On 08.12.2013 16:13, Nick Ingegneri wrote:
I think that because I used "xhost +" in my original debugging example, the assumption was immediately made that "xhost +" was my primary concern. My primary concern is that disabling TCP breaks almost every possible use model except for one narrow case (ssh). Among other things, it breaks the MIT-MAGIC-COOKIE-1 mechanism. While there are very valid concerns regarding use of TCP on the internet, we have a different hierarchy of concerns regarding what happens on our internal network.
[long blahblah snipped]
If you believe Xauth Cookies alone will protect you from nastiness, think again: http://www.hackinglinuxexposed.com/articles/20040608.html - "Abusing X11 for fun and passwords."
All the nastiness shown in that write-up works *with* .Xauthority in place. And this was published in 2004, so every script kiddie, every pimple-faced youth among your trainees, every disgruntled employee knows about this. (And so does the NSA.)
Seriously, I've been in the IT Security business for quite a few years *ahem ahem* - and the real enemy usually isn't some obscure Chinese hacker, it's an employee, either a lazy and careless one or a malicious one that has been turned over by a competitor. So do not trust anyone and anything on your network. Encrypt even your internal traffic. I've even seen reports of power plugs with surge protectors containing network sniffers. So the spying device has unlimited power supply and sits right in your network, logging all your traffic and sending it out either via innocuous http requests or via a separate WiFi network.
And please, do not fool yourself into thinking "but we don't have anything to hide". Yes, you have. We all have. Unless you see "1984" as an instruction manual.
-Stefan
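As an added example that is not part of this thread (neither Nick's nor Stefan's code), the following Python parses the binary ~/.Xauthority file in which MIT-MAGIC-COOKIE-1 entries live and flags what an administrator would want to review before relying on cookies alone: cookies bound to TCP (Internet-family) addresses, wildcard-family entries, and cookies shorter than the 16 bytes the X server normally generates. The address-family codes come from X11's Xauth.h; the sample bytes are constructed inline.

```python
import struct

# Address-family codes from X11's Xauth.h (FamilyInternet, FamilyLocal, FamilyWild, ...)
FAMILY_NAMES = {0: "Internet", 6: "Internet6", 252: "LocalHost",
                254: "Netname", 256: "Local", 65535: "Wild"}
COOKIE_LEN = 16  # MIT-MAGIC-COOKIE-1 is a 128-bit random bearer value

def _chunk(buf, pos):
    """Read one length-prefixed field (big-endian u16 length, then bytes)."""
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(buf):
    """Parse the .Xauthority record layout: family, address, number, name, data."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack(">H", buf[pos:pos + 2])
        address, pos = _chunk(buf, pos + 2)
        number, pos = _chunk(buf, pos)
        name, pos = _chunk(buf, pos)
        data, pos = _chunk(buf, pos)
        entries.append({"family": family, "address": address,
                        "display": number.decode(), "name": name.decode(), "data": data})
    return entries

def encode_entry(family, address, number, name, data):
    """Inverse of the parser; used here only to build the constructed sample file."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def audit(entries):
    """Return review findings: TCP-reachable or wildcard cookies, and short cookies."""
    findings = []
    for e in entries:
        fam = FAMILY_NAMES.get(e["family"], str(e["family"]))
        where = f"{fam}/{e['address'].hex()}:{e['display']}"
        if e["family"] in (0, 6):
            findings.append(f"{where}: cookie valid for TCP clients; any holder gets full display access")
        if e["family"] == 65535:
            findings.append(f"{where}: wildcard entry, accepted from any address family")
        if e["name"] == "MIT-MAGIC-COOKIE-1" and len(e["data"]) != COOKIE_LEN:
            findings.append(f"{where}: cookie is {len(e['data'])} bytes, expected {COOKIE_LEN}")
    return findings

# Constructed sample: a local entry, a TCP entry for 192.0.2.10 (TEST-NET-1), and a short wildcard cookie
SAMPLE = (encode_entry(256, b"workstation", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + encode_entry(0, bytes([192, 0, 2, 10]), b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16, 32)))
          + encode_entry(65535, b"", b"0", b"MIT-MAGIC-COOKIE-1", b"\x00" * 8))

if __name__ == "__main__":
    for line in audit(parse_xauthority(SAMPLE)):
        print(line)
```

To run it against a real file, replace SAMPLE with `open(os.path.expanduser("~/.Xauthority"), "rb").read()`; note that an entry passing this audit still only proves who may connect, not what a connected client can do with the display.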