Re: [vox-tech] xhost+: Why you should NEVER DO THAT
on Fri, Mar 18, 2005 at 07:54:50AM -0500, Peter Jay Salzman (p@dirac.org) wrote:
> On Fri 18 Mar 05, 2:18 AM, Karsten M. Self <kmself@ix.netcom.com> said:
> > Mark Kim apparently insists on dispersing bad advice regarding use of
> > xhost + to allow remote X11 access.
Pete: no need to quote 384 lines.
> If my firewall blocks tcp/udp ports 6000-6007, can you tell me how my x11
> events can be captured by someone other than my lovely wife and cat?

1. You can never trust cats.
2. Does your network include wireless access?
3. Is your network radiation shielded?
4. Is all your hard-wired network directly visually inspectable?
5. Are foreign systems allowed on the network?

A small home LAN or an airgapped lab / classroom LAN are two of the
conditions under which I'd consider possibly allowing for non-tunneled X
access. That said, on my own, hardwired, single-user, handful-of-nodes
LAN, on the rare cases I do run X apps remotely, I tunnel them.

The history of secure applications development is largely divided into
two groups:

1. Those who anticipate hostile environments, design for scenarios in
   which no two components trust one another, and correctly implement
   failsafe, trust, integrity, and encryption procedures.
2. Those who've been the source of multiple compromises.

Paranoia pays off here. Safe practices pay off. Even those who _are_
paranoid and cautious suffer breakins (the good ones will let you know
that this has happened). The truly frightening are those who deny the
problem exists _and_ fail to recognize a compromise when they see it.
Mark, you listening?
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Why are you so paranoid, Mulder?
Oh, I don't know. Maybe it's because I find it hard to trust anybody.
- Scully & Mulder, The X-Files, Ascension
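
Added example, not part of the original message: a small audit for the two exposures argued over in this thread, namely access control switched off by `xhost +` and an X server listening on TCP ports 6000-6007 on a non-loopback address. The function names are hypothetical; the parsers read `xhost` and `ss -ltn` output on stdin so they can be checked against constructed samples.

```shell
#!/bin/sh
# Added example: defensive check of a workstation's X11 exposure.
# Function names are hypothetical (not from the thread).

# Exit 0 if `xhost` output (stdin) reports access control is off,
# which is the state `xhost +` leaves the display in.
xhost_is_open() {
    grep -q '^access control disabled'
}

# Given `ss -ltn` output (stdin), print "address port" for every listener
# on the ports named in the thread (6000-6007) that is not loopback-only.
x11_tcp_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")            # port follows the last colon
        port = parts[n] + 0
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (port >= 6000 && port <= 6007 && addr !~ /^127\./ && addr != "[::1]")
            print addr, port
    }'
}

# Run both checks against the live system; returns non-zero on any finding.
# Requires DISPLAY to be set for xhost, and the iproute2 `ss` tool.
audit_x11_exposure() {
    findings=0
    if xhost 2>/dev/null | xhost_is_open; then
        echo "WARN: access control disabled on $DISPLAY (xhost +); run 'xhost -'"
        findings=1
    fi
    listeners=$(ss -ltn 2>/dev/null | x11_tcp_listeners)
    if [ -n "$listeners" ]; then
        echo "WARN: X11 reachable over TCP on non-loopback address(es):"
        echo "$listeners"
        findings=1
    fi
    return "$findings"
}
```

A clean result from `audit_x11_exposure` only covers the local display and sockets; it says nothing about who else is on the network segment, which is the point of the questions above.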