How can I be sure the AHK is safe?


17 replies to this topic
FLMan
  • Members
  • 1 posts
  • Last active: May 31 2013 04:37 PM
  • Joined: 31 May 2013

If AHK can automate tasks on my computer, what safeguards are baked into AHK so that AHK cannot be hacked into by someone?

 

My fear is that I will end with a program recording my keystrokes without my knowledge that it is being done, or that other spyware will be installed on my computer.

 

I have good internet security, but I will be telling that security that AHK is a safe program so all a hacker needs to do is a script into my computer.

 

Is there a safe practices document or some discussion about the safety of AHK?

 

Sorry if my questions seem naive or lame, I just don't understand how AHK works. I mean it seems like spyware would do something similar to AHK, so why wouldn't you just infect users with AHK installed on their computer for full access?



JadeDragon
  • Members
  • 935 posts
  • Last active: Jun 07 2014 07:40 AM
  • Joined: 18 Jan 2013

You are responsible for your own computer security. If you have doubts about any particular user or program that user should not have free access to your machine and that program should never be installed in it. I've been using AutoHotkey for several years now and have had no trouble with it. But you may want to install a good firewall, one embedded antivirus/rootkit scanner and one or more on-demand anti-virus scanners that you can use to check any files that you download. There is only one absolutely safe way to avoid online hackers -- don't be online when they are. And there is only one way to prevent someone from installing stuff on your machine. Don't give anyone access to it.


Never assume evil intent when simple ignorance will suffice. Ignorance is an eventually curable condition with the right education. Evil intent, however, is another matter entirely. Scripts are much like children. Simple to conceive. Difficult, expensive, and time-consuming to raise. Often do the opposite of what you expect them to. Require frequent  "correction". And once they leave home you can't control them anymore. But you love them anyway.


Jack Dunning
  • Members
  • 217 posts
  • Last active: Nov 11 2015 08:40 PM
  • Joined: 08 Apr 2013

Being Open Source, there are many very capable people who have access to review the source code for AutoHotkey. If there were something nefarious being put in the code they would see it and notify the community. AutoHotkey has been used for many years without any hint of a problem caused by the main installation. The people who control AutoHotkey have demonstrated their reliability. The Open Source community is probably the most trustworthy collection of people in the computer community. I seriously doubt that you would ever see a problem with the main AutoHotkey installation--as long as you download it directly from the AutoHotkey web site.

 

As for scripts that appear to be compiled (EXE) from AutoHotkey, you are at as much risk with those as any other executable that you may download. Know your source. Or even better, download the AHK file, then review and compile it yourself. Since AutoHotkey is so powerful, it is quite possible that people could write scripts that will mess with your Windows computer. Your best bet is to write your own scripts or get them from a source you know you can trust.


I currently do a regular blog for AutoHotkey beginners and have posted a number of AutoHotkey help pages at ComputorEdge.com. As I learn, I pass it on.

 

AutoHotkey scripts and apps for beginners and more ideas.


jethrow
  • Moderators
  • 2854 posts
  • Last active: May 17 2017 01:57 AM
  • Joined: 24 May 2009

JadeDragon & Jack Dunning summed that up well. Let me provide some additional perspectives.

Why would a hacker even hack AHK? Sure, it is probably possible. However, why not hack any other program on your computer - such as the Windows Scripting Engine, which is on every PC? Or just install their own customized spyware that's probably less detectable than AHK?

Concerning AHK itself - as Jack stated - it's open source - and multiple developers have their hand in the pot. Rule of thumb: if you have skeletons in the closet, don't let people snoop around. Best just to lock that door.



Eedis
  • Members
  • 1775 posts
  • Last active: Aug 14 2015 06:33 PM
  • Joined: 12 Jun 2009

JadeDragon, Jack Dunning, and jethrow couldn't have said it any better. I also want to point out that AutoHotkey very often produces false positives on AV software, so be aware of that. This topic, amongst MANY others, goes into detail on that. http://www.autohotke...ive#entry568856


AutoHotkey state, the forum, Poly, and Drainx1. The short story.
I love my wife, my life, my atomic-match; for giving me the greatest gift a man could ask for, such a perfect and beautiful little girl.

tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Oct 13 2016 01:04 AM
  • Joined: 21 Dec 2007

The answer quite simply is you can't. AHK is inherently insecure and the memory is not protected.


Never lose.
WIN or LEARN.

Eedis
  • Members
  • 1775 posts
  • Last active: Aug 14 2015 06:33 PM
  • Joined: 12 Jun 2009

tank.... always got to be harsh father who tells it how it is. :p

 

-Kid falls off of bike and skins knee-

Kid: "Daddy! My knee is bleeding! Will I be okay?"

Dad: "Son, your bloodstream has now been opened to the environment which inherently enables the possibility of pathogens entering your bloodstream. You could get a serious infection in your knee and we will have to amputate your entire leg."

Kid: O.O



fischgeek
  • Moderators
  • 1074 posts
  • Last active: Jul 07 2015 06:27 PM
  • Joined: 20 Apr 2009

lol!



JadeDragon
  • Members
  • 935 posts
  • Last active: Jun 07 2014 07:40 AM
  • Joined: 18 Jan 2013

Gotta love it! Tank is the guy who would tell horrifying ghost stories around the campfire during a camp out and then all the kids would be awake all night listening to the scary sounds outside the tent. Tank, you're incorrigible. Never change that.




tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Oct 13 2016 01:04 AM
  • Joined: 21 Dec 2007

It's not that, but I wanna sleep and it's the youth's turn to watch.



Sjc1000
  • Members
  • 572 posts
  • Last active: Mar 11 2017 11:41 AM
  • Joined: 06 Feb 2012

Just use protection :p 


Also, this may be of use. http://www.autohotke...n-a-script-for/


Sjc1000 - Insert inspirational quote here!

PLEASE find me on the IRC if you have questions. I'm never on the forum anymore.

 


Lexikos
  • Administrators
  • 9844 posts
  • AutoHotkey Foundation
  • Last active:
  • Joined: 17 Oct 2006

> If AHK can automate tasks on my computer, what safeguards are baked into AHK so that AHK cannot be hacked into by someone?

 

Specifically?  None.

 

AutoHotkey itself isn't vulnerable to network attacks, since it doesn't accept network connections unless a script specifically instructs it to.  In that case, what damage a network attack could cause would depend entirely on what that specific script does with its network connection.

 

Like most processes running on your computer, it is vulnerable to other processes running on your computer, but those other processes could just do their damage directly anyway.

 

You are most likely only at risk if you run a script written by someone else, but no more than if you ran any other program.  Less so, since you can read the script and see exactly what it does (or in the event that you don't understand the script, you can choose not to run it).

 

 

> Being Open Source, there are many very capable people who have access to review the source code for AutoHotkey. If there were something nefarious being put in the code they would see it and notify the community.

 

It would be naive to think that any software labelled "open source" is necessarily safe.  If I were putting nefarious code into AutoHotkey, I could simply withhold that part of the source code.  The only way around that is to download the source code, review and compile it yourself.

 

 

> AHK is inherently insecure and the memory is not protected

 

No more or less than any other user-mode process on the computer.
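
Jack Dunning's advice to review the AHK file before compiling it, and Lexikos's point that you can read a script and see exactly what it does, can be supported by a first-pass triage of the source. The following is an added example, not part of the original thread or of AutoHotkey itself: a Python helper that lists the lines of an AutoHotkey v1 script that touch the network, keyboard hooks, process execution, or the registry and files, skipping commented-out code. The names `RISK_PATTERNS` and `triage`, the category grouping, and the sample script are assumptions made for this example.

```python
import re

# Real AutoHotkey v1 commands, functions and directives, grouped by the
# concerns raised in the thread. The grouping and the selection are this
# example's assumptions, not an official or complete list.
RISK_PATTERNS = {
    "network": r"\b(UrlDownloadToFile|WinHttp\.WinHttpRequest|MSXML2\.XMLHTTP)\b",
    "input-capture": r"(#InstallKeybdHook\b|\bInputHook\s*\(|^\s*Input\s*,)",
    "process-exec": r"(^\s*(Run|RunWait)\b|\bDllCall\s*\(|\bComObjCreate\s*\()",
    "registry-or-files": r"^\s*(RegWrite|RegDelete|FileDelete|FileAppend)\b",
}
COMPILED = {cat: re.compile(rx, re.IGNORECASE) for cat, rx in RISK_PATTERNS.items()}

def strip_comment(line):
    # In AHK v1 a semicolon starts a comment at line start or after whitespace.
    return re.sub(r"(^|\s);.*$", "", line).strip()

def triage(script_text):
    """Return (line_no, category, code) for lines a reviewer should read first."""
    findings, in_block = [], False
    for no, raw in enumerate(script_text.splitlines(), 1):
        stripped = raw.strip()
        if in_block:                       # inside /* ... */, nothing executes
            in_block = not stripped.startswith("*/")
            continue
        if stripped.startswith("/*"):
            in_block = True
            continue
        code = strip_comment(raw)
        for cat, rx in COMPILED.items():
            if rx.search(code):
                findings.append((no, cat, code))
    return findings

# Constructed sample script (hypothetical; example.invalid never resolves).
SAMPLE = r"""; constructed sample
#InstallKeybdHook
^j::Send, Hello
/*
Run, notepad.exe
*/
UrlDownloadToFile, https://example.invalid/update.txt, %A_Temp%\update.txt
Run, notepad.exe %A_Temp%\update.txt   ; open what was downloaded
; RegWrite, REG_SZ, HKCU, Software\Example, Key, Value
result := DllCall("GetTickCount")
"""

if __name__ == "__main__":
    for no, cat, code in triage(SAMPLE):
        print(f"line {no:>3}  {cat:<18} {code}")
```

A hit marks a line to read, not a verdict: benign scripts use `Run`, `DllCall` and keyboard hooks all the time, and a compiled EXE still has to be judged like any other executable.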
 



tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Oct 13 2016 01:04 AM
  • Joined: 21 Dec 2007

I was just being dramatic ....



Jack Dunning
  • Members
  • 217 posts
  • Last active: Nov 11 2015 08:40 PM
  • Joined: 08 Apr 2013

@Lexikos:

 

> It would be naive to think that any software labelled "open source" is necessarily safe.  If I were putting nefarious code into AutoHotkey, I could simply withhold that part of the source code.

 

Of course you're right. To a certain degree any trust is based upon naïveté. What I like about Open Source is that people like you who have spent years dedicated to improving the software are not likely to risk their integrity and reputation by committing such an act. It could happen, but the probability is low.




VxE
  • Moderators
  • 3622 posts
  • Last active: Dec 24 2015 02:21 AM
  • Joined: 07 Oct 2006

I won't reiterate other posters' descriptions of exactly what AHK is and how it can be used, but I will address what I see as the misconception behind the OP.

 

> ... so why wouldn't you just infect users with AHK installed on their computer for full access?

 

This "question" smacks of a prejudice against AHK programmers (or programmers in general). My guess is that prejudice comes from a lack of understanding. Lack of understanding can also give rise to unfounded fear.

 

So, to answer your question: AHK's developers and active community members offer their time and effort free of charge for one reason above any other: to help you solve problems.

 

Other reasons may include personal growth, the challenge of difficult problems, or just a desire to give back to the community that helped them. The bottom line is that dubious 'hackers' with nefarious intentions simply aren't attracted to participate in this community.

 

AHK is already a vital component of businesses around the globe. Its gentle learning curve and ROI (time saved vs. time spent learning) make it particularly attractive to business-oriented people who are tech-savvy, but aren't programmers.