Bugtraq mailing list archives
Re: X keyboard sniffing
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Fri, 24 Feb 1995 11:01:48 -0500

> Sorry if I'm late to this subject, but I had a light bulb go off recently WRT X keyboard sniffing and I was hoping one of you might be able to help.
> I've known about 'xkey' and the like for several years now, and have a pretty good understanding of host vs. user based authentication as it relates to the X server.

Um, I thought there was no user-based authentication, only host-based or magic-value-based.

> I had believed that X keyboard sniffing was made slightly harder by the obscurity of programs like 'xkey'.

It probably is, "slightly" being the operative word.

> But to my amazement, I found that [...] 'xwininfo' and 'xev' can be used to sniff keystrokes, [...].
> But is there anything else I can do, short of removing 'xev' that would make sense?

Even removing xev won't help much, because the worst attacks come from far away, from hosts you have no control over.

> So is there anything I can do?

Use something more closely approximating real authentication. Leave your host access list empty, and use xauth-style authentication.

Or use a front-end a la xc and let it do the authentication; this has the advantage that it can also monitor. Cheswick and Bellovin argue against this, on the grounds that it makes the front-end program more complex and buggier...but any monitoring is better than none, is my point of view.

der Mouse
mouse () collatz mcrcim mcgill edu
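
An added example, not part of the original post: a check for the "leave your host access list empty" advice above, run over the output of `xhost`. The function name `audit_xhost`, its verdict labels, and the sample outputs (including the placeholder hostname) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Classifies `xhost` output:
#   OPEN       access control disabled, any host can connect
#   HOSTLIST   access control on, but host-list entries remain
#   COOKIEONLY access control on, host list empty (xauth cookies only)
#   UNKNOWN    input did not look like xhost output
audit_xhost() {
    awk '
        NR == 1 && /^access control disabled/ { state = "OPEN"; next }
        NR == 1 && /^access control enabled/  { state = "ON";   next }
        state != "" && NF > 0 { entries++ }   # each later line is one entry
        END {
            if (state == "")          print "UNKNOWN"
            else if (state == "OPEN") print "OPEN"
            else if (entries > 0)     print "HOSTLIST"
            else                      print "COOKIEONLY"
        }'
}

# Constructed sample outputs (hostname is a placeholder).
sample_open='access control disabled, clients can connect from any host'
sample_hosts='access control enabled, only authorized clients can connect
INET:workstation.example.org'
sample_clean='access control enabled, only authorized clients can connect'

for s in "$sample_open" "$sample_hosts" "$sample_clean"; do
    printf '%s\n' "$s" | audit_xhost
done

# On a live display: xhost | audit_xhost
# `xhost -` turns access control back on; `xhost -NAME` removes one entry.
```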