Re: X keyboard sniffing
der Mouse (mouseCollatz.McRCIM.McGill.EDU)
Fri, 24 Feb 1995 11:01:48 -0500
- Maybe in reply to: Paul Howell: "X keyboard sniffing"
> Sorry if I'm late to this subject, but I had a light bulb go off
> recently WRT X keyboard sniffing and I was hoping one of you might be
> able to help.

> I've known about 'xkey' and the like for several years now, and have
> a pretty good understanding of host vs. user based authentication as
> it relates to the X server.

Um, I thought there was no user-based authentication, only host-based or magic-value-based.

> I had believed that X keyboard sniffing was made slightly harder by
> the obscurity of programs like 'xkey'.

It probably is, "slightly" being the operative word.

> But to my amazement, I found that [...] 'xwininfo' and 'xev' can be
> used to sniff keystrokes, [...].

> But is there anything else I can do, short of removing 'xev' that
> would make sense?

Even removing xev won't help much, because the worst attacks come from far away, from hosts you have no control over.

> So is there anything I can do?

Use something more closely approximating real authentication. Leave your host access list empty, and use xauth-style authentication. Or use a front-end a la xc and let it do the authentication; this has the advantage that it can also monitor. Cheswick and Bellovin argue against this, on the grounds that it makes the front-end program more complex and buggier...but any monitoring is better than none, is my point of view.

der Mouse
mousecollatz.mcrcim.mcgill.edu
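
The "leave your host access list empty" advice above, turned into a check. This is an added example, not part of the original message: a shell function that reads `xhost` output on stdin and flags disabled access control or any host list entry. The two sample outputs and their host names are constructed.

```shell
#!/bin/sh
# Added example: audit `xhost` output (stdin) against the advice
# "leave your host access list empty, and use xauth-style authentication".
# Prints one FAIL line per finding; returns 0 if clean, 1 otherwise.
audit_xhost() {
    status=0
    seen_header=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "FAIL: access control disabled, any host can connect"
                seen_header=1; status=1 ;;
            "access control enabled"*)
                seen_header=1 ;;
            "")
                ;;  # ignore blank lines
            *)
                # Anything else is a host access list entry: every client
                # on that host is trusted, whoever runs it.
                echo "FAIL: host access list entry: $line"
                status=1 ;;
        esac
    done
    if [ "$seen_header" -eq 0 ]; then
        echo "FAIL: no access control status line found"
        status=1
    fi
    return "$status"
}

# Constructed sample: access control on, empty host list (cookie-only access).
sample_hardened() {
    printf '%s\n' "access control enabled, only authorized clients can connect"
}

# Constructed sample: access control off, two hosts listed.
sample_open() {
    printf '%s\n' "access control disabled, clients can connect from any host" \
        "INET:lab1.example.org" "INET:lab2.example.org"
}

for s in sample_hardened sample_open; do
    echo "== $s"
    "$s" | audit_xhost || echo "-> host-based access is in effect"
done
```

Against a live display, run `xhost | audit_xhost`; `xhost -` turns access control back on and `xhost -hostname` removes a listed host, leaving the `xauth` cookie as the only way in.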