Dr. Cohen writes:

> ...I thought I would mention that detecting sniffers from a
> real-world point of view is downright easy in almost all cases.
> ...
> All current (2) programs can be detected by comparing the OS programs
> with their original distribution versions using MD5 or a similar
> cryptographic checksum technique. This has been widely published for
> over 5 years.

I agree with the above to a point. The assumption that you are making is that you have _access_ to the system that has a sniffer installed on it. The vast majority of sniffed sessions that I am aware of have involved sniffers running on machines that the victim doesn't have access to.

Picture a sniffer running on your local Internet service provider's backbone system(s). Anyone connecting into your site using a static password results in that person's password being sniffed - with no requirement for a sniffer to be running on any of the systems within your local domain.

Take a look at a traceroute output from your site to <any other internet site> sometime and see just how many systems and networks your packets traverse that you have absolutely no control or authority over. How would you (legally) detect a sniffer on one of those?

I do agree, however, that it is easy to detect any of the currently observed sniffers on a host that you have access to.

Cheers,

Ken van Wyk