[Raktor]

http://whatpulse.org/
&
http://whatpulse.bounceme.net/
(Use the top to register, and the bottom one for your siggy )

WhatPulse manages the number of times you click, and type any key. It is then exported to your signature.

And for all you people who are thinking "oeh mi god a keylogger, no way!", well, exactly, No way. WhatPulse is not and never will be any sort of keylogger, it does not collect the keys you type, but only how many keys you type. (see our Privacy Policy)

.

Join under team 'SeeD'. (Password is seedz0rs).

I will winz0rs!!!1!one!

[Ratty]

No! I will pwnz0r J00!!2112!!eleven!!

[Goto]

It may say it's safe, but having a programthat is monitoring your clicks and things doesn't really appeal to me.

It's still a keylogger, even if it's not a malicious one. I'd prefer not to risk it, personally.

[CongressJon]

I'm going to have to go with Goku. While I understand you find it safe, I never, ever, take any chances, especially after finding numerous keyloggers on my PC in the past.

[Ratty]

eheheheh, bigbro and i are very cautious with keyloggers

eehhehe, anywayz:

I'm going to have to go with Goku.

Goku? that a new nickname for him?

[Unknownentity]

joins... pretty cool... i am going to own u all... don't worry...

[cjjones]

I'm in... I type quite a bit online if there's anyone worth conversing with on MSN at the same time... And I plan on playing Warhammer 40K: Dawn of War quite a bit (strategy game; roll in the clicks ).

[Doomed1]

Pshaw, ye all need to join SeeD! ...In WhatPulse at least. I am still the leader clicker for now!

[Ratty]

Eh, i think im leading with the keys though

Thats what counts

[Cspace]

And for all you people who are thinking "oeh mi god a keylogger, no way!", well, exactly, No way. WhatPulse is not and never will be any sort of keylogger, it does not collect the keys you type, but only how many keys you type. (see our Privacy Policy)

You should never be so trusting, sorry to say. If one wishes to investigate the security of a closed-source program he/she should not do the investigation on the site of the program. If a program were a keylogger, the designer would definitely not say so on his/her site (in fact, probably the opposite). If the programmer is not in a country that enforces it, he/she could flat-out lie and probably nothing would happen (at least until an international law is passed).

Anything one downloads could have a keylogger, it's not very responsible to undermine the possibility.

Since so many SeeDs went on it I believe that it is someone's responsibility to investigate the program's security. Since I feel well informed in security issues I figured that I may as well do the investigation (plus it is such a geeky thing, I may as well help ya'll out with my thousands of clicks per second if it's safe ).

****************************************************

Since the program is closed-source, it is not legally possible to decompile it and see exactly what goes on in the guts of the program. It is possible, however, to see its method of transmitting. This is something I found on another website:

I investigated the client quite significantly, and I feel confident that it is not a security issue. Why?

First, I investigated into how the client transmits its pulses. It transmits the pulses to a CGI script over HTTP via GET. That is, the pulses are like so: (I replaced some characters with 'xxx' for my privacy.)


GET /cgi-bin/pulse.cgi?jh8=pp&an=jevon&pwd=lhsng7xxxxxxxxxxx
xxxxflZ&kc=lrsjt7kiIljbmoxxxxxxxxxxxxxxxxxxxxxxklilv2oxdgjVh
iQiceiiZliPmfomhdniHnxjorDgkv&tsec=1061448232
There doesn't appear to be anything suspicious from here; jh8 seems to be the update mode, an appears to be the username, pwd an encrypted (or encoded with base64) password, kc the keycount (encrypted somehow, perhaps with base64), and tsec probably the Unix timestamp of the current submitted time. Or maybe the timestamp of the last submission, so the program can work out the interval? (Thanks to Colin T. for suggesting a few tips on decoding this query string!)

Investigation on the internet also led me to believe that it was not a security issue. The WhatPulse project was based on the Project Dolphin project, which was basically the same project just with fewer features. This project was open source for a short period of time, but the project was abandoned when the author could no longer support the resource drain. Numerous articles and the length that this project has been up has also led me to believe that it is unlikely to have a sort of keylogging facility. (If I knew how to reverse assemble, I would have used this ability, too. )

This is not conclusive, but it points to the program most likely being safe. It is not enough in my mind though, so I went through numerous websites and searched for any issues which have come up.

I have found no evidence of anyone's privacy being compromised.

Then I went through their site extensively. WhatPulse is infact part of WhatNet (not just a claim). I then checked Google to see if other "WhatNet" sites exist (to see if it's a copy, it is sometimes a concern with .org addresses for their type of service). That is the only one.

Along with that, WhatNet is a known IRC network. Unfortunately I cannot determine where they are based however. They are most likely safe.

The truth is that any program you download could have a keylogger. Absolute trust should never be obtained by anyone you don't personally know, for all you know Runescape, AIM, or even Internet Explorer could be keyloggers (probably not, hehe, but I'm making a point).

After all this I will say that WhatPulse is probably safe. I will say that I am 98% sure of it. There is always that small chance that it is not, but I would probably trust it.

I am probably going to try it out, but I am just posting this to share what I found if anyone finds it important.

[CongressJon]

While I still don't entirely trust it... I've downloaded it, and I'll try it out. I doubt Norton would detect anything, but if it did, 'tis gone. Long gone. But at any rate, it's kind of fun to some degree, so I'll see how it goes, and put it in my sig. I wonder if I could get to number one... We'll see.

[MA-53]

How do you join t3h team now?

[Kowboy]

Although I trust what everyone is saying about it, being good and all, I still don't think I will download it. Only because this is a family PC, and keeping my PC secure from potential risks like this is a top priority.

I will download it (maybe) and scan it with all the programs I have, and give you guys a report on what I get. (After I read the privacy policy.)

The WhatPulse client is provided to you as it is. We are NOT responsible for any damage this application might do to your computer enviroment. Neither the WhatPulse client nor the server logs keystrokes. The client checks each keystroke as it is entered to ensure that it is a valid key, but the key itself is not stored. Only the aggregate number of valid keys entered is stored on the WhatPulse server.

Although this says its not responsible for any damage caused, it seems like tis perfectly fine to use. Its method of recording keystrokes (as stated above) just verifies that its a key, and does not store the information gathered. I would not be to worried about the "NOT responsible for damage" thing, most programs carry that label.

This post has been edited by Supernova: 16 October 2004 - 04:13 PM

[MA-53]

I joined seed, but it'll be a few hours 'afor it shows. Oh well.

[asyluman]

I did a crapload o' virus scans before and after, and the only stuff that came up were some "unnecessary" temporary files taking up space. I don't even know if Whatpulse made 'em.

Hi-ho, bronzey away!