[lug] Processor assignment

Davide Del Vento davide.del.vento at gmail.com
Fri Apr 1 20:50:18 MDT 2016


I guess the security threat you are trying to mitigate is very
different from ours. X11 may not isolate apps, so a user can look at what
another is doing, or even pretend to be that user and? Guess what, the
attacker already had shell access, so he could have done whatever he
wanted (with the limits we place on them) to begin with. And the
attacked does not have any more permissions than the attacker. Not sure
how a web server (in a sense "open" to talk with anybody, by
definition of the web) can be more "secure" than ssh, which by
definition is just for some, and won't even talk with you before you
auth. The former has more "surface" to be attacked. But as I already
said, security isn't my field by any stretch.

On Fri, Apr 1, 2016 at 4:38 PM, Rob Nagler <nagler at bivio.biz> wrote:
>>
>> > I bet people tunnel X11 back to their workstations, which is insecure.
>>
>> I guess it depends on what you mean by insecure and on how you do it.
>> But as I said, I am no security expert. Some of the NCAR's security
>> experts sometimes lurk on this list and might chime in.
>
>
> X11 does not isolate applications, similar to DOS. It's one big memory
> space. There are technologies to do that isolation, but I don't think they
> are that popular. Browsers have a security model which ensures isolation
> (assuming no bugs :), but with X11, there is no security model except
> "locking the front door" with a password.
>
> In my experience, a well written web server is more secure than allowing
> people to ssh into a server. The Jupyter folks now offer a containerized,
> multi-user hub, which would be more secure than reverse tunneling
> Jupyter. You can plug in any auth model so you can use OTP. This provides
> end-to-end security from the app to the server, which is less likely to be
> hacked than having an unsecured tunnel (ssh -N -l username -L
> 8888:geyser03-ib:8888 yellowstone.ucar.edu).
>
> At least that's my $.02. :)
>
> Rob
>
>

