Re: Gnome-terminal: secure keyboard?
- From: jg pa dec com (Jim Gettys)
- To: Dax Kelson <dkelson inconnect com>
- Cc: Jim Gettys <jg pa dec com>, David Coe <david coe someotherplace org>, Miguel de Icaza <miguel nuclecu unam mx>, gnome-list gnome org
- Subject: Re: Gnome-terminal: secure keyboard?
- Date: Thu, 3 Jun 1999 14:27:30 -0700
> From: Dax Kelson <dkelson@inconnect.com>
> Date: Thu, 3 Jun 1999 14:26:06 -0600 (MDT)
> To: Jim Gettys <jg@pa.dec.com>
> Cc: David Coe <david.coe@someotherplace.org>,
> Miguel de Icaza <miguel@nuclecu.unam.mx>, gnome-list@gnome.org,
> recipient list not shown:;@pa.dec.com;
> Subject: Re: Gnome-terminal: secure keyboard?
> -----
> Jim Gettys said once upon a time (Thu, 3 Jun 1999):
>
> > > - Jim
> > > Jim, I'm not sure you're talking about the same thing I was
> > > talking about, but I may be wrong.
> > >
> > > In xterm, when you set 'secure keyboard' (in the
> > > CTRL-leftbutton menu), no other X app can
> > > receive keystrokes until you set it back to normal. It's
> > > used when entering plaintext passwords, etc. so that rogue
> > > apps can't snoop on what you're typing, I believe. Xterm
> > > swaps the foreground and background colors to remind the
> > > user s/he's in that mode.
> >
> > You are right: I'm talking about something slightly different, that
> > a terminal emulator should not trust any event that has the "send event"
> > flag set, or it is prone to attack by someone trying to get control
> > of your machine (which is why that flag is in the protocol in the first
> > place).
> > - Jim
>
> That breaks stuff like Xvoice which is a voice recognition dictation app
> that uses the IBM Linux ViaVoice SDK. It sends synthetic xevents to apps.
>
>
Xvoice should be fixed, ASAP... There are several X extensions for
synthesizing input: XTEST is the most appropriate, and is widely
deployed...
This is what Bob Scheifler's a2x program that uses DragonDictate uses
for input; SendEvent is the wrong mechanism.
See: http://www.cl.cam.ac.uk/a2x-voice/ for a2x and code which
synthesizes input properly for speech recognition...
Not ignoring keyboard input in particular that has been sent by SendEvent
is a major security problem....
- Jim
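
The check discussed in this message, as an added example that is not part of the original e-mail: in the X11 core protocol the top bit of an event's code byte marks delivery via SendEvent (Xlib exposes it as the `send_event` field), so a terminal emulator can drop key events that carry it. The function names and the sample events below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* X11 core protocol: every event is 32 bytes on the wire; byte 0 is the
 * event code, and its top bit is set when the event came from SendEvent. */
#define X_EVENT_SIZE     32
#define SENT_EVENT_BIT   0x80u
#define EV_KEY_PRESS     2
#define EV_KEY_RELEASE   3

/* Returns 1 if the event is keyboard input injected by another client. */
int is_synthetic_key(const uint8_t ev[X_EVENT_SIZE])
{
    uint8_t type = ev[0] & (uint8_t)~SENT_EVENT_BIT;
    return (ev[0] & SENT_EVENT_BIT) &&
           (type == EV_KEY_PRESS || type == EV_KEY_RELEASE);
}

/* Copies trusted events from in[] to out[] and counts the dropped ones.
 * Returns the number of events kept. */
size_t filter_events(const uint8_t in[][X_EVENT_SIZE], size_t n,
                     uint8_t out[][X_EVENT_SIZE], size_t *dropped)
{
    size_t kept = 0;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_synthetic_key(in[i])) { (*dropped)++; continue; }
        for (size_t b = 0; b < X_EVENT_SIZE; b++) out[kept][b] = in[i][b];
        kept++;
    }
    return kept;
}

/* Constructed sample: byte 0 = event code, byte 1 = keycode (detail). */
static const uint8_t sample[4][X_EVENT_SIZE] = {
    { 2,    38 },   /* KeyPress generated by the server (real keyboard) */
    { 0x82, 38 },   /* KeyPress delivered via SendEvent */
    { 0x83, 38 },   /* KeyRelease delivered via SendEvent */
    { 0xA1, 0  },   /* ClientMessage (33) via SendEvent: not key input */
};

int main(void)
{
    uint8_t out[4][X_EVENT_SIZE];
    size_t dropped, kept = filter_events(sample, 4, out, &dropped);
    printf("kept=%zu dropped=%zu\n", kept, dropped);
    return 0;
}
```

The filter is limited to key events because ClientMessage events normally arrive through SendEvent and must still be processed.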