X2Go Bug report logs - #354
Make x2goagent listening to TCP connections configurable in x2goserver.conf

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Fri, 6 Dec 2013 11:33:02 UTC

Severity: wishlist

Tags: pending

Fixed in version 4.0.1.10

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Message #71 received at 354@bugs.x2go.org (full text, mbox, reply):

Received: (at 354) by bugs.x2go.org; 8 Dec 2013 19:35:03 +0000
From newsgroups.mail2@stefanbaur.de  Sun Dec  8 20:35:02 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,
	SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.8])
	by ymir (Postfix) with ESMTP id 7639E5DB1E
	for <354@bugs.x2go.org>; Sun,  8 Dec 2013 20:35:02 +0100 (CET)
Received: from [192.168.0.3] (HSI-KBW-149-172-200-27.hsi13.kabel-badenwuerttemberg.de [149.172.200.27])
	by mrelayeu.kundenserver.de (node=mreu0) with ESMTP (Nemesis)
	id 0MN8wu-1VwLqG1NRw-007SGO; Sun, 08 Dec 2013 20:35:00 +0100
Message-ID: <52A4C9F2.5090904@stefanbaur.de>
Date: Sun, 08 Dec 2013 20:35:14 +0100
From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Nick Ingegneri <n_ingegneri@yahoo.com>, 
 "354@bugs.x2go.org" <354@bugs.x2go.org>
Subject: Things you should know about X (was: Re: [X2Go-Dev] Bug#354: Bug#354:
 Make x2goagent listening to TCP connections configurable in x2goserver.conf)
References: <20131206112155.Horde.SbfwdHK-kyPj8MElQt3mrQ1@mail.das-netzwerkteam.de> <52A1BBAE.90909@stefanbaur.de> <20131206120625.Horde.SkFUuwsrCrkJ3OMw64wKaA1@mail.das-netzwerkteam.de> <52A1C089.3090709@stefanbaur.de> <1386351855.74486.YahooMailNeo@web122101.mail.ne1.yahoo.com> <52A21285.7090407@stefanbaur.de> <20131206195600.GA26961@cip.informatik.uni-erlangen.de> <20131207204759.Horde.ykUqekidzsjvppwa3ypAiQ7@mail.das-netzwerkteam.de> <52A39369.8050408@stefanbaur.de> <20131207215054.Horde.bR0h7aVrFSgs8VMWz2Sp2g2@mail.das-netzwerkteam.de> <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com>
In-Reply-To: <1386515582.31556.YahooMailNeo@web122106.mail.ne1.yahoo.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V02:K0:t51pxeHomEecRkJMd5HXC8vCeup7DXN8zyJQ9JUqNXL
 j+YHVpKT1hIhkOFQUfpvf/kjPcPhcJAOP+YiNVdVayfJ0zYtbd
 5ClOqfw9uB7azFzIghFY/P9LEU0WeDJRzhyxjssHVQLXzLYwPT
 TVgaoxC0ODUE0gWsHx4jdXMdfmroPtfudp9ukrYjwv4diG8T3m
 iZyMGxrfky//pd7c7PbK9czeWJ3ukrUXL666VG/q7VcQyI7+SX
 otpVpD2JYIk56av4W8Vr8r3jOcK+433RBJHTGAK9FU3zHx8+Ao
 hc4ogQJriivylmdhgokGkdtl1DItPRNFCdECBsFWEPRRhOqlbX
 275ickV16ASvw4XZGK8exyQ3CPG28xPzk7DCkmc2x
Am 08.12.2013 16:13, schrieb Nick Ingegneri:
> I think that because I used "xhost +" in my original debugging example,
> the assumption was immediately made that "xhost +" was my primary
> concern. My primary concern is that disabling TCP breaks almost every
> possible use model except for one narrow case (ssh). Among other things,
> it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid
> concerns regarding use of TCP on the internet, we have a different
> hierarchy of concerns regarding what happens on our internal network.

[long blahblah snipped]

If you believe Xauth Cookies alone will protect you from nastiness, 
think again:
http://www.hackinglinuxexposed.com/articles/20040608.html - "Abusing X11 
for fun and passwords."

All the nastiness shown in that write-up works *with* .Xauthority in place.
And this was published in 2004, so every script kiddie, every 
pimple-faced youth among your trainees, every disgruntled employee knows 
about this. (And so does the NSA.)

Seriously, I've been in the IT Security business for quite a few years 
*ahem ahem* - and the real enemy usually isn't some obscure Chinese 
hacker, it's an employee, either a lazy and careless one or a malicious 
one that has been turned over by a competitor. So do not trust anyone 
and anything on your network. Encrypt even your internal traffic.
I've even seen reports of power plugs with surge protectors containing 
Network sniffers. So the spying device has unlimited power supply and 
sits right in your network, logging all your traffic and sending it out 
either via innocuous http requests or via a seperate WiFi network.

And please, do not fool yourself into thinking "but we don't have 
anything to hide". Yes, you have. We all have. Unless you see "1984" as 
an instruction manual.

-Stefan


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:11:41 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.