You might remember SubSeven, a backdoor doodah for Windows, and it’s associated screenshot grabber. Automate screen capture on each click and you’ve subverted the keypad.

Better, only capture screenshots of the current canvas, and then only when you’ve checked the title bar for ” Internet | Firefox”. Then, do a little image analysis to check for boxes around the pointer and perform OCR.

Presto, you can use the same pipeline you’ve used before, and save the content of password “clicks” in the keylog, right next to the username.

If you’re a CGD (.pt bank) developer, you get bonus points for hashing usernames and passwords using JavaScript *and* submitting them over SSL. Although I can no longer use Safari’s Keychain-based auto-completion (thereby increasing the chances that my bank password is spotted by a shoulder surfer), at least you’ve ensured that a locally-installed IE-proxy (like Norton’s) can’t see the information.

Trade-offs, I guess. Bad ones, in my not-very-humble opinion.

BTW, IE 6 doesn’t honor “display: block” directly on a link. There are documented hack-arounds, but 1) IE 7 probably broke them, and 2) I don’t even remember the details because I can get away with not caring for Internet Explorer’s users (in the drug-using sense).

BTW, I pay *my* stupidity tax at bet-and-lose.