Subject: Re: Network thingies not working
To: None <port-arm32@NetBSD.ORG>
From: Ale Terlevich <A.I.Terlevich@DURHAM.AC.UK>
List: port-arm32
Date: 06/18/1996 14:24:04

On Tue, 18 Jun 1996, Robert Black wrote:

> Note you should not use this as standard practice when connected to the
> internet. Doing so is roughly equivalent to having no password on any of the
> accounts you access between typing xhost + and when you kill your X server. The
> reason for this is that xhost + switches off authentication allowing anyone to
> start an arbitrary X client on your screen. Such a client could be invisible
> but record all keypresses (including ones which aren't echoed - ie passwords)
> and could also insert things into your keyboard buffer. Note that
> authentication only takes place when the client starts so typing xhost - at a
> later time does not make things secure. There are scanners used by crackers
> which are known to detect this particular hole and I personally know of at
> least two cases where it has been used to crack a machine (one was a demon
> account). With this caveat xhost + is useful for debugging.
> 

  On the subject of security, will XArm have MIT magic cookie
authentication in the future so that we don't have to use xhost at all?

  After all xhost isn't all that secure!

Ale.
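
Added example, not part of either message above: a shell check that classifies the text printed by `xhost` (run with no arguments), so a display left in the `xhost +` state can be spotted. The function name `xhost_status` and the sample outputs are constructed for illustration; the host names are placeholders.

```shell
#!/bin/sh
# Classify the output of `xhost` (no arguments) for one display.
# Prints one of:
#   open             access control is off (the `xhost +` state)
#   host-list N      access control on, but N whole hosts are trusted
#   no-host-entries  access control on, no host-wide entries listed
#   unknown          first line was not recognised
xhost_status() {
    printf '%s\n' "$1" | awk '
        NR == 1 {
            if ($0 ~ /^access control disabled/)      state = "open"
            else if ($0 ~ /^access control enabled/)  state = "enabled"
            else                                      state = "unknown"
            next
        }
        /^[ \t]*$/   { next }      # skip blank lines
        $0 !~ /^SI:/ { hosts++ }   # SI: entries name a user, not a whole host
        END {
            if (state == "open")                      print "open"
            else if (state == "enabled" && hosts > 0) print "host-list " hosts
            else if (state == "enabled")              print "no-host-entries"
            else                                      print "unknown"
        }'
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_HOSTS='access control enabled, only authorized clients can connect
INET:build1.example.org
INET:build2.example.org
SI:localuser:alice'
SAMPLE_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Live use on your own display:  xhost_status "$(xhost)"
# An "open" result covers only the present moment: as the quoted message
# notes, clients are checked when they connect, so running `xhost -`
# afterwards does not remove a client that attached while it was open.
```

A `host-list` result still trusts every user on the listed machines, which is the weakness the reply points at when it asks for cookie authentication instead.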