Vincent Cate writes:
While it is true that on some versions of X you can watch mouse events on other people's computers, it is also true that on some versions you can watch keyboard input.
On my secure systems, when a machine running X has to be on an insecure network, I compile the X server so that it physically lacks the ability to speak to the network -- it does all its IPC via unix domain sockets. However, you are correct that most people don't take precautions like I do.
At CMU, Bennet Yee wrote a program to get people's passwords as they typed them in using X's poor/non-existent security back then. This was before xauth.
Xauth isn't secure, as folks have shown.
I still think that the low bits of the mouse's X and Y positions as the user moves the mouse around the screen are a very good source of random bits for Netscape.
Agreed.

Perry
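An added example, not part of the original message: one way to audit whether an X server on a Linux host is listening on the network at all, as opposed to using only Unix domain sockets as the reply above describes. It assumes the Linux `/proc/net/tcp` layout on a little-endian host and the X11 convention that display :N listens on TCP port 6000+N; the sample table is constructed, the function names are illustrative, and IPv6 (`/proc/net/tcp6`) is not covered.

```python
import socket
import struct

X11_BASE, X11_MAX_DISPLAYS = 6000, 64   # display :N listens on TCP 6000+N
TCP_LISTEN = "0A"                       # value of the "st" column for LISTEN

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0100007F:1771 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1
   3: 0A00000A:1770 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 20004 1
"""

def decode_addr(field):
    """Turn '0100007F:1771' into ('127.0.0.1', 6001)."""
    ip_hex, port_hex = field.split(":")
    # The kernel prints the IPv4 address as a host-order 32-bit word;
    # packing it little-endian assumes an x86-style host (assumption).
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def x11_tcp_listeners(text):
    """Return listening sockets in the X11 port range, flagging off-host exposure."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue                            # established connections are not listeners
        ip, port = decode_addr(cols[1])
        if X11_BASE <= port < X11_BASE + X11_MAX_DISPLAYS:
            findings.append({
                "display": port - X11_BASE,
                "addr": ip,
                "off_host": not ip.startswith("127."),  # bound beyond loopback
            })
    return findings

if __name__ == "__main__":
    for f in x11_tcp_listeners(SAMPLE):
        scope = "reachable from the network" if f["off_host"] else "loopback only"
        print(f"display :{f['display']} listens on {f['addr']} ({scope})")
```

An empty result is what a server restricted to Unix domain sockets should produce; to check a live host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`.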