Re: real randomness for netscape - user clicking mouse

[Jiri Baum <jirib@sweeney.cs.monash.edu.au>]

-----BEGIN PGP SIGNED MESSAGE-----

Hello Vincent Cate <vince@offshore.com.ai>
  and cypherpunks@toad.com
  and jsw@neon.netscape.com
 
Vincent Cate <vince@offshore.com.ai> wrote:
[about getting entropy from mouse]
> You must get the random bits from something that nobody else could watch. 
...
> other hand, an attacker would have to have broken the machine to get the
> mouse info
...

Not really... Have you ever been on an X system with host-based
security (as opposed to xauth)? Anyone who has user login rights
to the machine you're on (*) can just telnet in and open windows
on your screen, blink the leds on your keyboard, install
fonts, confine the mouse to a given screen area, etc.

I understand that normally they can get a copy of every
X event you get (and filter them), but I've never tried...

(*) More accurately, any of the machines you can run X programs from.

Mouse events might not be as secret as we would like...

Jiri
- --
If you want an answer, please mail to <jirib@cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMGYpmyxV6mvvBgf5AQFkxwQAif9RTKJRW9IhZxd1zp4kmEdHbf4IkdMX
OgEhgeMf6d9+iyTnwZJjR/YvSOsonueKHxR+gmQWotf5r9Y7FmLCFLxw8U0F5AF3
wUjQtqnTlWEU5jt57bn3KZFs5EFqdKKAgj9J7qLlflKd2Bm0mAXK4S8mWIP2U7xu
Sl5UbU3KcqE=
=zlW+
-----END PGP SIGNATURE-----