> Sorry if I'm late to this subject, but I had a light bulb go off
> recently WRT X keyboard sniffing and I was hoping one of you might be
> able to help.

> I've known about 'xkey' and the like for several years now, and have
> a pretty good understanding of host vs. user based authentication as
> it relates to the X server.

Um, I thought there was no user-based authentication, only host-based
or magic-value-based.

> I had believed that X keyboard sniffing was made slightly harder by
> the obscurity of programs like 'xkey'.

It probably is, "slightly" being the operative word.

> But to my amazement, I found that [...] 'xwininfo' and 'xev' can be
> used to sniff keystrokes, [...].

> But is there anything else I can do, short of removing 'xev' that
> would make sense?

Even removing xev won't help much, because the worst attacks come from
far away, from hosts you have no control over.

> So is there anything I can do?

Use something more closely approximating real authentication. Leave
your host access list empty, and use xauth-style authentication. Or
use a front-end a la xc and let it do the authentication; this has the
advantage that it can also monitor. Cheswick and Bellovin argue
against this, on the grounds that it makes the front-end program more
complex and buggier...but any monitoring is better than none, is my
point of view.

der Mouse
mouse@collatz.mcrcim.mcgill.edu
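
An added example, not part of the original message: a shell function that checks `xhost` output against the advice above to leave the host access list empty. The sample output and host name are constructed, and the status-line wording is assumed to match what the installed `xhost` prints.

```shell
# Audit xhost output read from stdin.
# Passes (returns 0) only if access control is enabled AND no access
# list entries follow the status line, i.e. clients must authenticate
# with an xauth-style magic value instead of by host.
audit_xhost() {
    rc=0
    seen_status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "access control disabled"*)
                seen_status=1
                echo "FAIL: access control disabled, any host may connect"
                rc=1 ;;
            "access control enabled"*)
                seen_status=1 ;;
            "")
                ;;  # ignore blank lines
            *)
                # Anything after the status line is an access list entry.
                echo "FAIL: host access list entry: $line"
                rc=1 ;;
        esac
    done
    if [ "$seen_status" -eq 0 ]; then
        echo "FAIL: no access control status line found"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: access control is on, but one remote host is
# still trusted by address alone. On a live display, use instead:
#   xhost | audit_xhost
audit_xhost <<'EOF' || true
access control enabled, only authorized clients can connect
INET:far.example.org
EOF
```
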