How to detect sneaky installs on a Mac
August 26, 2007 6:40 PM

Is there any way for me to tell if someone has installed software on my Macbook, like a keyboard logger, without my knowledge? I'm a bit of a Mac newbie, and I'm pretty sure my roomie is looking at my email to see if I've been corresponding with his ex-girlfriend (which I have NOT been doing, for what it's worth).
posted by anonymous to Technology (17 answers total) 6 users marked this as a favorite
Here's a review of MacScan, which the reviewer says is available as "try before you buy."

I haven't used it, but it may be worth a shot.

Your roommate uses your computer? You might have to just say no.
posted by The Deej at 6:51 PM on August 26, 2007


one specific thing you can look for:

Boot up your mac in verbose mode by holding down command+v after the bootup chime.

If you see an item scroll by that says "logKext" in it, then you have yourself a keylogger
posted by melorama at 6:54 PM on August 26, 2007


...Or make him his own guest account where he can't access your shits.
posted by sneakin at 6:54 PM on August 26, 2007


A few other questions I have:

When you start up your mac, does it automatically log you in to your desktop? If so, that's a huge problem, especially if your account has admin privileges. Even if it didn't, your roommate can still boot your system in single user mode and pretty much do anything they want.

I would STRONGLY suggest that you enable the Open Firmware password on your system. That way you are required to enter a password just to boot the system (regardless of what OS you have installed on it).
posted by melorama at 7:06 PM on August 26, 2007


First, there's this web page, second, these lists, lists2 (not likely comprehensive), and finally, what you want to do is run Activity Monitor, and see if you recognize a keylogger name in the list of processes.
posted by birdsquared at 7:15 PM on August 26, 2007


I'm pretty sure that even if you have your Mac automatically log in when you reboot, you still have to type the user password (or the admin password) when you install applications.
posted by bshort at 7:22 PM on August 26, 2007


compose an email like this:

dorothy, i think you're incredibly hot. what we did the other night, i've never felt anything like that before. you're way too good for my idiot roommate. i am so looking forward to seeing you tomorrow night, ten o'clock, at...

[select location carefully. you'll want a higher vantage point for when roomie comes nosing around after reading this, you can dump a bucket of dogshit on him]

and just unplug the phone line before you hit send. the keylogger won't know the box is offline.
posted by bruce at 7:33 PM on August 26, 2007


I'm pretty sure that even if you have your Mac automatically log in when you reboot, you still have to type the user password (or the admin password) when you install applications.

Yes, but if his account has Admin privileges, he could easily create his own new account (also with admin privileges), hide the new account from the login window and always have a way to install programs on the machine, regardless of who the current account is logged in as. And since the auto-login bypasses the login window in the first place, the OP wouldn't be any the wiser, unless he knew exactly what to look for.
posted by melorama at 7:49 PM on August 26, 2007
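
The two checks melorama describes (a keylogger loaded as a kernel extension, and an extra admin account hidden from the login window) can be run from Terminal instead of watching a verbose boot. This is an added example, not part of the thread; it generalizes the "logKext" check to any non-Apple kernel extension, and the sample inputs, the `com.example.logKext` bundle ID and the `support` account are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). All sample inputs below are constructed.

# Print names of loaded kernel extensions whose bundle ID is not Apple's.
# stdin: text in the layout printed by `kextstat` (the name is column 6).
third_party_kexts() {
    awk 'NR > 1 && $6 != "" && $6 !~ /^com\.apple\./ { print $6 }'
}

# Print admin-group members that are not in the expected list.
# $1: space-separated account names you know about; stdin: output of
# `dscl . -read /Groups/admin GroupMembership`.
unexpected_admins() {
    expected=" $1 "
    sed 's/^GroupMembership:[[:space:]]*//' | tr -s ' ' '\n' |
    while read -r user; do
        [ -n "$user" ] || continue
        case "$expected" in
            *" $user "*) ;;          # known account, ignore
            *) echo "$user" ;;       # admin you did not create
        esac
    done
}

# Constructed kextstat-style sample; com.example.logKext is a placeholder ID.
SAMPLE_KEXTS='Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1    1 0x0        0x0        0x0        com.apple.kernel (8.10.1)
   12    0 0x5a1000   0x3000     0x2000     com.apple.driver.AppleSMC (1.0.1) <6 5 4 2>
   97    0 0x9f2000   0x5000     0x4000     com.example.logKext (2.2) <11 6 5 2>'

# Constructed dscl-style sample; "support" stands in for a hidden account.
SAMPLE_ADMINS='GroupMembership: root anonymous support'

echo "Non-Apple kernel extensions:"
printf '%s\n' "$SAMPLE_KEXTS" | third_party_kexts
echo "Admin accounts you did not create:"
printf '%s\n' "$SAMPLE_ADMINS" | unexpected_admins "root anonymous"

# On the Mac itself, feed the real commands in instead:
#   kextstat | third_party_kexts
#   dscl . -read /Groups/admin GroupMembership | unexpected_admins "root yourname"
```

Non-Apple kernel extensions are often legitimate drivers, so each hit is something to look up rather than proof of a keylogger, and an extension can carry any name its author chooses.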


Following Bruce's line of thinking, but differing: if he is spying on you do not let him know that you know. You have the upper hand here. I wish someone would (sloppily) spy on me so that I could concoct and execute a plan to deal with it. I hope you typed this question from a different computer.
posted by hampton at 9:07 PM on August 26, 2007


Open the Terminal application, type: top and hit return. This will give you a list of all the applications that are currently running. Do a google search for anything you don't recognize to see what it might be.
posted by willnot at 9:10 PM on August 26, 2007


Friendly advice. Make sure you have an admin password your roommate does not know. As you may have discovered, one needs to know the admin pw to install darn near anything on a Mac. Then, set things up so it wants your password to log in at all. As for choosing a pw, I recommend one with both numbers and letters that you will remember but it is unlikely that someone else could guess. Your favorite food plus the middle two numbers of your SSN, maybe. Or your high school mascot and your girlfriend's birthday. You remember that, right? Oh, ooops! ;-)

Otherwise, willnot and the deej and melorama have good advice. The good news is that keyloggers and other malicious software are rare (not nonexistent, just rare) for the Macintosh. If you want to get to know OSX better and don't have money to spend, here's Google Book's rendition of David Pogue's book
posted by ilsa at 9:40 PM on August 26, 2007


willnot's advice is a bit easier if you use Activity Monitor which is in your Utilities Folder.
posted by filmgeek at 10:38 PM on August 26, 2007


Go on the offensive.. install a keylogger (Try Spector Pro) and review his activity afterwards?
posted by TravellingDen at 11:40 PM on August 26, 2007


Open the Terminal application, type: top and hit return. This will give you a list of all the applications that are currently running. Do a google search for anything you don't recognize to see what it might be.

Top will only let you see what the size of your Terminal window will show you. You want this command:

ps -auxc
posted by secret about box at 3:13 AM on August 27, 2007


Just hope that there aren't any keyloggers named "DashboardClient".
posted by secret about box at 3:15 AM on August 27, 2007


Put some text file in a prominent place, with a tantalizing filename. Contents: "FUCK YOU, STOP POKING AROUND MY SHIT."
posted by Xere at 3:20 AM on August 27, 2007


make him his own guest account where he can't access your shits

This is not effective if he can boot the machine from another volume.
posted by oaf at 5:00 AM on August 31, 2007

