[Konsole-devel] [Bug 68742] Information leak of keystrokes.

Hugo van Galen hugo at homebaze.net
Sat Nov 22 12:21:00 UTC 2003


------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
     
http://bugs.kde.org/show_bug.cgi?id=68742     




------- Additional Comments From hugo at homebaze.net  2003-11-22 13:20 -------
Subject: Re:  Information leak of keystrokes.

I am sure of that because,

- This behavior does not happen on my normal console, without X being 
run. No matter if I telnet or SSH, my keystrokes are not there.
- I've eliminated X windows as a cause, because I have not seen the 
keystrokes I do in my IRC client or mail client & browser.

In the meanwhile friends of mine and I have performed some tests on 
other machines, and I have also noted that this same behavior seems to 
happen in xterm and gnome-terminal, so I was thinking maybe this bug 
lies in the way the stdin and stdout are piped from the `real' shell 
process that runs to the graphical one. But that is still no reason to 
step back from this issue.

I totally see the logic that my commands are there because of my history 
buffer or because it has to be drawn on the screen, but I mean, I'm even 
seeing the typos I am making.

Even if it is in fact an internal kernel buffer, or because of 
memory not being cleared after you are done with it, the flaw lies in 
the way it is used. It seems to me there can be a workaround implemented 
for this.

I am a paranoid computer user, and in regards to security and privacy I 
am not at all impressed with this behavior, and this issue seriously 
deters me from using these programs. I was very happy with all of 
Konsole's features, until this.

Users' privacy must be protected. No matter how you look at it, root has 
no business with their keystrokes.

And wouldn't it be cool that you can say in the ChangeLog that you've 
solved a major privacy issue, fixing an information leak that the other 
terminal emulation programs still suffer from, which can have serious 
security implications? :)

PS: Sorry for the HTML embedded message earlier.

Waldo Bastian wrote:

>------- You are receiving this mail because: -------
>You reported the bug, or are watching the reporter.
>     
>http://bugs.kde.org/show_bug.cgi?id=68742     
>
>
>
>
>------- Additional Comments From bastian at kde.org  2003-11-22 12:37 -------
>What makes you think that the memory where these keystrokes appear is part of Konsole and not an internal kernel buffer, for example the one associated with stdin of the ssh process?
>  
>


