
Linux is so secure and private we don’t even mind showing you a brief glimpse of what was on the screen before a computer was locked when it comes back from sleep.

(In case you’re wondering what I’m talking about, it’s this: bugzilla.gnome.org/show_bug.cg – still an issue under elementary OS 6.)

@aral Yep, this has been low-key bothering me since elementaryOS 5 - but whoa, this is an old bug…

@toni It boggles my mind that basic security (and accessibility) issues remain unfixed for years while folks work on new and wonderful whizz-bang visual effects. *smh*

@aral @toni Wasn't this one of the things folks said Wayland was needed to really fully fix? (I haven't seen such behaviour in many years, but I'm over in the land of Qt based desktops not GTK ones so I can't speak from personal experience.)

@keithzg @toni As far as I can see it’s not an issue on Wayland so quite possibly. But, really, it boggles the mind that a serious privacy/security bug just gets the equivalent of a shrugged shoulder for years.

@keithzg @toni I want to recommend these devices/operating systems but how can I when basic security/privacy (not to mention accessibility) remains broken (all the while folks are working on shiny-shiny graphical tweaks).

@aral @toni Well, given enough time Wayland will be everywhere, so there's that ;) Or you could use KDE :D

Snarking aside, Microsoft recently took multiple months to put out a fix for a publicly known bug that let any user escalate privileges by adding a remote printer, and last I checked the bug where certain automatically-installed Windows device drivers could be used to get a System shell wasn't fixed. That is to say, the way you can recommend them is that the competition is still somehow worse!

@keithzg @toni Sadly, Apple’s security isn’t worse. And they’re on the precipice of implementing privacy-violation as a feature with client-side scanning :(

@aral @toni Ehhh, Apple's security isn't necessarily better; they've had more zero-days being actively exploited in the wild already in 2021 than I can remember . . .

@keithzg @toni Yeah, but that’s different; we’re talking about military/nation state attacks there not the inability to fix basic, visible, and known-for-years security/privacy flaws.

Yup, @aral, @keithzg and @toni, it's a very well-known bug, but they keep making more of it because apparently nobody listens: https://www.jwz.org/blog/2021/01/i-told-you-so-2021-edition

@aral @toni I mean I guess so, it's not like Apple hasn't been without lockscreen security bugs too, heh.

Also, I dunno, I'm never too worried about what flaws exist once someone has my system in their hands; feels like the game is mostly over at that point...

@aral Anyways, speaking of big corporations and security flaws, uhhh, yikes: https://twitter.com/xrePCcES/status/1440795969965023233
https://twitter.com/GossiTheDog/status/1440804141060689921

"A design flaw in the Microsoft Exchange Autodiscover protocol is leaking hundreds of thousands of email passwords and Windows domain credentials". And some security researchers are saying Microsoft has been informed of this for a while and has said it's not a bug! Real recurring theme in software security . . .

@keithzg @aral @toni Not so fast; I've been using KDE/Plasma for years and the same thing happens there too sometimes. I never bothered to look up whether there's a bug report or reported it anywhere, but I'd assume there is one.

@walruslifestyle @aral @toni Oh yeah, I wouldn't be surprised; IIRC it's largely an issue with how these things are basically just layered atop each other in X11, hence Wayland being the key fix. Big problem there is that Wayland is *still* not ready for truly universal use (although on some devices I've been on it for a decade!).

@keithzg @aral @toni yeah, knowing nearly 0 of what goes on in the depths of display and window managers, I always kinda assumed it was an artifact of x11 somehow 😁

@walruslifestyle @aral @toni Not a bad bet, haha! A ton of things are just artifacts of X11 somehow; hell, that there's randomly a standard HTML named colour called "dodgerblue" and it isn't even actually the right blue, yup believe it or not but that's an artifact of X11! :D https://www.latimes.com/sports/dodgers/la-sp-how-dodger-blue-became-part-of-the-internet-20171030-story.html

@aral
On the other hand: when you remote-desktop to a Windows machine, its monitor turns on and lets everyone in the office see what you're doing.

I've seen the bug you're talking about in openSUSE, but I feel it's still much better than Windows, security-wise.

Which is not an excuse, of course! But I guess it's a risk if many developers get to choose what bit they take on and which they don't. Someone needs to figure out a mechanism that directs resources to such issues...
@keithzg @toni

@Mr_Teatime @keithzg @toni Not entirely relevant as I’d rather use an abacus than touch Windows ever again ;)

@aral
Haha, of course you wouldn't!

The argument I'm trying to make is that low adoption of Linux is not related to any security weaknesses, and Windows is absolutely worse in that department -- because your previous toot could be read as if you thought otherwise.

@keithzg @toni

@Mr_Teatime @aral @toni That's not how Windows remote sessions work, at least not if using the built-in RDP server; sessions are only displayed in one place, and only one session can be active at a time.

I know many businesses use third-party VNC software that functions like you describe, and (while it works sanely on Linux) I believe Chrome Remote Desktop works the same way on Windows, as I discovered to my surprise at work on a weekend trying to shut down a PC that was remotely in use!

@keithzg
Hmm... I've had several times when someone in the office said they could see my screen, and vice versa.
RDP can work without a screen attached to the remote PC, but it's also used for "remote control" sessions, so there are at least unsafe scenarios.

For Linux ... I've heard TightVNC is good, but I've never managed to set it up so it actually works. NoMachine used to work but these days is tied to physical screens and shows your desktop at the remote location. Complete rubbish!
@aral @toni

@Mr_Teatime Ah yeah there's a screen sharing mode that Windows has that technically works that way but I see zero reason anyone would use it for solo work? Normal login using Microsoft Remote Desktop will lock any sessions other than the remote user's window, so the screen in the office will just show a lockscreen. If the screen in the office is showing what you're doing remotely you're doing something abnormal one way or another.

For Linux honestly I often just use `ssh -X`, hah!

@keithzg
hmm... I no longer work in that place, so I can't test it now. Maybe I've conflated something ... *scratches head*

The definite advantage of RDP over anything else (except ye olde noMachine 3.x) is that it "just works", and is not tied to local screen resolution.

I used X2Go to connect to a Linux machine because I couldn't get VNC to work, and its resolution was also tied to the remote display, even if I unplugged it...

ppl in VNC fora were like " lol y u use linux if ur too stupd!"

@Mr_Teatime VNC folks do seem to be of the curmudgeonly variety ;)

Perhaps worth noting, there's a good RDP server for Linux, on Debian-based distros the package name is just "xrdp" and you can just install that et voila, now you can connect to that Linux box using RDP just like Windows (although things are slightly different on the server side, notably multiple users can connect at the same time unlike non-Server Windows flavors, and the user RDP sessions are separate from local X11 sessions).

@keithzg
That sounds cool, thanks for the hint! I'll definitely try that out.

There's another thing about not just VNC people but most remote desktop makers, which is they seem to believe that it's all about desktop "sharing", and why would anyone not want to show the desktop on both ends? And then they don't even mention on their site which kind of remote desktop their tool provides.

@keithzg
»VNC folks do seem to be of the curmudgeonly variety«

...at the same time, I wonder why they are like that. VNC can do cool stuff. Our last cluster admin set up TurboVNC, and it was amazing. 3D-accelerated full Linux desktop, remotely from a headless cluster node.
He tried to explain to me how to set it up because I wanted that on my own machine -- but I had a different distro and less knowledge of its internals ==> no chance, and no help online, either.

VNC's biggest drawback :(

@Mr_Teatime Yeah, something can be quite technically impressive, but if it doesn't have good documentation and/or is fragile across even slightly different underlying platforms, it's tough to engage with . . .

I work with computer engineers at my job, and boy howdy is "well it works for ME, why should I waste time writing down how or making sure it works elsewhere, that's not my problem" a real recurring issue! And if that kind of approach isn't nipped in the bud, it tends to blossom over time and as it flows downstream.

I'm a fairly poor programmer myself, but I try to do better in those regards. Even for tiny things I'm just doing for myself; more than once, present-me has been thankful of past-me's considerations in that regard :D ("Wait, why isn't this working? Oh, I left a README.md file, lemme check that . . . ohhhhh riiiiight!")

@keithzg @aral @toni I see it regularly running recent KDE/Plasma (Qt-based) on X11 (not Wayland)... yes, it's a 'low level' annoyance, but it does seem a bit slipshod. I gather it's not a trivial thing to fix.

@lightweight @aral @toni I wonder why I haven't seen it for ages? Admittedly my laptop uses Wayland now, but I remember seeing it a lot back in the day and then never again, long before my laptop was using Wayland. I suppose since it's kind of a race on X11 between the different layers running in the session, maybe my race was just skewed enough that the lockscreen always won, hah!

@keithzg @aral @toni I haven't looked into it for a long time. I see it on a desktop I've got after many years of only using a laptop... only returned to Plasma/KDE in the last year or so after a couple years' sojourn to Cinnamon. But yes, I think it's probably an X11-level issue, not desktop-level.

@wzqtparor Just using the one that came with @elementary in the same way I just use the engine that came in my car ;)

@aral someone tried to crack my root password once and they weren't able to, thankfully!! ✊ *knocks on wood*

@aral mhm, I just noticed that I unconsciously usually do "super" + "L" before closing the lid, so not overly common for me to see it, but yes, I also remember seeing this behaviour especially under high load :blobfoxthink:

On regular GNOME that is.

Is there a corresponding issue in the GNOME GitLab?

@sheogorath No idea, looks like they didn’t port their issues over to the new system or provide links to corresponding issues from the old system 🤷‍♂️

@aral @sheogorath Same behaviour here.

The original issue gitlab.gnome.org/GNOME/gnome-s was only closed with a message and the state RESOLVED OBSOLETE, despite it clearly having security implications. There is also CVE-2016-1000002 assigned to it.

I've allowed myself to recreate the issue, because I have been repeatedly annoyed by it:

- gitlab.gnome.org/GNOME/gnome-s

@yala @aral @sheogorath I'd guess it was marked as „resolved obsolete“ because I don't see that behaviour under GNOME 40; but I can confirm it for elementaryOS and Ubuntu with GNOME 38.

@cjk @yala @sheogorath Jon’s bug report states that he can recreate it with GNOME 40 in Fedora with both X11 and Wayland. (I’m actually surprised about the latter as I thought it was an X11 issue.)

@aral @yala @sheogorath Well, that's weird. On my last Arch box I definitely don't see this.

@aral #Firefox on iOS does that too, with closed private tabs.

Sometimes when I close a private tab and open a new one, I get a glimpse of the closed private tab's preview.

@aral 😅 I've noticed the specific bug you're talking about on my elementaryOS laptop. It's certainly shocking to see.

@aral still have that here on my old laptop on Debian… but it swaps so much…

@aral I haven’t looked at it, but I speculate the problem is it runs lock after suspending, while it should run before suspending.
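One way to force the ordering the post above speculates about (lock first, suspend only once the locker has confirmed), as an added example that is not code from this thread or from GNOME, elementary OS or any other desktop project. It assumes a systemd-logind system and a screen locker that honours the Lock signal and sets the session's LockedHint; the `loginctl` "self" session alias, the LockedHint property and the 10-second timeout are assumptions of this example, not something the thread establishes.

```shell
#!/bin/sh
# Added example, not code from the thread or from any desktop project.
# Assumes systemd-logind and a locker that sets LockedHint after locking
# (whether a particular locker does so is an assumption of this script).
# Idea: request the lock, wait until logind confirms it, only then suspend,
# so no stale frame can be shown on resume.

SESSION="${XDG_SESSION_ID:-self}"   # "self" lets loginctl resolve the caller's session (assumed)

# Prints "yes" when logind reports the session locked, "no" otherwise.
session_locked_hint() {
    loginctl show-session "$SESSION" -p LockedHint --value 2>/dev/null || echo no
}

# wait_until_locked PROBE TRIES
# Polls PROBE once per second, at most TRIES times; returns 0 as soon as
# PROBE prints "yes", 1 if it never does. PROBE is a function or command name.
wait_until_locked() {
    probe=$1
    tries=$2
    n=0
    while [ "$n" -lt "$tries" ]; do
        if [ "$("$probe")" = "yes" ]; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Order matters: ask for the lock, confirm it took, then suspend.
# Refuses to suspend if the lock is never confirmed.
lock_then_suspend() {
    loginctl lock-session "$SESSION" || return 1
    if wait_until_locked session_locked_hint 10; then
        systemctl suspend
    else
        echo "lock not confirmed within 10 s; refusing to suspend" >&2
        return 1
    fi
}

# Run only when invoked as: sh lock-then-suspend.sh run
if [ "${1:-}" = "run" ]; then
    lock_then_suspend
fi
```

Bind `sh lock-then-suspend.sh run` to the suspend key or lid-close action instead of calling `systemctl suspend` directly. This works around the race from outside the desktop; it does not fix the locker itself, and if the locker never sets LockedHint the script deliberately fails closed rather than suspending an unlocked session.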

@aral
I have the same problem on my machine, but I'm not on elementaryOS. I use larbs.xyz, which uses slock as the lock screen. I always thought this was some kinda bug on slock, but now I'm having second thoughts. Maybe this is related to the X server or something 🤔

how's the GNOME desktop environment even related to the kernel Linux?
when you hit a bug in another multiplatform program, say in Firefox, do you also complain about unrelated software like Darwin, ntkernel, or SunOS?

@lxo Is Firefox a core part of your operating system? You want “Linux on desktop” to be a thing, then start seeing it as an everyday person using an everyday thing would see it. No one cares about GNOME apart from hobbyists. As far as anyone else is concerned, elementary OS (or Ubuntu, etc.) has a security issue. Just like if it happened on a Mac they’d say macOS has a security issue. Try and see the forest for the leaves.

you seem to be mistaking me for someone else. linux isn't really my thing. the bug you've identified in gnome is likely also present in opensolaris, that made gnome its primary desktop environment. on gnu systems, there are multiple desktop environments to choose from. firefox-based browsers are a lot more prevalent than gnome AFAICT

@lxo I meant “you” in the general sense also :) As in “people who do.” When competing with macOS and iOS (which is what “Linux” is doing for mindshare), passing the buck upstream isn’t going to cut it. No one* cares about the innards. And that goes all the way to device manufacturers. Security/usability/accessibility issue in component X? That’s right, Brand X has a security/usability/accessibility issue. No one* knows/cares about component X.

* apart from hobbyists/developers

'fraid you've sounded a lot like the sold-out press that reports a bug in a browser extension that may be exploited on GNU/Linux as an operating system bug, but that protects the big-payout brands about bugs that are actually their responsibility. yeah, GNOME is a big player on GNU/Linux desktops, but I find it offensive that you call it Linux desktop. heck, Linux is the kernel running underneath Android, and I find it disingenuous that you dismiss the choices that the freedom we free software people fight for has brought you. it's a bug in a choice you made (or that the distro you chose made for you), but by reframing it as a bug in the platform you're doing freedom a disservice, and aligning yourself with the worldview of proprietary all-or-nothing package deals. please reconsider that framing. yeah, mostly everyone doesn't know or care, but mainly because they were trained to not have that kind of choice; we have a huge task before us. wanna help us, or reinforce opposite views?

@lxo “we free software people … have brought you” – Dude, everything I do is free and open source. It’s this sort of arrogance, gate-keeping, and total ignorance about design/how everyday people use technology as an everyday thing that is the biggest impediment to “free and open” competing with proprietary solutions. Get off your high horse and learn to recognise when someone IS helping BY pointing out the flaws in your culture and approach.

I wrote "choices that the freedom ... have brought you" (should have been "has", sorry if that confused you) and "freedom we free software people fight for" (that was supposed to include you, why would you think otherwise?)

now, back to the point, an actual impediment is promoting the notion of accepting someone-else's choices instead of the notion that you can make your own. not that the software has to get to you already perfect, but that you can get any deviations from your preferences fixed regardless of whom you got the software from, or who develops it. finding out the right software component and reporting problems and requests for improvement is part of the community behavior we wish to promote. bundling it all as "[gnu/]linux desktop" does not quite do that. "you must fix this" is a common but undesirable attitude; "I think it's important for us to fix this" is less demanding, and shares more of the community responsibility. maybe make it *our* culture and approach?
Aral’s Mastodon
