Chances are if they can monitor the stream they can inject stuff, do a dsniff attack, other nifty things. The keystroke timing is cool though, and works surprisingly well (i.e. significantly narrowing the search space). Basically it's a lesson that yes, traffic analysis works, and it can be combatted intelligently. Things like putting in a timing loop to OpenSSH and delaying packets till the next 10 or 50 ms interval, for example, so packet timing gets delayed a bit and isn't as informative.

As for guessing passwords: use ssh keys. Chances are if an attacker can get at your keys (i.e. they are your uid, or root's uid) they can also install a keylogger (as root, or as a user set your login profile to start a wrapper shell/etc).

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
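The delay-to-the-next-interval idea mentioned in the message above, as an added sketch that is not OpenSSH code and not part of the original post: it holds each packet until the next 10 or 50 ms boundary and counts how many distinct inter-packet gaps an observer is left with. The function names and the keystroke timestamps are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Time a packet that is ready at t_ms actually leaves when sends are held
 * until the next interval_ms boundary (a packet ready on a boundary is not held). */
long release_time_ms(long t_ms, long interval_ms)
{
    long rem = t_ms % interval_ms;
    return rem == 0 ? t_ms : t_ms + (interval_ms - rem);
}

/* Number of distinct inter-packet gaps an on-path observer sees.
 * interval_ms == 0 means packets leave as soon as they are ready. */
size_t distinct_gaps(const long *ready_ms, size_t n, long interval_ms)
{
    long seen[64];
    size_t nseen = 0;

    for (size_t i = 1; i < n; i++) {
        long a = ready_ms[i - 1], b = ready_ms[i];
        if (interval_ms > 0) {
            a = release_time_ms(a, interval_ms);
            b = release_time_ms(b, interval_ms);
        }
        long gap = b - a;
        size_t j = 0;
        while (j < nseen && seen[j] != gap)
            j++;
        if (j == nseen && nseen < 64)
            seen[nseen++] = gap;
    }
    return nseen;
}

/* Constructed sample: times (ms) at which ten keystroke packets become ready. */
static const long SAMPLE_MS[] = {0, 87, 231, 298, 455, 512, 690, 803, 871, 1049};
#define SAMPLE_N (sizeof SAMPLE_MS / sizeof SAMPLE_MS[0])

int main(void)
{
    const long intervals[] = {0, 10, 50};
    for (size_t i = 0; i < 3; i++)
        printf("interval %2ld ms: %zu distinct gaps\n",
               intervals[i], distinct_gaps(SAMPLE_MS, SAMPLE_N, intervals[i]));
    return 0;
}
```

A coarser interval leaves fewer distinguishable gap values, at the cost of up to one interval of added latency per packet; the timing is coarsened, not hidden.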