trustworthy.
> >
> > Saving passwords into scripts (or however Karabiner works) probably means saving them in plain text somewhere on your computer - that is not a good idea.
>
> Agreed not a good idea. I personally save passwords in Bitwarden. Except my wallet stuff, I just write down. So it's not necessarily in the storing, or even Karabiner logging something it shouldn't. More the permissions for logging itself.
>
> I was pretty set on getting QMK for the exact reason that Volny said; once you're paranoid there's no saving you. While I'm still open to a suggestion that
> Also, QMK is going to be enough for now I think. Just have my arrow keys as jkli and numpad around homerow would be grand. But I would love to not have to rely on QMK compatible keyboards.
>
> Anyways I'm starting to ramble. But you get my point by now I guess.

Risk is always and everywhere. You may be paranoid, but in our world you can never be too careful (check everything).