Berkeley CSUA MOTD:Entry 22378
2001/9/11 [Computer/SW/Security] UID:22378 Activity:very high
9/10    Why does OpenSSH default to "ForwardX11 no"?  Given X11's lack of
        encryption, isn't this the best way to do X11?
        \_ X programs can do more than just open windows on your desktop --
           they can also do things like capture images of your display (as
           xwd does) or intercept the keystrokes you type (as most window
           managers do).

           This means that, while it's safe to telnet to a random machine you
           don't trust -- it can't do anything to your local account -- it's
           *not* safe to ssh with X forwarding to a random machine, since
           that machine could (say) start monitoring the passwords you type
           into other windows.
        \_ Yes, but they believe X11 forwarding should be something you
           request as it can open security holes if you do it wrong.
           \_ So what can I do wrong when using SSH's X11 port forwarding
              that would open a security hole?
                \_ xhost +, which would then allow anyone on the remote machine
                   to snoop everything you type, completely destroying the
                   usefulness of ssh
                   \_ This doesn't make sense. Why would someone who is using
                      ssh want to use xhost at all and if you do "xhost +"
                      it shouldn't matter whether you use ssh or not because
                      either way there is a huge wide open hole at this point.
           \_ fewer things to try to hack.  Period.
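A config-level illustration of the trade-off the thread is arguing about, added here as an example (it is not from the thread and not from the OpenSSH sources). The option that resolves most of the disagreement above, ForwardX11Trusted, did not exist in 2001: it arrived in OpenSSH 3.8 (2004). With it set to "no", the cookie sshd hands the remote side is an X SECURITY-extension "untrusted" cookie, so remote X clients can still open windows but cannot grab the screen the way xwd does or read keystrokes going to trusted windows, which is precisely the attack the first reply describes. "ssh -X" honours that setting; "ssh -Y" asks for a trusted cookie and gives the remote machine the full access the thread warns about. The sample config below is constructed (the hostnames build.example.com and *.lab.example are made up), and the effective_x11 function is a small offline stand-in for "ssh -G host | grep -i forwardx11": it applies OpenSSH's rule that the first obtained value for an option wins, understands Host globs and "!" negation, and ignores Match blocks and the "key=value" spelling.

```sh
#!/bin/sh
# Added example, not part of the CSUA thread or of OpenSSH itself.
# Shows (1) a constructed ssh_config excerpt with the dangerous setting next
# to the safer one and (2) effective_x11, which reports the ForwardX11 and
# ForwardX11Trusted values a hostname would get ("first obtained value wins").
# Hostnames build.example.com and *.lab.example are made up for the example.

SAMPLE_CONFIG='
# DANGEROUS: any remote host you ssh to can read your screen (xwd) and your
# keystrokes, which is exactly what the thread above warns about.
#Host *
#    ForwardX11 yes
#    ForwardX11Trusted yes

# Safer: forward only to hosts you name, and only as untrusted X clients.
# Untrusted clients get an X SECURITY-extension cookie and cannot grab the
# display or snoop input of trusted clients (ForwardX11Trusted exists since
# OpenSSH 3.8).
Host build.example.com *.lab.example
    ForwardX11 yes
    ForwardX11Trusted no

# Everything else keeps the compiled-in default: no X11 forwarding at all.
Host *
    ForwardX11 no
    ForwardX11Trusted no
'

# effective_x11 HOSTNAME [CONFIG_TEXT]
# Prints: ForwardX11=<yes|no> ForwardX11Trusted=<yes|no>
# Runs as a subshell so "set -f" and the working variables do not leak out.
effective_x11() (
    set -f                      # Host patterns must never be expanded as filenames
    host=$1
    cfg=${2:-$SAMPLE_CONFIG}
    fx11='' fx11t=''
    active=1                    # lines before the first Host block apply to everyone
    # read strips leading whitespace and splits on it: key = option, val = rest
    while read -r key val; do
        case $key in ''|'#'*) continue ;; esac      # blank lines and comments
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')  # keywords are case-insensitive
        case $key in
            host)
                active=0
                for pat in $val; do                 # word-split on purpose
                    case $pat in
                        '!'*) case $host in ${pat#!}) active=0; break ;; esac ;;
                        *)    case $host in $pat)    active=1 ;; esac ;;
                    esac
                done ;;
            forwardx11)
                [ "$active" -eq 1 ] && [ -z "$fx11" ] && fx11=$val ;;
            forwardx11trusted)
                [ "$active" -eq 1 ] && [ -z "$fx11t" ] && fx11t=$val ;;
        esac
    done <<EOF
$cfg
EOF
    # OpenSSH's compiled-in defaults when the config says nothing. Note that
    # Debian's shipped /etc/ssh/ssh_config sets ForwardX11Trusted yes instead.
    printf 'ForwardX11=%s ForwardX11Trusted=%s\n' "${fx11:-no}" "${fx11t:-no}"
)

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    for h in build.example.com box1.lab.example random.example.org; do
        printf '%-22s %s\n' "$h" "$(effective_x11 "$h")"
    done
fi
```

Run it with the "demo" argument to see the three hostnames resolve to yes/no, yes/no and no/no; on a real client the authoritative check is "ssh -G hostname | grep -i forwardx11", which evaluates the actual config files. One caveat before relying on the safer block: untrusted mode needs an X server that supports the SECURITY extension, and some applications misbehave under it, which is why people reach for "ssh -Y" and quietly get back the exposure the thread describes. Note too that the "xhost +" sub-thread is a separate failure: ssh installs a per-session MIT-MAGIC-COOKIE-1 on the remote side, so xhost is never needed there, and running "xhost +" against the local server disables the cookie check that the forwarding relies on.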