From newsgroups.mail2@stefanbaur.de  Sun Dec  8 20:35:02 2013
Received: (at 354) by bugs.x2go.org; 8 Dec 2013 19:35:03 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,
	SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.8])
	by ymir (Postfix) with ESMTP id 7639E5DB1E
	for <354@bugs.x2go.org>; Sun,  8 Dec 2013 20:35:02 +0100 (CET)
Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27])
	by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis)
	id 0MN8wu-1VwLqG1NRw-007SGO; Sun, 08 Dec 2013 20:35:00 +0100
Message-ID: <52A4C9F2.5090904@stefanbaur.de>
Date: Sun, 08 Dec 2013 20:35:14 +0100
From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Nick Ingegneri <n_ingegneri@yahoo.com>, 
 "354@bugs.x2go.org" <354@bugs.x2go.org>
Subject: Things you should know about X (was: Re: [X2Go-Dev] Bug#354: Bug#354:
 Make x2goagent listening to TCP connections configurable in x2goserver.conf)
References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com>
In-Reply-To: <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Am 08.12.2013 16:13, schrieb Nick Ingegneri:
> I think that because I used "xhost +" in my original debugging example,
> the assumption was immediately made that "xhost +" was my primary
> concern. My primary concern is that disabling TCP breaks almost every
> possible use model except for one narrow case (ssh). Among other things,
> it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid
> concerns regarding use of TCP on the internet, we have a different
> hierarchy of concerns regarding what happens on our internal network.

[long blahblah snipped]

If you believe Xauth Cookies alone will protect you from nastiness, 
think again:
http://www.hackinglinuxexposed.com/articles/20040608.html - "Abusing X11 
for fun and passwords."

All the nastiness shown in that write-up works *with* .Xauthority in place.
And this was published in 2004, so every script kiddie, every 
pimple-faced youth among your trainees, every disgruntled employee knows 
about this. (And so does the NSA.)

Seriously, I've been in the IT Security business for quite a few years 
*ahem ahem* - and the real enemy usually isn't some obscure Chinese 
hacker, it's an employee, either a lazy and careless one or a malicious 
one that has been turned over by a competitor. So do not trust anyone 
and anything on your network. Encrypt even your internal traffic.
I've even seen reports of power plugs with surge protectors containing 
network sniffers. So the spying device has unlimited power supply and 
sits right in your network, logging all your traffic and sending it out 
either via innocuous http requests or via a separate WiFi network.

And please, do not fool yourself into thinking "but we don't have 
anything to hide". Yes, you have. We all have. Unless you see "1984" as 
an instruction manual.

-Stefan

