Security: Absolute Client vetting or trust a remote root?

Mike Mestnik cheako+xorg-devel at mikemestnik.net
Thu Jun 7 19:38:36 PDT 2012


On 06/07/12 21:33, Mike Mestnik wrote:
> On 06/07/12 21:07, Peter Hutterer wrote:
>> On Thu, Jun 07, 2012 at 07:03:25AM -0500, Mike Mestnik wrote:
>>> Hello,
>>>   I just got done slamming, perhaps as a troll, a lwn.net article.  I
>>> may have gone too far and I don't believe you can go too far when it
>>> comes to security.  I'm not the type to give up, you've attached with a
>>> keylogger to my X...  Well now your keylogger is attached to my
>>> sub-server and I'm going to send you about a dozen fortunes, then I'll try
>>> and backhack some arbitrary code your way.  Get off my server or the
>>> hunter will become the hunted.
>>>
>>> What bothers me the most is that I'm finding out about this by reading a
>>> news article.  When did X developers stop caring about clients after
>>> they had connected?  I don't believe that malicious clients can never
>>> connect to an X server or that it would be "absolutely" possible to
>>> prevent malicious clients from connecting.  So why is it that Security
>>> in X has fallen to this level, if it has and this article basically
>>> admits that it has or will?  When did this change occur and why wasn't I
>>> told?
>>>
>>> I hope that at least a handful of you are at least mildly concerned that
>>> X might become an open playground for keyloggers and other malicious
>>> software once a client connection has been authenticated.  Is it really
>>> the intention of the X community to forgo any security post client
>>> authentication?  I hope you can at least understand where I'm coming
>>> from, to have to find out about this in a news article not related to a
>>> change in security.
>>>
>>> In short, I believe that an ounce of prevention is worth a pound of
>>> cure.  Users should fill that ounce with their best effort to try and
>>> keep malicious clients off the X server.  I don't believe that's enough,
>>> there has to be a cure for when this fails.  A great offense that when
>>> combined with the User's defense forms a complete team that's not only
>>> the best, but unbeatable.  I know that if keyloggers are prevented from
>>> reading anything useful that there won't be any keyloggers that break
>>> past X's authentication security.  However I also know that if there is
>>> something to be gained from forging an xauth, that hackers will be
>>> tempted and eventually succeed in penetrating the outer defense.
>>>
>>> Another related issue is that if it is indeed the case where an
>>> authenticated client might have free rein into all user input (where
>>> multi-touch devices are open regardless of the keyboard-focus-lock).
>>
>> the "keyboard focus lock" doesn't work as you think it does. short story:
>> there isn't really any, a malicious app can get around it and this has been
>> the case since approx 1994.
>>
> Is this to be used as an excuse to not have any security?  It sounds
> like that's what you are saying and it's very disturbing, where would
> such an ideology end...  How far would be too far for this to spread?
> This attitude seems like it could very easily be infinitely recursive.
> 
> I reject this concept, it shouldn't be allowed to spread any further.
> 
Not only recursive, but it'll end up being bi-directional as well.  Y
isn't secure because X needs to be secure, X isn't secure because Y
won't ever be secure.  This deadlock shouldn't be allowed to exist,
some chicken or egg needs to be created first...  It doesn't matter
which, however if Y is new, then it should be rejected until it is
secure.  We shouldn't allow new code to be implemented that adds new
security concerns, unless it may fix older ones.

>>> This IMHO would disable (or at least render so insecure it's unthinkable)
>>> the feature of X that allows for remote clients.  I don't think a remote
>>> root should ever be trusted, even if that is you.  The simple matter is
>>> that a remote box could have been powned.
>>>
>>> http://lwn.net/Articles/485484/
>>>
>>> Please join my cause to keep xinput secure, even when malicious clients
>>
>> s/keep/make/ :)
>>
>> Cheers,
>>   Peter
>>
>>> are connected.  Actually I'd be looking for someone with more political
>>> savvy than myself, I know that I'm actually the worst person you want
>>> speaking on your behalf.
>>> Please read some of my comments on the lwn.net forum, I stand by what
>>> I've said.
>>
> 


