[X2Go-Dev] Bug#354: Things you should know about X (was: Re: Bug#354: Bug#354: Make x2goagent listening to TCP connections configurable in x2goserver.conf)

Stefan Baur newsgroups.mail2 at stefanbaur.de
Sun Dec 8 20:35:14 CET 2013


Am 08.12.2013 16:13, schrieb Nick Ingegneri:
> I think that because I used "xhost +" in my original debugging example,
> the assumption was immediately made that "xhost +" was my primary
> concern. My primary concern is that disabling TCP breaks almost every
> possible use model except for one narrow case (ssh). Among other things,
> it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid
> concerns regarding use of TCP on the internet, we have a different
> hierarchy of concerns regarding what happens on our internal network.

[long blahblah snipped]

If you believe Xauth Cookies alone will protect you from nastiness, 
think again:
http://www.hackinglinuxexposed.com/articles/20040608.html - "Abusing X11 
for fun and passwords."

All the nastiness shown in that write-up works *with* .Xauthority in place.
And this was published in 2004, so every script kiddie, every 
pimple-faced youth among your trainees, every disgruntled employee knows 
about this. (And so does the NSA.)

Seriously, I've been in the IT Security business for quite a few years 
*ahem ahem* - and the real enemy usually isn't some obscure Chinese 
hacker, it's an employee, either a lazy and careless one or a malicious 
one that has been turned over by a competitor. So do not trust anyone 
and anything on your network. Encrypt even your internal traffic.
I've even seen reports of power plugs with surge protectors containing 
Network sniffers. So the spying device has unlimited power supply and 
sits right in your network, logging all your traffic and sending it out 
either via innocuous http requests or via a separate WiFi network.

And please, do not fool yourself into thinking "but we don't have 
anything to hide". Yes, you have. We all have. Unless you see "1984" as 
an instruction manual.

-Stefan
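A small audit helper for the two exposures discussed in this thread, added here as an example and not part of X2Go or of either poster's message: an X server listening on TCP (ports 6000-6063, displays :0 to :63) and host-based access control left wide open by "xhost +". It parses the output of `xhost` and `ss -ltn`; the sample lines in the block are constructed, and the live check at the end only runs where both tools exist.

```shell
#!/bin/sh
# Returns 0 if the given `xhost` output reports access control disabled
# (the state "xhost +" leaves behind), 1 otherwise.
xhost_access_control_disabled() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Returns 0 if the given `ss -ltn` output shows a listener on the X11 TCP
# range 6000-6063, 1 otherwise. Column 4 is "Local Address:Port"; the port
# is the last colon-separated field (works for 0.0.0.0:6000, *:6000, [::]:6000).
x_tcp_listener_present() {
    printf '%s\n' "$1" | awk '
        NR > 1 && NF >= 4 {
            n = split($4, a, ":"); port = a[n] + 0
            if (port >= 6000 && port <= 6063) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Combine both checks into a comma-separated finding list, or "ok".
# $1 = xhost output, $2 = ss -ltn output.
audit_x_exposure() {
    findings=""
    if x_tcp_listener_present "$2"; then findings="tcp-listener"; fi
    if xhost_access_control_disabled "$1"; then
        findings="${findings:+$findings,}xhost-open"
    fi
    printf '%s\n' "${findings:-ok}"
}

# Constructed sample output (not captured from a real host).
SAMPLE_XHOST='access control disabled, clients can connect from any host'
SAMPLE_SS="$(printf '%s\n' \
    'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
    'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*' \
    'LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*')"
printf 'sample: %s\n' "$(audit_x_exposure "$SAMPLE_XHOST" "$SAMPLE_SS")"

# Live check of this host, only where the tools are available.
if command -v ss >/dev/null 2>&1 && command -v xhost >/dev/null 2>&1; then
    live_xhost="$(xhost 2>/dev/null || true)"
    live_ss="$(ss -ltn 2>/dev/null || true)"
    printf 'live:   %s\n' "$(audit_x_exposure "$live_xhost" "$live_ss")"
fi
```

Both checks are a local view only; a listener bound to 0.0.0.0 or [::] still needs a firewall rule or the x2goserver.conf setting from this thread to keep it off the wire.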