Can the output to a terminal be monitored?

Tue Jun 12 02:31:42 AEST 1990

In article <1990Jun3.011111.1589 at virtech.uucp> cpcahil at virtech.UUCP (Conor P. Cahill) writes:
>In article <270 at demott.COM> kdq at demott.COM (Kevin D. Quitt) writes:
>>    Is there a way that I (as root) can "tap into" a user to monitor
>>terminal activity?  I specifcally would like to do this for the modem line.
>
>Not in software (unless you modify the software running on that port to 
>dump the data to a log file that you tail).  
>
>If what you want to do is to be able to abitrarily "tap" into a data line
>you must do it with hardware.  This can be done in several ways including
>
>
>-- 
>Conor P. Cahill            (703)430-9247        Virtual Technologies, Inc.,
>uunet!virtech!cpcahil                           46030 Manekin Plaza, Suite 160
>                                                Sterling, VA 22170 

There is another way, in software, without the need to adapt the software
running on the modemport, to monitor the terminal communication. This can
be achieved by constantly examining the kernel memory in which the getty
buffers are located. After some experiments, you can figure out where they
are located. Then, you can run a program acting as a spy. These programs
are used by crackers, and it's quite easy for them, since /dev/kmem is
world readable on most unix systems, for this is necessary for commands
like ps, which examines lots of kernels buffers also.

However, you need a lot of performance to avoid missing parts of the
communication via this line, so in practice, this method can only be used
on fast computers that are not heavily loaded, and it costs a great deal of 
CPU time, so i doubt whether it can be of use for monitoring an outgoing line.
Nevertheless, it should still be considered as a security hole, and I 
wonder if it has been fixed in rel. 4.

--
Raymond Nijssen
raymond at ele.tue.nl