From: "Perry E. Metzger" <perry@piermont.com>
Date: Tue, 26 Sep 95 17:27:37 PDT
To: Vincent Cate <vince@offshore.com.ai>
Subject: Re: real randomness for netscape - user clicking mouse
In-Reply-To: <Pine.3.89.9509261538.C922-0100000@offshore.com.ai>
Message-ID: <199509270005.UAA16643@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Vincent Cate writes:
> While it is true that on some versions of X you can watch mouse events on
> other peoples computers, it is also true that on some versions you can
> watch keyboard input.

On my secure systems, when a machine running X has to be on an
insecure network, I compile the X server so that it physically lacks
the ability to speak to the network -- it does all its IPC via unix
domain sockets. However, you are correct that most people don't take
precautions like I do.

> At CMU Bennet Yee wrote a program to get peoples
> passwords as they typed them in using X's poor/non-existent security back
> then.  This was before xauth. 

Xauth isn't secure, as folks have shown.

> I still think that the low bits of the mouses X and Y positions as the
> user moves the mouse around the screen are a very good source of random
> bits for Netscape.

Agreed.

Perry