This is cool, but seems overly complex. A few friends and I played "capture the ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		subway on Dec 17, 2012 \| parent \| context \| favorite \| on: Linux terminal keylogger in userspace This is cool, but seems overly complex. A few friends and I played "capture the flag" with our personal systems, and a few times passwords were obtained with a simple shell function wrapping sudo. The first time the function ran (based on whether or not the output file in /tmp existed) and 1/5 times after that, it would simply use read -s, and and write the password to the output file. The other 4/5 times it ran, it would simply 'exec /usr/bin/sudo "$@"'. People don't seem to think twice about failing a password auth.

gst on Dec 17, 2012 [–]

I used a very similar approach in the mid-ninties to get full root access to all of our high-school's systems (which was technically not even illegal at this time and place). The output file used a simple single-character XOR obfuscation, to make it a little bit less obvious if someone looked at the log file.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact