In message <20010906223157.4C201EA@proven.weird.com>, Greg A. Woods writes:

>Note also that for keystroke timing to be of any use the attacker likely
>has to have some inside information of events on the target system,
>particularly of the exact moment when the su command was started
>(allowing them to work backwards to when the password prompt was and
>find that in the stream they've sniffed, etc.).

No -- the absence of echo packets is a pretty good indicator of a 
password being typed.  (We distinguish that from a vi or emacs session 
by its length...)

		--Steve Bellovin, http://www.research.att.com/~smb