Kids find a security flaw in Linux Mint by mashing keys

The two articles are beautiful and beautiful correct.

The weblog publish from JWZ is bitter, not constructive and contains some nonsense.

We had been wanting ahead to it. You develop not streak telling folk I suggested you so for 20 years after which not lift the different to attain it once extra when it happens again. And it did happen again, yes, so skills the second. Let’s enjoy one extra I-suggested-you-so second, if it’ll abet us react noteworthy extra and make issues higher for 5.0, let’s embody it.

Will enjoy to you are seemingly to be not working XScreenSaver on Linux, then it is miles receive to take that your mask doesn’t lock.

No. As talked about above KDE has a clear locker and so has mild-locker, so no, XScreensaver shouldn’t be the sigh fabricate which is receive from library/toolkit crashes.

Chances are you’ll perhaps settle that in 2004, which is now seventeen years ago, I wrote a document explaining why I made the fabricate alternate-offs that I did in XScreenSaver, and in that document I predicted this trusty trojan horse as my instance of, “here’s what’s going to happen while you happen to develop not attain it this draw.”

He did indeed and that fabricate different made a range of sense. It offered a increased level of safety although he did not address the wants folk had.

JWZ’ message of wisdom desires to be extra pragmatic if it desires to be heard and introduced critically. If I verbalize you “develop not streak out of your space, it is probably going you’ll perhaps die” and arrive to your funerals 17 years later to verbalize your associates I had suggested you so, properly, obvious, I may enjoy a level but who cares? Of us are alive to to play with knives, streak out of their dwelling, drive autos speedily on highways and streak across the avenue. Telling them it be inherently unsafe correct misses the level if that’s what they’re alive to to attain. Of us desire a beautiful lock mask, they attain. So let’s work on that.

I wish JWZ had regarded as a fabricate that blended safety and a properly off greeter, because at the time it would enjoy offered a resolution alongside with the warning. In its save the warning used to be misplaced for the reason that offered resolution did not address the need. And by the level we had alternate choices, the warning had been largely brushed off because it wasn’t pragmatic.

mild-locker and KDE they give the impact of being to enjoy gone extra than JWZ’s reflexion and offered a resolution to the true consumer’s need while keeping the promise of safety.

When we first saw and shipped mild-locker this did not hit us, because we had already replaced xscreensaver with that it is probably going you’ll perhaps have the flexibility to judge picks (gnome-scrensaver and mate-screensaver at the time), i.e. we had already accredited the protection menace to address the need that used to be left vacant. By the time we saw the likes of mild-locker, that warning used to be largely forgotten about. Or not it is correct, and it be a pity.

When cinnamon-screensaver used to be written it used to be changing gnome-screensaver, and again it did not enjoy that warning in mind because at the time we hadn’t regarded as doing what mild-locker did, and doing what xscrensaver did (i.e. going toolkitless) merely wasn’t acceptable.

And they went and made that happen.
All all over again and again.

Moral, they did, and we did correct now. Because they needed to. JWZ misses the level on this. Chances are you’ll perhaps additionally’t ask folk to not attain what they’re alive to to attain and what they ask to be capable to attain. If they’re alive to to contaminated the facet toll road, it is probably going you’ll perhaps must make it receive for them to attain so. And also you know what? It might perhaps perhaps enjoy to never be as receive as NOT crossing the facet toll road. Having some realizing man telling them NEVER TO doesn’t abet, in any recognize.

Every time this trojan horse is re-introduced, somebody pipes up and says something like, “So what, it used to be a pc virus, they’ve mounted it.” That’s in point of fact missing the level. The level shouldn’t be that this type of trojan horse existed, but that this type of trojan horse used to be even that it is probably going you’ll perhaps have the flexibility to judge. The exact trojan horse here is that the fabricate of the machine even permits this class of trojan horse. It is miles unconscionable that somebody designing a significant portion of safety infrastructure would fabricate the machine in this type of plan that it doesn’t fail receive.

I’m able to see where JWZ is coming from. Though I might like to illustrate GNOME rewrote their resolution from scratch (I’ve no thought what fabricate they used by the vogue), and so did we. I’m not obvious these GNOME devs are the identical as sooner than and we completely don’t seem like. We’re indeed making mistakes folk did sooner than us, and we did repair that trojan horse beautiful speedily and patted ourselves on the attend when it used to be performed, but I develop not mediate it is probably going you’ll perhaps have the flexibility to bid we’re overjoyed and calling it “job performed”. This straight away makes us mediate as how we are able to forestall it from happening again, we enjoy that separation of greeter/locker on our roadmap and it is completely noteworthy deliberate to head ahead for 5.0.

An incendiary weblog publish and your complete social media hype that goes with this would perhaps also completely abet in making us care noteworthy extra, but the mere proven truth that this occurred in our code (here’s OUR code correct now, not correct gnome-screensaver or something from upstream we would correct ship) and with our fabricate is enough to make us are alive to to overview it.

Especially once I enjoy given them nearly 30 years of prior work demonstrating easy suggestions to attain it correct, and a two-a protracted time-used document clearly explaining What Now not To Close that coincidentally used this very trojan horse as its illustrative strawman!

Xscreensaver did not attain it correct. Now not crossing the avenue shouldn’t be the safest solution to contaminated the avenue.

He uncovered an subject, he did not give a resolution. There’s a need which is rarely addressed here, there is a hazard which is, there is a resolution which has been given by other tasks, not xscreensaver. It might perhaps perhaps enjoy to enjoy to be properly audited, but to me mild-locker and KDE appear to enjoy the sigh resolution at the second both in terms of safety and in terms of components.

This identical trojan horse retains cropping up in these other mask lockers for numerous reasons.

Writing safety-significant code is exciting. Most folk can not attain it.

Locking and authentication is an OS-level distress. And while X11 is at the coronary heart of the OS of a Linux desktop pc, it used to be designed with no safety to talk of, and so lockers must run as frequent, unprivileged, consumer-level applications. That makes the distress even more difficult.

This error of the X11 architecture can never, ever be mounted. X11 is too used, too ossified, and has too many quagmire-trapped stakeholders to ever make any most important adjustments to it again. That's why folk protect searching out for to change X11 -- and failing, because it be too entrenched. 

As in any recognize times, these bugs are gruesome because terrifying safety is worse than no safety. Will enjoy to you knew for a proven truth that your mask did not lock, it is probably going you’ll perhaps behave accurately. Perchance you’d log off while you happen to walked away. Perchance it is probably going you’ll perhaps not use that pc for obvious issues. But a security placebo makes you behave as if it be receive when in actuality it is not.

I fully have faith all of this.

One among the infuriating parts of these recurring bugs is that the mask-locker fragment of XScreenSaver shouldn’t be even the stress-free fragment! I attain not skills engaged on it. I never enjoy. I added it based on ask and necessity, not because it sounded like a fair time.

I’m able to impress this. I hate engaged on safety myself, I mediate most of us attain. We like doing frigid issues with technology not restrict ourselves because a couple of folk abuse all the issues they’re going to and extinguish the occasion if we develop not force ourselves to take into consideration every small draw they’re going to use A or B towards other folk.


Xscreensaver has been a gargantuan accomplishing. We enjoy been shipping it for some time and it made users overjoyed at the time. Or not it is miles also the codebase for its fork gnome-screensaver, which folk enjoy been the use of for years. In picture a accomplishing we owe it lots. The fabricate picks its dev made had been inspirational also because they defined the hazard of relying on libs and toolkits in something like a locker, which needed to be as crashsafe as that it is probably going you’ll perhaps have the flexibility to judge. It failed in providing a resolution to a need folk had although while persevering with to address that hazard.

I may streak even extra. What JWZ did in xscreensaver is the source to a key precept we use very most frequently (alt

Read More

Recent Content