Re: X keyboard sniffing

[mouse () Collatz McRCIM McGill EDU (der Mouse)]

> Sorry if I'm late to this subject, but I had a light bulb go off
> recently WRT X keyboard sniffing and I was hoping one of you might be
> able to help.

> I've known about 'xkey' and the like for several years now, and have
> a pretty good understanding of host vs. user based authentication as
> it relates to the X server.

Um, I thought there was no user-based authentication, only host-based
or magic-value-based.

> I had believed that X keyboard sniffing was made slightly harder by
> the obscurity of programs like 'xkey'.

It probably is, "slightly" being the operative word.

> But to my amazement, I found that [...] 'xwininfo' and 'xev' can be
> used to sniff keystrokes, [...].

> But is there anything else I can do, short of removing 'xev' that
> would make sense?

Even removing xev won't help much, because the worst attacks come from
far away, from hosts you have no control over.

> So is there anything I can do?

Use something more closely approximating real authentication.  Leave
your host access list empty, and use xauth-style authentication.  Or
use a front-end a la xc and let it do the authentication; this has the
advantage that it can also monitor.  Cheswick and Bellovin argue
against this, on the grounds that it make the front-end program more
complex and buggier...but any monitoring is better than none, is my
point of view.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu