From owner-freebsd-security Fri Jun 1 6:56:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 2A51837B423 for ; Fri, 1 Jun 2001 06:56:54 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id PAA58944; Fri, 1 Jun 2001 15:56:48 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Peter C. Lai" Cc: Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) References: <200105312300.f4VN0RD24448@cwsys.cwsent.com> <20010601013041.A32818@area51.dk> <3B16D9C8.2F6CE52E@ursine.com> <00cc01c0eaa2$30bd7ca0$8caa6389@resnet.uconn.edu> From: Dag-Erling Smorgrav Date: 01 Jun 2001 15:56:47 +0200 In-Reply-To: <00cc01c0eaa2$30bd7ca0$8caa6389@resnet.uconn.edu> Message-ID: Lines: 12 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Peter C. Lai" writes: > Barring a trojaned java > runtime that record all keystrokes, how else is using a trusted client > stored on a trusted machine from an untrusted terminal dangerous? I don't need to trojan Java to capture your password. All I need to do is steal your .Xauthority. I'm sure there exist easily available X keyboard capture utilities which even a script kiddie could use. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message