{"id":10285,"date":"2014-12-10T15:21:31","date_gmt":"2014-12-10T20:21:31","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=10285"},"modified":"2014-12-10T15:21:31","modified_gmt":"2014-12-10T20:21:31","slug":"insecure-keyboard-entry","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2014\/12\/10\/insecure-keyboard-entry\/","title":{"rendered":"Insecure Keyboard Entry"},"content":{"rendered":"<p><a href=\"http:\/\/bitsplitting.org\/2014\/12\/09\/insecure-keyboard-entry\/\">Daniel Jalkut<\/a>:<\/p>\n<blockquote cite=\"http:\/\/bitsplitting.org\/2014\/12\/09\/insecure-keyboard-entry\/\">\n<p>I&rsquo;ve been running my tool for a few weeks, confident in the knowledge that it will prevent me from accidentally typing my password into a public place. But its aggressive nature has also revealed to me a couple areas that I expected to be secure, but which are not.<\/p>\n<p>[&#8230;]<\/p>\n<p>The nice &ldquo;&#149;&rdquo; is new to Yosemite, I believe. Previously tools such as sudo just blocked typing, leaving a blank space. But in Yosemite I notice the same &ldquo;secure style&rdquo; bullet is displayed in both sudo and ssh, when prompting for a password. To me this implies a sense of enhanced security: clearly, the Terminal <em>knows<\/em> that I am inputting a password here, so I would assume it applies the same care that the rest of the system does when I&rsquo;m entering text into a secure field. But it doesn&rsquo;t.<\/p>\n<p>[&#8230;]<\/p>\n<p>Apple makes a big deal in a <a href=\"https:\/\/developer.apple.com\/library\/mac\/technotes\/tn2150\/_index.html\">technical note about secure input<\/a>, that developers should &ldquo;use secure input fairly.&rdquo; By this they mean to stress that any developer who opts to enable secure input mode (the way Terminal does) should do so in a limited fashion and be very conscientious that it be turned back off again when it&rsquo;s no longer needed. This means that ideally it should be disabled within the developer&rsquo;s own app except for those moments when e.g. a password is being entered, and that it should <em>absolutely<\/em> be enabled again when another app is taking control of the user&rsquo;s typing focus.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Daniel Jalkut: I&rsquo;ve been running my tool for a few weeks, confident in the knowledge that it will prevent me from accidentally typing my password into a public place. But its aggressive nature has also revealed to me a couple areas that I expected to be secure, but which are not. [&#8230;] The nice &ldquo;&#149;&rdquo; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,30,903,48,318],"class_list":["post-10285","post","type-post","status-publish","format-standard","hentry","category-technology","tag-bug","tag-mac","tag-mac-os-x-10-10-yosemite","tag-security","tag-terminal"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=10285"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10285\/revisions"}],"predecessor-version":[{"id":10286,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10285\/revisions\/10286"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=10285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=10285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=10285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}