Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Phishers Using Keystroke Loggers 388

Eh-Wire writes "Keystroke loggers are rapidly becoming the lure of choice for phishers. Their advantage is that they compromise information long before the information has a chance to be encrypted. "
This discussion has been archived. No new comments can be posted.

Phishers Using Keystroke Loggers

Comments Filter:
  • Challenge (Score:5, Interesting)

    by fembots ( 753724 ) on Thursday May 05, 2005 @04:41PM (#12445383) Homepage
    Will this work against keyloggers?

    When using online banking (or anything online really), once you have entered your login correctly, the site displays a graphical challenge derived from one of your personal details, such as address, phone, birthday etc., and you use your mouse to choose the correct one and proceed.

    I guess this is similar to the additional 3/4 digits at the back of a credit card.
    • Re:Challenge (Score:2, Insightful)

      by blogtim ( 804206 )
      That's not a bad idea, though if they can log keystrokes, they can certainly log mouse movements. The problem with computer security is that everything is digitized. Even an eye scan or a fingerprint gets digitized at some point. That datastream can be captured and replayed.
      • Re:Challenge (Score:5, Insightful)

        The trick is that the web site would use the WinZip trick; the elements would be placed in random locations; after all, it's the data they need; the placement of the form elements doesn't really matter. If the phisher tried to re-create the mouse movements at a later date, they'd have a very low chance of clicking on the same radio button.
        • Re:Challenge (Score:3, Insightful)

          by gsasha ( 550394 )
          It doesn't really matter. They'll just try and click a random button. They'll succeed in 1/100, 1/1000 of tries, who cares? That's enough to have a successful phishing operation.
          Consider the current scams running through spam e-mail. The response rates from the users are miniscule, but the volumes are so large and their expenses are so low that they still stay profitable.
          And you cannot make a graphical interaction with the user complex enough to make a random guess succeed in less than, say, 1/1000 of c
      • Re:Challenge (Score:3, Interesting)

        by nkh ( 750837 )
        Logging the movement of the mouse may be too difficult to implement. In the end it's always HTTP requests sent to the server. What I would do is write a server that the key logger could connect to, the key logger would send the URL of the site being visited and the server would answer with the proper protocol to follow. The server would have a database of all the banking web sites and if a web site is missing in the DB, the phisher would add it manually to the DB. The captcha could be cracked on the local m
    • Re:Challenge (Score:4, Informative)

      by Saven Marek ( 739395 ) on Thursday May 05, 2005 @04:45PM (#12445428)
      well many of the hishers dont hack accounts with automated tools so they have your account details and then they go enter them manually and put in the graphical challenge result themselves so they can do what they want from there.

      Also most of these graphical challenges are still a limited number of preset images that are simply cycled around so its easy to detect which is which by file hashes and things like that. Not many sites generate their own live graphical challenge images.
    • I imagine it would change a bit from machine to machine, but it would be a neat idea to use a password that looked simular to what the keylogger would show for mouse data. So as long as you don't hit enter, you could confuse the phisher by making them think that you never typed a password, but moved the mouse around.

      I know I know, this is security by obscurity, but maybe this idea will spark some others that would work even better.
    • How about hardware based encryption built into the keyboard itself?
    • This is like something that was tried a while ago using graphical passwords.

      The system sends a list of images (people's faces) to the user and the user chooses one. The benefits of this are: 1) People remembeer faces better than passwords. Don't forget their password during a vacation. 2) An face is very easy to recognise, but very hard to describe. This makes it very difficult to steal or give away the password (on purpose, under duress or by mistake [including phishing]).

    • Re:Challenge (Score:5, Informative)

      by flosofl ( 626809 ) on Thursday May 05, 2005 @05:27PM (#12445889) Homepage
      When using online banking (or anything online really), once you have entered your login correctly, the site displays a graphical challenge derived from one of your personal details, such as address, phone, birthday etc., and you use your mouse to choose the correct one and proceed.

      I work for a large European bank (I work in the US, however) in IT security - specifically with authentication systems. On the surface that seems like a decent idea - but it's flawed. Let's say you present 8 images of birthdates (1 real - the rest bogus info) randomly placed each time. Someone trying to break in (who has the username/password) now has only a 1 in 8 chance of brute-forcing the second challenge. Also, if you randomly change the false images, you can do a frequency analysis because the right answer always has to be presented. If you present more images to muddy the waters, you make it more difficult and annoying for the customer (hell 8 images might do that).

      If the account has a lock-out policy, it may take a couple days for the attacker to get in this way (because he keeps locking it and you keep unlocking it), but so what? I'd be willing to spend a couple minutes a day over a week to get potential access to a couple thousand dollars. Plus if you get suspicious about the fact your account keeps locking and change the password, it doesn't matter - he has a keylogger remember?

      Really, the only real way (other than having a pristine and secure home system) to avoid this is to have the banking/financial sites use two factor authentication. Either a OTP token, a challenge response token or a USB Smart Card with a bank issued x.509v3 certificate on it. Europe uses these methods (at least our European customers do). The only reason the USA banks don't is becuase of the "convienience" factor the customers expect. They'd leave the bank in droves if you "complicated" personal banking (we already use two-factor for wholesale/corporate banking)

      • Re:Challenge (Score:3, Insightful)

        Don't be so quick to judge customers about this convenience crap. I have complained to my bank that their site isn't as secure as it should be, nor is the basic use of credit cards even remotely as secure as it should be.

        Why not give the customers the option of using a high security interface over the normal one? That way the people who dont' care about taking it up the ass can, and the people who do are covered too.

        Personally, I use a password keeper. I never type my passwords...ever. They are genera
      • Re:Challenge (Score:3, Interesting)

        if you randomly change the false images, you can do a frequency analysis because the right answer always has to be presented.

        Why is that? You could have a none of the above option.

      • Re:Challenge (Score:4, Interesting)

        by cmstremi ( 206046 ) on Thursday May 05, 2005 @06:31PM (#12446445) Homepage
        There's a bigger problem my old bank (in the US - Wells Fargo) needs to fix, in my opinion. When setting your password, they only allow letters and numerals. No 'special' characters (such as $, &, * }, `, etc.) This is a retarded limitation only because of lazy programming and it hurts my ability to choose a good password.

        When I asked them about this through their web support, they said that the money in the bank is insured so I shouldn't worry about it.

        What crap reasoning. It's hard to picture a bank with such a lazy system taking any extra steps to help their customers stay safe and secure.
    • by NigelJohnstone ( 242811 ) on Thursday May 05, 2005 @06:42PM (#12446537)
      SabadellAtlantico already has a fix similar to this.

      You enter a pin number to confirm. It says 'enter number 37 from your magic numbers card'.

      You enter it by clicking on a keypad. The location of the numbers on the keys change randomly each time. (I think they are images, but I've only seen it used so I'm not sure)

      So even if they record it with a keylogger, they are not sure what the pin number is and anyway next time it will be a different pin number.

    • Here's a question for you;

      To avoid keystroke loggers, is it possible for Firefox to contain its own keyboard handler? I don't know if this is possible in windows or not, I remember doing this back in ms-dos days. Just directly override the interrupt and read from the port.

      So, what would be cool, is if firefox had a "secure keyboard" toggle, which when turned on, disables the OS's keyboard handler and turns on its own. Is this feasible?
    • Re:Challenge (Score:4, Interesting)

      by biglig2 ( 89374 ) on Thursday May 05, 2005 @07:15PM (#12446846) Homepage Journal
      My online bank does exactly this; you have to enter a PIN using the mouse. Fiddly, but worthwhile I think...
  • Scramble your keys (Score:4, Interesting)

    by qewl ( 671495 ) on Thursday May 05, 2005 @04:43PM (#12445407)
    If you're on a PC that you suspect may contain logging equipment or trojans or anything similar, you can alawys avoid accurate keystroke logging by typing part of a password per se, and the then clicking the other side(s) to type in the rest. That way typing is scrambled. Loggers can usually record the arrow keys, but not mouse clicks.
    • by Himring ( 646324 )
      If you're on a PC that you suspect may contain logging equipment or trojans or anything similar, you can alawys avoid accurate keystroke logging by typing part of a password per se, and the then clicking the other side(s) to type in the rest. That way typing is scrambled. Loggers can usually record the arrow keys, but not mouse clicks.

      ahh, my asplode....

      Clicking the other side of what? My experience with key loggers is that they are inescapable. If you touch the key and send the signal the character
      • I think the parent poster meant to click in different parts of the password field *using the mouse*.

        Granted, not ideal, but will help against trivial keyloggers.
      • by Anonymous Coward on Thursday May 05, 2005 @04:54PM (#12445553)
        He means like if your password is password, type 'sswo' then click the front of that and type 'pa' and then click the other side and type 'rd' A keystroke logger alone can not catch that, a screen monitoring program would also be needed (which do exist), but a hacker would likely not expect that and therefore bother.
        • Why wouldn't a software keystroke logger simply hook the "focus-change" message and read the text in the control at that point? No amount of funny typing tricks would get you past that keylogger.

          • Why wouldn't a software keystroke logger simply hook the "focus-change" message

            A 'focus-change' message does not come out through the keyboard, and therefore is not logged. The best a keystroke logger can do toward a shift change is like /0K or /0M or similar for the arrow keys. I've played around with a few for fun.
      • by zulux ( 112259 ) on Thursday May 05, 2005 @05:00PM (#12445620) Homepage Journal
        Clicking the other side of what?

        He means like this:

        1) type in 'word'
        2) move the pointer (caret) to the left 'w'.
        3) Finish typing 'pass' - you now have 'password' but the keylogger recorded 'wordpass'

    • by slam smith ( 61863 ) on Thursday May 05, 2005 @04:53PM (#12445545) Homepage
      Maybe if you suspect it has trojans, keyloggers etc, you should clean/reinstall the machine before you using it for sensitive work.
    • by Anonymous Coward
      Maybe it's time for keyboards to wrap their keystrokes in a secure layer like ssh. Seems basic enough to have a generic secure input usb device like there are generic usb input devices now. Would that work? Would the kernel need to provide password hashes to programs instead of plain text passwords? This might be a way to thwart the FBI keystroke loggers. But we would need a way to verify our kernel every time we ran. Some sort of trusted computing . . . .
    • If you don't trust the computer, then use a card sized linux distribution [inside-security.de] to boot the computer. If you can't boot the computer, then wait until you find a secure terminal.

    • Good idea.

      Enter some characters in the password field. Then use the mouse to erase some of those characters. Then put the cursor in a different position than it was originally, and enter some more characters.

      ALL banks should be required by law to use randomly presented images in a challenge-response system.

      It's a pity that the only things that can be done now in the U.S. government involve paying some politician, so needed changes aren't made.
  • Talented (Score:2, Insightful)

    "These are talented people doing bad things," said Cluley. "It's a shame they can't put all that expertise to a better use than stealing money."

    The reason they are doing "bad things" is because they can't get a job in the first place.
    • Re:Talented (Score:3, Insightful)

      by pv2b ( 231846 )
      The reason they are doing "bad things" is because they can't get a job in the first place.

      Not necessarily. It could just be that phishing might just pay more than doing an honest job.
    • Re:Talented (Score:4, Insightful)

      by Avyakata ( 825132 ) on Thursday May 05, 2005 @04:48PM (#12445478) Homepage Journal
      That's not necessarily true...some people do "bad things" simply because they get pleasure from doing it. Maybe the enjoy the challenge?

      Plus, if they have enough skill to phish efficiently and successfully, then they can probably get a job somewehere.
      • Most of the people I've known who were even mildly suited personality-wise to this kind of stuff were not exactly the kind of people willing to accept a job 'somewhere.' Idealists, perfectionists, assholes, whatever, they were crippled socially in a way that kept them from fitting into most of the things people consider 'jobs.'

        They hate sitting in the cube, and all they want for eight hours is out. So they don't do it.

        They've got other talents anyways.
    • The reason they are doing "bad things" is because they can't get a job in the first place.

      Tell that to the people two doors down from me - they're dealing drugs while the local McDonald's is has a 'help wanted' sign. Go figure. The kicker - these bums are also on welfare.

      Some people would rather scheme and steak $1 instead of making $10 honestly.

      • Re:Talented (Score:4, Informative)

        by Hoi Polloi ( 522990 ) on Thursday May 05, 2005 @05:01PM (#12445630) Journal
        I think if you are going to compare drug dealing to McDonalds it is probably a case of preferring to make $100 illegally than to make $1 legally.
        • Doubt it. You have to be pretty high up to be making that kind of money. Also, you're not factoring in time spent in jail.
        • I think if you are going to compare drug dealing to McDonalds it is probably a case of preferring to make $100 illegally than to make $1 legally.

          After you deduct what they snort up their nose, have to pay their pimp, and what have you - their lifestyle sucks. Shitty cars, beatup section 8 housing, bastard children running around, cops looking for them, health problems, never been to europe, skanky infected women, no teeth, cheap rims, can't read, government cheese. No dignity.

          Drug dealing is it's own wo
          • their lifestyle sucks... never been to europe...

            And, as we all know, the average McDork manages to summer on the continent at least once every few years.
    • If parent's reasoning is correct, then we have an out for all crimes. "I became a burglar because I could pick locks but there are no locksmithing jobs." Bullshit mate!

      Criminals, particularly skilled and intelligent ones, don't just turn to crime to keep from starving. They do it for the rush or because they find regular work boring etc.

      At the end of the day, there is no real difference between phishers than pick-pockets, except that phishers are cowardly and do things remotely (and so avoid - mostly - get

    • by gosand ( 234100 ) on Thursday May 05, 2005 @05:24PM (#12445860)
      The reason they are doing "bad things" is because they can't get a job in the first place.

      Exactly. I saw this guy the other day on the street with a sign that said "Will Phish for food."

  • by coupland ( 160334 ) * <[dchase] [at] [hotmail.com]> on Thursday May 05, 2005 @04:45PM (#12445424) Journal
    This isn't a problem for me, I rearrange all the keycaps on my keyboard to protect myself. ^_^
    • Hey, me too. My QWERTY keyboard looks like a RIYOUP keyboard. Might not prevent keyloggers, but it bugs the hell out of anyone who sits down here and doesn't know how to touch type.
    • This isn't a problem for me, I rearrange all the keycaps on my keyboard to protect myself.

      I still like to do the 'switch the N and M keys' trick to annoy people who can't touch type.

      It's very amusing to see that there are a few people who completely lose their cool when they can't figure out how to type .com
    • This isn't a problem for me either. The phishers will be scratching their heads when they get back the sniffer log from my computer which only contains thousands of copies of the line 'All work and no play makes Jack a dull boy'.
  • by WillAffleckUW ( 858324 ) on Thursday May 05, 2005 @04:45PM (#12445437) Homepage Journal
    "Keystroke loggers are rapidly becoming the lure of choice for phishers.

    If we just take away the Wood on the Internets, the Loggers will go home. And then they'll stop phishing for Newbs ...

  • by SteelV ( 839704 ) on Thursday May 05, 2005 @04:46PM (#12445442)
    I've been worried about this for quite some time. I know how easy it is for someone to put a small device between the keyboard and the computer, and no one would notice it in most cases (such as at a public library, university campus, or any other place where the computers themselves are accessible and used by the general population). And even if you check the rear of the machine, it's also possible that it's been compromised by a software keylogger that is much more difficult to detect.

    I find myself, when on public machines, typing extra characters in my passwords and then using the mouse to highlight them and type over them. This makes my passwords (which are already random letters/numbers) seem longer than they really are with gibberish if they are logged as keystrokes. Unfortunately, some software keyloggers can detect exactly what the input into forms are -- this does not help with that. It is also quite a hassle, but what can I say? I'm a bit paranoid (but, I believe, right so).

    Keylogging is the easiest way to get people's information. The only solution I see is to ensure all public machines are much more secure from the user's end, and to actually have the machine itself inaccessible (i.e. locked in a drawer, etc.). I guess the only 'perfect' solution (if there is one) would be to use a keyboard that is projected from an inaccessible area, so that it cannot be tampered with whatsoever.

    Nothing's perfect, but we can do better than we're doing in public locations!

    • by RPoet ( 20693 )
      Have you considered using one-time passwords? SSH can be set up with this. It's a hassle to carry around a list of passwords, but it's definitely safer than typing your password at any old public system.
  • Yeah... (Score:2, Redundant)

    by Vthornheart ( 745224 )
    And in other news, apparently experts have come to the conclusion that the Earth is *not* flat as was previously expected, but rather it forms some sort of spherical shape. More on this news as it develops.
  • by Jailbrekr ( 73837 )
    keylogging has been around for some time, in fact I'm sure many posters here have writen their own rudimentary keyloggers at highschool just for shits and giggles. I fail to see why this is news worthy. Pretty soon they'll be talking about how these "phishers" are exploiting javascript vulnerabilities. Oh wait.....

    Phishers are virus writers with a financial motive, nothing more. In fact, most virus writers these days are financially motivated (like setting up zombie networks for extortion attempts). Why di
  • Well what if I physically rearrange the keys on my keyboard? Will that work?
    • Changing them and changing the layout in software too would defeat a hardware keylogger, at least until they run it through their table of keyboard layouts (there aren't too many). Might defeat loggers built into the keyboard drivers, which are the most insidious kind, too.
  • Informative Link (Score:4, Informative)

    by TripMaster Monkey ( 862126 ) * on Thursday May 05, 2005 @04:47PM (#12445463)

    In the interest of stimulating more informed discussion, the results of the Anti-Phishing Working Group survey can be found here [earthlink.net].
  • Pharmers (Score:3, Informative)

    by Virtual Karma ( 862416 ) on Thursday May 05, 2005 @04:47PM (#12445464) Homepage
    The new word for them is Pharmers. Read about it here [blogspot.com]
  • by Anonymous Coward
    Windows Trusted Keyboard(tm) Technology allows complete safety from keyloggers. By converting each key into an XML string to be passed via a SOAP along with domain or .NET Passport credentials... you can be completely safe from mean hackers and black-head script kiddos.
  • by Anonymous Coward on Thursday May 05, 2005 @04:48PM (#12445479)
    Whoever wrote the article obviously didn't understand what he was writing about. The keylogger phenomenon has nothing to do with phishing.

    dictionary.com entry
    Main Entry: phishing
    Definition: the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords [...]

    You can install a keylogger to steal someone's passwords, credit card numbers, etc but calling it a trojan horse or a browser/email client exploit would be much more appropriate.
  • Here's an Idea... (Score:2, Insightful)

    by megarich ( 773968 )
    Don't do any online banking....period! I'm too paranoid, anything that involves my direct bank accounts I do in person. I still do CC orders over the interet since at least with cc you can report fradulent charges and have them erased.

    I was disappointed reading the article. I was hoping they would go into more technical details like how these programs work, and how to detect some of them. As some pointed out already, the article just merely states the obvious, people using whatever tehcniques they ca

  • by swb ( 14022 ) on Thursday May 05, 2005 @04:51PM (#12445517)
    How about we not waste law enforcement [usdoj.gov] efforts on pointless enforcement efforts that will get nowhere and instead focus those efforts on internet-based crimes, such as the fraud/theft rings behind spam, phishing and other activities?
  • Klingon.

    If you are cheap, and can't afford a Klingon Keyboard, then just use klingon phrases and throughout your work and play. How are phishers supposed to know that "Bocktagh Massacre" is your username, or that "I eat raw Kitblagh." is your bank's password?

    So, until the keyloggers come with screenscrapers, I figure I'm safe no matter what computer I'm sitting at.
  • Easy Fix (Score:2, Insightful)

    by Usaflt2003 ( 881612 )
    A couple of easy ways to avoid this:

    1. Don't use public access terminals for your important transactions.

    2. Don't let you home computer become infected with tons of malware.

    3. Go back to snailmail and telephones for those transactions... ok not a great solution but a logger can't get your bank password if your sending checks to pay your bills, reading paper statements and calling the bank for your balance.
  • Secure keyboards (Score:5, Interesting)

    by ndogg ( 158021 ) <<the.rhorn> <at> <gmail.com>> on Thursday May 05, 2005 @04:54PM (#12445549) Homepage Journal
    I think it's time we started seeing encrypted keyboards, particularly if they're coupled with flash drives. With USB so abundant, finding a place to plug in shouldn't be too much of a hassle. The keyboard could contain the private key, and the flash drive would contain the public key, and the decryption would take place on the application level (e.g. PuTTy).
  • the last few days have seen some pretty lame stories being accepted, that's for sure.
  • by Second_Derivative ( 257815 ) on Thursday May 05, 2005 @04:59PM (#12445613)
    They're a UK bank that works soley over the telephone and, lately, over the internet (they're partnered with HSBC for brick-and-mortar operations such as paying in cheques). Over the phone they ask you for random letters out of your password, and they've taken the same approach with online passwords, eg:

    if my password is "spaghetti bolognese", it might request three letters out of that, say "pgg". It's still vulnerable to man-in-the-middle but keylogging alone is of limited use.

    Which makes me wonder why they don't just do man in the middle trojans which trigger off against known online banking domains...
  • Inigo Montoya: You keep using that word. I do not think it means what you think it means.

    Lure is more synonymous with "bait". Crappy email messages are the bait. The use of keyloggers as a tool is more the trap than a lure.

  • by pg110404 ( 836120 ) on Thursday May 05, 2005 @05:04PM (#12445658)
    Their advantage is that they compromise information long before the information has a chance to be encrypted.

    Ultimately how identity information is revealed aside, is this a phishing attempt or a mining attempt?

    Phishing has traditionally been initiated by a cleverly socially engineered email or some form of communication, redirecting the unsuspecting user to a counterfeit site designed to harvest that information. Like putting a worm on a hook and dropping it in the water, you hope for someone to nibble at it.

    Mining on the other hand is like picking away at the ground, in this case undetected, hoping to find that cache of gold. There's no guarantee that you'll even find anything, and once keylogging software is installed on the victim's PC, there is no user interaction with it. There is no social engineering to be done.

    So therefore, wouldn't keylogging really be more mining than phishing? Or should I stop wasting my time on /. and forget about symantics?
    • by SuperKendall ( 25149 ) * on Thursday May 05, 2005 @05:13PM (#12445742)
      Although you have a really good point abou this being mining, they could also be installing the loggers and then right away taking the user to the real bank page to have them log in - so it would still be more fishing than mining as they would know they data was going to be there right away. Then they might even abandon the logger after that.

      I don't know if they do that though, it just seems like something they would do...
  • The solution is quite simple: Require more than a simple password.

    Since remote access to bank accounts became possible, somewhere in the late eighties, every financial institution did use more than a password for authentification. Either a one time password pad or challenge/response procedure is used. This might have to do with Swiss paranoia, but I think it as an absolute necessity.

    Why oh why do US banks think they can get away with a simple, cheap password ?


  • Rapidly becoming? (Score:4, Interesting)

    by Servo ( 9177 ) <dstringf@ g m a i l . c om> on Thursday May 05, 2005 @05:15PM (#12445757) Journal
    Back in the day when phishing on AOL was completely "normal", keystroke loggers were the #1 way to go. Everybody and their brother was using it. That was 10 years ago... why do people think this is new?
  • In the 90 comments here before I started typing this, I saw no mention of one truly effective tool: A Firewall. Make sure that the one you use logs all communication attempts in AND OUT, by app, process and port - keyloggers are no good unless they can report your data to the crooks who are planning to use it. Blocking the app is usually a simple matter of a whitelist of accessible sites and/or network enabled apps - by default, the app won't be able to report your data. Of course, any user smart enough
  • Why don't you enter part of the password by copying characters from a part of a screen? My bank (LloydsTSB [lloydstsb.co.uk]) has one of those features (although you select from dropdown boxes) after the main login screen.
  • Phising is the act of sending someone an email which tricks them into visiting a phony website and entering personal details. Once you stop doing that, and just start sending out malicious trojans, you're no longer a phisher, you're just a jerk.

    This is sort of like saying "Muggers are starting to steal credit card numbers online, and are using them to commit a mugging by buying things with them".
  • Since they throw out bunches of these thing all pointed at a single ip, how difficult would it be to fill that site up with junk data. I use sygate on my windoze side and it tells me where it's trying to send the data. If we filled up their files with wrong data then they would waste time trying to break into accounts that don't exist and tip off the targets.
  • Boot from Knoppix (or any live CD you like), do your fancy secret banking, reboot, and play games in Windows or whatever BSD you are using.
  • SMS authentication (Score:3, Interesting)

    by Anonymous Coward on Thursday May 05, 2005 @05:39PM (#12445998)
    The National Australia Bank uses SMS for 2ndary authentication. When payment or transfer is made the bank issues a once-off SMS password for that transaction to a registered/authorised phone.

"An organization dries up if you don't challenge it with growth." -- Mark Shepherd, former President and CEO of Texas Instruments