> Keylogging I understand fine... What do you mean by followed in?
> Honest question - I thought with a one-time challenge like skey,
> you'd be fairly safe? The man page doesn't mention any such
> risk, nor does the FAQ. I am completely uneducated on skey, as
> I've simply never had a need for it before. So, feel free to break
> out the cluebat and take a swing, Bob. :)
Tty/pty sniffing, and the fact that if I'm root/admin I can do things to your devices that are displaying stuff to you and taking input from you. If I control the machine, I control your process and pty (or equivalent) on the network. I.e., just because I can't get back in with your OTP doesn't mean I can't make it look like the network is unresponsive while I do stuff on your connection that you don't see.

Think about it this way. I used to teach smart kiddies here who logged in to other places from my machines this lesson by grabbing their pty, pasting in something like "NFS server blah not responding. Still trying", then sending mail from their root account to me, cc'ed to them, telling me what an asshole I was and that they wished I would die, they were going to come shave my pets, etc. Then I'd splat back at their pty "NFS server blah OK" and hand them back control of it. Had I wanted to, and they're using OTP, instead of sending mail I could have simply backdoored the machine right there to let me in next time without OTP, or whatever else I'd like to do.

The usual result was an ashen-faced puppy in my office with their jaw flapping within 10 minutes after they saw the email. I'd look annoyed for a minute and then laugh like hell and tell them how I did it. Someone's gotta educate them.

-Bob