Hello, I just got done slamming, perhaps as a troll, an lwn.net article. I may have gone too far, and I don't believe you can go too far when it comes to security. I'm not the type to give up: you've attached a keylogger to my X... Well, now your keylogger is attached to my sub-server and I'm going to send you about a dozen fortunes, then I'll try and backhack some arbitrary code your way. Get off my server or the hunter will become the hunted.
What bothers me the most is that I'm finding out about this by reading a news article. When did X developers stop caring about clients after they had connected? I don't believe that malicious clients can never connect to an X server, or that it would be "absolutely" possible to prevent malicious clients from connecting. So why is it that security in X has fallen to this level, if it has, and this article basically admits that it has or will? When did this change occur, and why wasn't I told? I hope that at least a handful of you are at least mildly concerned that X might become an open playground for keyloggers and other malicious software once a client connection has been authenticated. Is it really the intention of the X community to forgo any security post client authentication? I hope you can at least understand where I'm coming from, to have to find out about this in a news article not related to a change in security. In short, I believe that an ounce of prevention is worth a pound of cure. Users should fill that ounce with their best effort to try and keep malicious clients off the X server. I don't believe that's enough; there has to be a cure for when this fails. A great offense that, when combined with the users' defense, forms a complete team that's not only the best, but unbeatable. I know that if keyloggers are prevented from reading anything useful, then there won't be any keyloggers that break past X's authentication security. However, I also know that if there is something to be gained from forging an xauth, hackers will be tempted and eventually succeed in penetrating the outer defense. Another related issue is if it is indeed the case that an authenticated client might have free rein over all user input (where multi-touch devices are open regardless of the keyboard focus lock). This IMHO would disable (or at least render so insecure it's unthinkable) the feature of X that allows for remote clients.
I don't think a remote root should ever be trusted, even if that is you. The simple matter is that a remote box could have been powned. http://lwn.net/Articles/485484/ Please join my cause to keep xinput secure, even when malicious clients are connected. Actually, I'd be looking for someone with more political savvy than myself; I know that I'm actually the worst person you want speaking on your behalf. Please read some of my comments on the lwn.net forum; I stand by what I've said. Thank you.

_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
