At 11:14 AM 2/4/96 -0500, A. Padgett Peterson, P.E. Information Security wrote:

OTOH, keyboard sniffing software is easy to detect because it must go resident and it must intercept the keystrokes. The fact that no software has bothered to do this does not mean that it cannot be done. The easiest way for such software to act would be to ignore the machine software and when sensitive material is to be passed, to do so via direct port (hardware) access - been a while since I looked at it but AFAIR is around port 60h. (PC type machines)

This would take care of anything sitting on Int 09 or Int 16 since it would be bypassed. Often a problem that looks difficult when viewed as a whole becomes simple once you disassemble it.

Nice try - but the virtual machine model used by intel supports interception of I/O operations. Now one could get into timing how long the I/O takes to detect interception by the memory manager but it would be a royal pain since the keyboard I/O controller latency is rather machine specific. I still think the basic 'if the machine is not secure all bets are off' premis stands. -- John Pettitt email: jpettitt@well.sf.ca.us (home) jpp@software.net (work)