Subject: Re: Network thingies not working
To: None <port-arm32@NetBSD.ORG>
From: Robert Black <r.black@ic.ac.uk>
List: port-arm32
Date: 06/18/1996 17:38:07
On Jun 18,  2:24pm, Ale Terlevich wrote:
> Subject: Re: Network thingies not working
>
>
> On Tue, 18 Jun 1996, Robert Black wrote:
>
> > Note you should not use this as standard practice when connected to the
> > internet. Doing so is roughly equivalent to having no password on any of the
> > accounts you access between typing xhost + and when you kill your X server. The
> > reason for this is that xhost + switches off authentication allowing anyone to
> > start an arbitrary X client on your screen. Such a client could be invisible
> > but record all keypresses (including ones which aren't echoed - i.e. passwords)
> > and could also insert things into your keyboard buffer. Note that
> > authentication only takes place when the client starts so typing xhost - at a
> > later time does not make things secure. There are scanners used by crackers
> > which are known to detect this particular hole and I personally know of at
> > least two cases where it has been used to crack a machine (one was a demon
> > account). With this caveat xhost + is useful for debugging.
> >
>
>   On the subject of security, will XArm have MIT magic cookie
> authentication in the future so that we don't have to use xhost at all?

Try switching it on... I was under the impression it worked, but I don't have
much occasion to use it. It certainly has been working in some previous
incarnations.

>   After all xhost isn't all that secure!

This is true.

I have now got my hands on some non-US XDM-AUTHORIZATION-1 code which is DES
based and a lot better all round. This will appear RSN, honest ;-)

Cheers

Rob

--
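The two points made above, that an X server checks credentials only once, inside the client's initial connection setup request, and that "xhost +" makes that check a no-op for every client that connects while it is in force, can be seen in a small model of the server-side decision. The following is an added example for this thread, not code from XArm or the X Consortium: it builds and parses the real X11 connection setup request layout (byte order, protocol 11.0, authorization name and data), and a toy server that applies either host-based access control or an MIT-MAGIC-COOKIE-1 comparison. The cookie value and the `XServerAccessControl` class are constructed for illustration.

```python
import hmac
import os
import struct
from typing import Tuple

# Layout of the X11 connection setup request (X Window System Protocol):
#   byte-order ('l' little-endian / 'B' big-endian), 1 pad byte,
#   protocol major (2), protocol minor (2),
#   n = length of authorization-protocol-name (2),
#   d = length of authorization-protocol-data (2), 2 pad bytes,
#   then the name and the data, each padded to a multiple of 4 bytes.
MIT_MAGIC_COOKIE_1 = b"MIT-MAGIC-COOKIE-1"
HEADER_LEN = 12


def _pad4(data: bytes) -> bytes:
    """Pad to a multiple of four bytes, as the X protocol requires."""
    return data + b"\0" * ((4 - len(data) % 4) % 4)


def build_setup_request(auth_name: bytes, auth_data: bytes) -> bytes:
    """Client side: the only message in which authorization data is ever sent."""
    header = struct.pack("<cxHHHHxx", b"l", 11, 0, len(auth_name), len(auth_data))
    return header + _pad4(auth_name) + _pad4(auth_data)


def parse_setup_request(buf: bytes) -> Tuple[bytes, bytes]:
    """Server side: recover (auth_name, auth_data) from a setup request."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated setup request")
    endian = {b"l": "<", b"B": ">"}[buf[0:1]]
    _, major, _minor, n, d = struct.unpack_from(endian + "cxHHHHxx", buf)
    if major != 11:
        raise ValueError("not an X11 setup request")
    name_off = HEADER_LEN
    data_off = name_off + ((n + 3) // 4) * 4
    if len(buf) < data_off + d:
        raise ValueError("truncated authorization data")
    return buf[name_off:name_off + n], buf[data_off:data_off + d]


class XServerAccessControl:
    """Toy model (constructed for this example) of the accept/reject decision."""

    def __init__(self, cookie: bytes):
        self.cookie = cookie            # what the server reads from its authority file
        self.host_access_open = False   # True models the state after "xhost +"
        self.connections = []           # accepted clients; never re-checked later

    def xhost_plus(self) -> None:
        self.host_access_open = True

    def xhost_minus(self) -> None:
        self.host_access_open = False

    def connect(self, request: bytes) -> bool:
        """Authentication happens here, once; an accepted client stays accepted."""
        if self.host_access_open:
            accepted = True             # access control off: no credentials needed
        else:
            name, data = parse_setup_request(request)
            accepted = (name == MIT_MAGIC_COOKIE_1
                        and hmac.compare_digest(data, self.cookie))
        if accepted:
            self.connections.append(request)
        return accepted


def xhost_window_demo() -> dict:
    """Walk through the window between "xhost +" and "xhost -"."""
    server = XServerAccessControl(cookie=os.urandom(16))   # constructed cookie
    stranger = build_setup_request(b"", b"")               # no credentials at all
    results = {}
    results["stranger_before"] = server.connect(stranger)  # rejected
    server.xhost_plus()
    results["stranger_during"] = server.connect(stranger)  # accepted, no cookie
    server.xhost_minus()
    results["stranger_after"] = server.connect(stranger)   # new attempt rejected
    results["still_connected"] = len(server.connections)   # earlier client remains
    owner = build_setup_request(MIT_MAGIC_COOKIE_1, server.cookie)
    results["owner"] = server.connect(owner)               # cookie holder accepted
    return results


if __name__ == "__main__":
    for key, value in xhost_window_demo().items():
        print(f"{key}: {value}")
```

The model shows why "xhost -" after the fact changes nothing for a client that already connected: the decision is recorded once in `connections` and the server has no later step at which it could re-evaluate it. It also shows what the cookie scheme buys: with access control on, a client must present the exact cookie in its setup request, and the comparison is done with `hmac.compare_digest` so the check does not leak timing information.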