Re: Gnome-terminal: secure keyboard?




> From: Dax Kelson <dkelson@inconnect.com>
> Date: Thu, 3 Jun 1999 14:26:06 -0600 (MDT)
> To: Jim Gettys <jg@pa.dec.com>
> Cc: David Coe <david.coe@someotherplace.org>,
>         Miguel de Icaza <miguel@nuclecu.unam.mx>, gnome-list@gnome.org,
>         recipient list not shown:;@pa.dec.com;
> Subject: Re: Gnome-terminal: secure keyboard?
> -----
> Jim Gettys said once upon a time (Thu, 3 Jun 1999):
> 
> > >                                 - Jim
> > > Jim, I'm not sure you're talking about the same thing I was
> > > talking about, but I may be wrong.
> > >
> > > In xterm, when you set 'secure keyboard' (in the
> > > CTRL-leftbutton menu), no other X app can
> > > receive keystrokes until you set it back to normal.  It's
> > > used when entering plaintext passwords, etc. so that rogue
> > > apps can't snoop on what you're typing, I believe.  Xterm
> > > swaps the foreground and background colors to remind the
> > > user s/he's in that mode.
> >
> > You are right: I'm talking about something slightly different, that
> > a terminal emulator should not trust any event that has the "send event"
> > flag set, or it is prone to attack by someone trying to get control
> > of your machine (which is why that flag is in the protocol in the first
> > place).
> > 			- Jim
> 
> That breaks stuff like Xvoice which is a voice recognition dictation app
> that uses the IBM Linux ViaVoice SDK.  It sends synthetic xevents to apps.
> 
>

Xvoice should be fixed, ASAP...  There are several X extensions for
synthesizing input: XTEST is the most appropriate, and is widely
deployed...

This is what Bob Scheifler's a2x program that uses DragonDictate uses
for input; SendEvent is the wrong mechanism.
See: http://www.cl.cam.ac.uk/a2x-voice/ for a2x and code which
synthesizes input properly for speech recognition...

Not ignoring keyboard input in particular that has been sent by SendEvent
is a major security problem....

				- Jim
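
The check discussed in this thread, as an added example that is not part of the original messages or of any terminal emulator's code: in the X11 core protocol the top bit of an event's code byte marks it as generated by SendEvent (Xlib exposes the same bit as the `send_event` field of the event structure), and the input path drops key events that carry it. The function names `classify_event` and `filter_keys` and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define X_EVENT_SIZE     32     /* every core event is 32 bytes on the wire */
#define X_SEND_EVENT_BIT 0x80   /* set in byte 0 if SendEvent generated it  */
#define X_KEY_PRESS      2
#define X_KEY_RELEASE    3

enum verdict { PASS_THROUGH, ACCEPT_KEY, DROP_SYNTHETIC_KEY };

/* Classify one wire event the way a terminal emulator's input path should. */
enum verdict classify_event(const uint8_t *ev)
{
    uint8_t code = ev[0] & 0x7F;
    int synthetic = (ev[0] & X_SEND_EVENT_BIT) != 0;

    if (code != X_KEY_PRESS && code != X_KEY_RELEASE)
        return PASS_THROUGH;                 /* not keyboard input */
    return synthetic ? DROP_SYNTHETIC_KEY : ACCEPT_KEY;
}

/* Copy keycodes (byte 1) of trusted KeyPress events into out (capacity cap).
 * Returns the number of synthetic key events dropped; *n_out receives the
 * number of keycodes stored. A trailing partial event is ignored. */
size_t filter_keys(const uint8_t *buf, size_t len,
                   uint8_t *out, size_t cap, size_t *n_out)
{
    size_t dropped = 0, n = 0;
    for (size_t off = 0; off + X_EVENT_SIZE <= len; off += X_EVENT_SIZE) {
        const uint8_t *ev = buf + off;
        enum verdict v = classify_event(ev);
        if (v == DROP_SYNTHETIC_KEY)
            dropped++;
        else if (v == ACCEPT_KEY && ev[0] == X_KEY_PRESS && n < cap)
            out[n++] = ev[1];
    }
    *n_out = n;
    return dropped;
}

int main(void)
{
    /* Constructed sample: real press, SendEvent press, real release. */
    uint8_t buf[3 * X_EVENT_SIZE] = {0};
    buf[0]  = X_KEY_PRESS;                     buf[1]  = 38;
    buf[32] = X_KEY_PRESS | X_SEND_EVENT_BIT;  buf[33] = 40;
    buf[64] = X_KEY_RELEASE;                   buf[65] = 38;
    uint8_t keys[8]; size_t n;
    size_t dropped = filter_keys(buf, sizeof buf, keys, sizeof keys, &n);
    printf("accepted=%zu dropped=%zu\n", n, dropped);
    return 0;
}
```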



