1996-02-01 - Re: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling)

Header Data

From: futplex@pseudonym.com (Futplex)
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Message Hash: 7562522a2dd244c07179e7e0bd17ee2b6a00bbdb2f42a59d155d0fc459ccaa02
Message ID: <199601300412.XAA23037@opine.cs.umass.edu>
Reply To: <199601300335.WAA20456@dal1820.computek.net>
UTC Datetime: 1996-02-01 17:59:49 UTC
Raw Date: Fri, 2 Feb 1996 01:59:49 +0800

Raw message

From: futplex@pseudonym.com (Futplex)
Date: Fri, 2 Feb 1996 01:59:49 +0800
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Subject: Re: Java Sniffer (Was: Re: FV Announces That The Sky Is Falling)
In-Reply-To: <199601300335.WAA20456@dal1820.computek.net>
Message-ID: <199601300412.XAA23037@opine.cs.umass.edu>
MIME-Version: 1.0
Content-Type: text/plain


(sorry, no discussion of FV or pleasant coffee aromas in this message)

Tim Philp writes:
> I have been wondering about the possibility of using a JAVA applet to do 
> keyboard sniffing. As I am not familiar with this language, does anyone 
> know if this would be possible?

If you are running a broken or Trojan interpreter or class loader, then 
you're probably sunk regardless, because it can execute whatever deleterious 
code it wishes. 
(I say "probably" because I suppose you might have some separate watchdog 
program monitoring the actions of the interpreter. But ultimately that's just
part of an infinite regress: the watchdog could also be compromised, etc. ad

The I/O class libraries don't offer calls anywhere near as deep as the
hardware keyboard interrupts. About all you can do is read a byte or a line
of input, as in any common programming language, but that's different than
surreptitiously reading bits when they are read as input by some other 
program. I don't see how you could build a keyboard sniffer in Java unless 
you could somehow trick the interpreter into feeding an input stream to an
additional process. 

Much more likely, IMHO, than a Java sniffer is a Java Trojan horse that pops 
up an innocuous dialog box and asks you to enter some sensitive piece of
information, then sends it off somewhere. About all it takes to write that is
a modicum of skill in user interface design. You could write it in any 
programming language, but in Java it may be particularly effective, since 
people may come to expect to be prompted for sensitive info over the net by 
Java apps. Maybe the Java folks who just left Sun decided to seize the
opportunity ;>

Futplex <futplex@pseudonym.com>
