bobo@RAPTOR.CRAY.COM (Bob Kierski) (11/11/89)
Recently I wrote a program, "peeping_tom," that demonstrates what I would consider a potentially dangerous security problem with X11. This program simply selects KeyPress events from all of the active windows on a display and prints the LookupString value for each KeyPress event.

The true danger comes when a user performs an action which requires a password because peeping_tom will see every keystroke even if the user doesn't.

I don't have any suggestions as to how this problem can be fixed. I just thought I'd make you aware that the problem exists.

Have a day,
bobo

Bob Kierski
Cray Research, Inc.
1440 Northland Drive
Mendota Heights, MN 55120
Phone: (612)681-3087
Fax: (612)681-3099
Email: bobo@cray.com
rws@EXPO.LCS.MIT.EDU (Bob Scheifler) (11/11/89)
> The true danger comes when a user performs an action which requires a
> password because peeping_tom will see every keystroke even if the user
> doesn't.

Where have you been? There is a "Secure Keyboard" patch to the R3 xterm, distributed as official patch #2, which can at least be used for most normal keyboard entry of passwords.

Our R4 server has provision for access control beyond the default host-based mechanism (you have R4beta, you should give it a try :-). It's far from perfect, far from complete, but it's OK for vanilla environments.