| |||||||||||||
GNOME 3.4 releasedGNOME 3.4 releasedPosted Mar 28, 2012 16:48 UTC (Wed) by drdabbles (subscriber, #48755)In reply to: GNOME 3.4 released by drago01 Parent article: GNOME 3.4 released
This is perhaps one of the most foolish things to ever be implemented. CTRL+ALT+DEL is synonymous with a badly behaving computer, and in my mind at least for cultural reasons should be avoided.
Making Gnome easier to use is a fantastic goal, but obscuring certain things like shutdown or reboot behind a key combination, the requirement of an extension, or the changing of a setting is a _really_ bad idea. It's been discussed at least a thousand times, so I'll leave it there.
(Log in to post comments)
GNOME 3.4 released Posted Mar 28, 2012 17:51 UTC (Wed) by mpr22 (subscriber, #60784) [Link] CTRL+ALT+DEL is synonymous with a badly behaving computer Synonymous for you, anyway. The cultural connotations of symbols are neither time-invariant nor space-invariant, and the symbol "Ctrl-Alt-Delete" has had an assortment of connotations over the course of the more than 25 years I've been aware of it.
Cultural connotations Posted Mar 28, 2012 21:04 UTC (Wed) by man_ls (subscriber, #15091) [Link] Any of those connotations were positive? For me (and my blissful ignorance of CTRL+ALT+DEL for many years, at least in practice, until I entered the corporate world) all of them are negative-to-pure-evil-incarnate.
Cultural connotations Posted Mar 29, 2012 2:04 UTC (Thu) by drdabbles (subscriber, #48755) [Link]
I understand the historical and current purpose and meaning of CTRL+ALT+DEL. I, too, have been in the industry for a while. But the fact remains that the general feeling of CTRL+ALT+DEL is a combination to be used when something has gone wrong.
To attach that stigma and historical baggage to something used to simply signal your UI shell that you want to reboot, logout, or shut down is unintuitive to uses moving from the windows world to the Linux desktop. You and I perfectly understand, because we're advanced users. My girlfriend simply wouldn't get it.
Cultural connotations Posted Mar 29, 2012 9:52 UTC (Thu) by khim (subscriber, #9252) [Link] I understand the historical and current purpose and meaning of CTRL+ALT+DEL. It does not looks this way from this side. Have you actually tried to see just what you get in Windows Vista or Windows 7 when you press ALT+CTRL+DEL? Take a look on bottom right corner. To attach that stigma and historical baggage to something used to simply signal your UI shell that you want to reboot, logout, or shut down is unintuitive to uses moving from the windows world to the Linux desktop. What? Why? Why is it fine in Windows world, but not in Linux world? Do you mean they can only find red “power” button in bottom right corner and can not find it when it's closer to the center of the screen?
Cultural connotations Posted Mar 29, 2012 10:28 UTC (Thu) by mpr22 (subscriber, #60784) [Link] For me, the strongest connotations Ctrl-Alt-Delete has had are:
GNOME 3.4 released Posted Apr 3, 2012 14:31 UTC (Tue) by sorpigal (subscriber, #36106) [Link] The only connotation it has for me is "Something the user is not likely to type by mistake." When you want to be sure it was a deliberate action it *may* be because it does something drastic. Linux's magic sysrq behavior serves exactly the same purpose.
GNOME 3.4 released Posted Mar 28, 2012 21:09 UTC (Wed) by elanthis (guest, #6227) [Link]
To people who last used a Windows computer in the Win9x days, perhaps.
On the modern incarnations of that OS, Ctrl-Alt-Delete is the "System Menu" command. It is that command specifically because the OS specially catches that key combination and does not pass it on to any application, nor allow any application to alter the behavior of the command (short of modifying system DLLs and such, of course).
One of the uses for it is on the login screen. Pressing ctrl-alt-delete there is a safety feature. Since no application can catch/override it, you can guarantee that if you press the key combination, you will either see the real login screen (not some malware pretending to be the login screen) or the system menu (if you were in fact not at the real login screen).
This is one of the several ways in which modern Windows incarnations are actually more secure than Linux. On Linux, there's basically no way to be sure that the screen you're looking at is really your desktop or admin panel or whatever and not some other malware that injected itself via the a hole in the non-sandboxed Firefox processes Linux users are still primarily using as their Web browsers.
XACE and SELinux were supposed to fix this for Linux years ago, but they're still unused and in most WMs completely unimplemented. And to implement them properly, the kernel itself really does need to take control of ctrl-alt-del and ensure that only very select applications can respond to it (the login screen or a fixed system control panel).
GNOME 3.4 released Posted Mar 28, 2012 21:32 UTC (Wed) by Pawlerson (guest, #74136) [Link]
I didn't know the system with the holes being open since a dos era can be more secure. I also don't get it how the system that doesn't get updates to security holes in hours, but months can be more secure. I also don't understand how it is possible 100 holes can make you more secure than 10? Rather than spreading FUD would you be so nice and enlighten me?
http://www.h-online.com/security/news/item/Study-analyses...
GNOME 3.4 released Posted Mar 29, 2012 7:26 UTC (Thu) by imgx64 (guest, #78590) [Link]
This sort of condescending attitude isn't very productive, is it? Just because Windows is less secure than Linux overall, doesn't mean we can't learn a lesson or two from it.
So, is there a way, when I sit on a computer, to know that I'm entering my password in XDM and not in some other program a malicious user ran?
GNOME 3.4 released Posted Mar 29, 2012 15:43 UTC (Thu) by cortana (subscriber, #24596) [Link]
alt+prtsc+k, I believe. But it's only suitable for logging in, and not for unlocking your session, because when you press it it kills everything in the current virtual console, and relies on init (or some other daemon) restarting a trusted instance of the login/?dm.
GNOME 3.4 released Posted Mar 29, 2012 15:52 UTC (Thu) by dgm (subscriber, #49227) [Link]
> So, is there a way, when I sit on a computer, to know that I'm entering my password in XDM and not in some other program a malicious user ran?
Well, let's go bit by bit.
1. Ctrl-Alt-Del is only a relatively safe. The code that handles it is secure only because it belongs to the Windows kernel, but it resides in a file on the filesystem, and in memory addressable by code running in ring-0. So any exploit that gives you write permissions for that file, or ability to run ring-0 code (install a driver) can allow you to subvert it. Unfortunately there's a TON of such exploits, so I guess this only serves to prevent wannabe hackers and pranksters.
2. Is your login the only password you type on your computer? I bet not. What about all those? Depending on the software you use and web sites you vist it can be a considerable number of passwords entered. And probably those include the ones a malicious program would really be interested in, actually.
3. And yes, there is: configure your XDM so that it looks different from the default. Don't forget to mark the configuration files to be only readable by root.
GNOME 3.4 released Posted Mar 29, 2012 16:48 UTC (Thu) by abo (subscriber, #77288) [Link]
None of which is a valid argument against implementing similar functionality in GNU/Linux/X/GNOME, preferrably using the same key combination. It makes a whole lot of sense.
GNOME 3.4 released Posted Mar 29, 2012 21:46 UTC (Thu) by blujay (guest, #39961) [Link]
Eh, I'm not so sure. If malware can inject itself like that, it can already have its way with your data and run whatever code it wants. Would it really need to escalate to root?
I hate having to press Ctrl+Alt+Del to log in. It's an awkward, two-handed chord, and Windows uses it as a crutch because of its inferior security model. Sure, if Linux had such a system from the kernel up through X, it'd be a tiny bit more secure--but with the fundamentally more secure model, and by using trusted binary repositories, I don't think it's necessary. Besides, what are you going to do, press Ctrl+Alt+Del every time you have to type your password? Ugh!
BTW, SELinux on Ubuntu works quite well with Firefox. I can't vouch for how well it stops exploits, but it's there, and is kept up-to-date by Ubuntu.
GNOME 3.4 released Posted Apr 7, 2012 6:09 UTC (Sat) by abo (subscriber, #77288) [Link]
I agree with all of that, but it's still useful in cases where you let untrusted run with full screen access (webapp/flash, remote desktop etc) and with multi-user machines (you trust the admin but not all the other users).
GNOME 3.4 released Posted Mar 30, 2012 1:49 UTC (Fri) by cortana (subscriber, #24596) [Link]
In a Windows setting where you use Ctrl+Alt+Delete (workstation joined to a Windows domain), the only password that matters _is_ the user's password. In this setup, this password gets you access to everything via Windows Integrated Authentication (basically kerberos).
GNOME 3.4 released Posted Mar 29, 2012 16:31 UTC (Thu) by Pawlerson (guest, #74136) [Link] This sort of condescending attitude isn't very productive, is it? Just because Windows is less secure than Linux overall, doesn't mean we can't learn a lesson or two from it.Yes, you are right, but I know the person I was replying to. The problem is every argument falls on deaf ears in this case and the FUD is being spread. ;)
GNOME 3.4 released Posted Apr 5, 2012 12:21 UTC (Thu) by elanthis (guest, #6227) [Link]
> Yes, you are right, but I know the person I was replying to. The problem is every argument falls on deaf ears in this case and the FUD is being spread. ;)
You absolutely do not know me, in the least. You have never met me, never had a conversation with me, and couldn't guess my motivations or beliefs to save your life.
That said, there's no FUD here. Windows is more secure in that it offers user-facing security features that Linux never has. There's absolutely no argument here. Sure, maybe Windows -- offering tons of features and subsystems that the Linux desktop does not -- has more lines of code and hence more places for mistakes to be made is truth, but that's entirely different than the _design_ of Windows being one focusing on desktop security, where as Linux focuses on ancient POSIX-compatible time-shared system security.
On the desktop, security is not "user A cannot negatively affect user B." On the desktop, security is "user A accessed something that could find a hole in random application he's using, but that still shouldn't negatively affect user A."
Linux has almost no solution here, besides adding SELinux (only even used on one major-ish distro) and some weak sand-boxing. Windows has numerous features that help to ensure that even if the sand-boxing mechanisms (which, according to more than a few places, are more complete and secure on Windows than on Linux) are broken, the conscientious user still has means to do a basic sanity test of the screen he's staring at.
Yes, the Windows mechanisms can be hacked by modifying Windows, but then the same can be said about Linux. I've seen root-kit'd Linux systems. They're a thing. Maybe you're not aware.
But hey, claim you know me, say that basic facts are "FUD," and then try to discredit me. That's the kind of response reasonable people expect out of folks who make emotional -- rather than logical -- attachments to technology, and isn't doing "your side" (which I'd say I'm on; I don't post here just to make fun of people, but rather to point out the dumb things that the Linux community could be doing better with) any favors. :(
GNOME 3.4 released Posted Apr 5, 2012 16:33 UTC (Thu) by khim (subscriber, #9252) [Link] That said, there's no FUD here. Oh, but there is. Right here: Windows is more secure in that it offers user-facing security features that Linux never has. Security can not be measured by counting features. In fact often additional features make security worse, not better. Windows ACL model is quite powerful and convenient, but I'm not sure it offers better security. It's complexity is it's worst enemy. When I try to remove SYSTEM-owned file in FAR from Administrator account it explains to me that it can not be done. Unless I'll give permission agree to “try harder” - then it repeats with DEBUG permissions and file is gone. That's not security, that's snake oil. That's entirely different than the _design_ of Windows being one focusing on desktop security. Windows is designed for convenience, not for security. Sure, Windows NT was designed with some good security ideas in mind, but when it become obvious that they hurt performance and usability most of them were abandoned and subverted. Only after huge outcry when totally insecure design of Windows XP (let's not even talk about Windows 9X, ok) created plethora of malware Microsoft started adding features which can provide real security on desktop. Some of them are genuinely useful, some are more of snake oil. Linux has almost no solution here, besides adding SELinux (only even used on one major-ish distro) and some weak sand-boxing. Actually seccomp sandboxing can be quite robust, but hard to use. There are interesting development in this direction under Linux which makes it more useful. But hey, claim you know me, say that basic facts are "FUD," and then try to discredit me. FUD education 101:
Basic fact: in Windows you can do X, Y and Z, in Linux it's impossible. Where are your facts? Here is an example of your “fact”: On Linux, there's basically no way to be sure that the screen you're looking at is really your desktop or admin panel or whatever and not some other malware that injected itself via the a hole in the non-sandboxed Firefox processes Linux users are still primarily using as their Web browsers. First of all it mixes the issues (Chrome uses pretty robust sandbox on Linux), then it includes true statement (yes, Windows's Ctrl-Alt-Del is pretty robust protection against some kinds of attacks) but omits an important detail (in Windows Vista and above you don't need to press Ctrl-Alt-Del before you'll be asked to enter Admin's password). The sad truth is that Ctrl-Alt-Del was useful security feature in Windows NT 3.1, but over time Microsoft worked long and hard to make it less and less useful. Today Microsoft have trained users to enter password after screen “flash” instead of doing it after Ctrl-Alt-Del. Which turned Ctrl-Alt-Del from genuine protection to snake oil security. This “fact” is FUD, plain and simple. Good, high-quality FUD (it includes genuinely true statements and lies mostly by omission), yes, but it does not make it less FUDish.
GNOME 3.4 released Posted Apr 3, 2012 7:35 UTC (Tue) by lindi (subscriber, #53135) [Link]
Very good question. I've been searching for a solution for quite some time.
If you just want to login securely then the best solution is to bind some key to just restart your display manager. My own prototype for this is
http://lindi.iki.fi/lindi/git/xsakd.git
but the idea is simple: it is just a daemon that reads /dev/input/by-path/platform-i8042-serio-0-event-kbd so there is no way to inject a fake key press programmatically. I wrote this to test how to make a variant of sudo that would not expose my password to all X clients:
http://lindi.iki.fi/lindi/git/sido.git/
GNOME 3.4 released Posted Mar 28, 2012 21:40 UTC (Wed) by Pawlerson (guest, #74136) [Link]
And about the part about sandboxing... I would like to know how sandboxing is helpful on Windows?
http://www.h-online.com/security/news/item/Pwn2Own-ends-w...
"Mozilla Firefox fell to the team of Willem Pinckaers and Vincenzo Iozzo, who together took second place overall in Pwn2Own. Their single zero day vulnerability in Firefox involved a use-after-free problem which evaded DEP and ASLR protections in Windows 7."
I wouldn't ever trust Windows. I'm sure my system is far more secure with Apparmor profiles rather than Windows' sandboxing.
GNOME 3.4 released Posted Mar 29, 2012 1:34 UTC (Thu) by Fowl (subscriber, #65667) [Link]
Firefox isn't currently sandboxed on any platform.
IE and Chrome, which are, have had vulnerabilities mitigated by sandboxing in the past. It's not perfect of course, but now you have to find an elevation of privilege vulnerability to get your remote code execution vulnerability to take over the system.
GNOME 3.4 released Posted Mar 28, 2012 23:19 UTC (Wed) by pboddie (subscriber, #50784) [Link] One of the uses for it is on the login screen. Pressing ctrl-alt-delete there is a safety feature. Since no application can catch/override it, you can guarantee that if you press the key combination, you will either see the real login screen (not some malware pretending to be the login screen) or the system menu (if you were in fact not at the real login screen). This feature actually has a name and satisfies some "secure computing" criteria, but from vague memory I thought that Ctrl-Alt-Delete in a Windows session brings up the task manager, or perhaps asks you if you want the task manager. Is that the "system menu"? And out of interest, how can no application be able to trap that combination? Surely these are all normal keys. Nevertheless, Ctrl-Alt-Delete still has negative connotations. Maybe all our systems should have a BBC Micro-style Break key or a Torch Triple-X-style "soft" power button for situations like this.
Secure Attention Key Posted Mar 29, 2012 1:14 UTC (Thu) by tialaramex (subscriber, #21167) [Link]
The phrase you're groping for is 'Secure Attention Key' (in some older systems it was literally one key press). Linux has some rudimentary low-level support for this capability but it never seems to have ascended into an end user feature of any consequence. No application can trap the SAK combination because long before any code runs that lets userspace applications fiddle with the key presses, the kernel has noticed that the SAK has been pressed and short-circuited to a path that just handles this special case.
In Windows when you press the SAK it forcibly summons a separate desktop, which you can think of as being kind of like a separate X server process. This desktop is "owned" by the System user, roughly equivalent to Unix root, so anyone with permission to tamper with it could just have replaced the entire OS kernel or whatever they wanted.
On the system desktop lives the login dialog (when nobody is logged in), the lock dialog (when somebody is logged in, but their password is needed to resume their session) and that dialog which offers you choices like changing who is logged in or starting a task manager. Because they live in a separate desktop, ordinary programs can't tamper with them and are only just barely aware they exist.
Within a single desktop (or indeed an X session) ordinary programs can snoop all keypresses, silently take pictures of other windows, send fake keypress or mouse click events, initiate phony drag-and-drop operations, impersonate other programs (e.g. popping up a SSH passphrase dialog) and other nasty tricks. They cannot, however, prevent the SAK from summoning its secure desktop.
Secure Attention Key Posted Mar 29, 2012 15:45 UTC (Thu) by cortana (subscriber, #24596) [Link]
To be fair, it's probably pretty trivial to bypass the SAK. Simply present the user with a notice that they must press Ctrl+Alt+Insert to unlock and/or log on to their computer. Most will just follow the instructions without a second thought!
Secure Attention Key Posted Mar 29, 2012 17:31 UTC (Thu) by mathstuf (subscriber, #69389) [Link]
But Windows would intercept it. If the user is already logged, in they get that menu that can start the task manager (I forget what else is there). The rogue application doesn't have a choice as to what Windows does with the combo (short of locking the session or logging out which would likely be fairly blatent behavior). It certainly can't snoop the keypresses on that alternate desktop (I would sincerely hope). So, since the rogue application never gets the password, I don't see how it's being bypassed.
Secure Attention Key Posted Mar 29, 2012 17:47 UTC (Thu) by khim (subscriber, #9252) [Link] You've just proved cortana's point. Note how he suggested to write Ctrl+Alt+Insert instead of Ctrl+Alt+Delete - and you've missed it. Sure, a lot of peoples will miss it, too, but since it's possible to detect Ctrl+Alt+Delete (VMWare does that), program should just close that window and wait for the next opportunity. Eventually user will actually read the text, will press the Ctrl+Alt+Insert and will give the password program is seeking.
Secure Attention Key Posted Mar 30, 2012 1:13 UTC (Fri) by tialaramex (subscriber, #21167) [Link]
Mmm. Maybe. I think Microsoft's intention, and it has been somewhat successful, is to inculcate the Ctrl+Alt+Delete muscle memory into the wider user population beyond the group where it's actually in any way relevant to security (on a home machine where the main user and operator is also the only administrator, tricking the user with such a dialog is almost besides the points)
So you may find that in practice the story goes
User 1: "Oh, a message..." (doesn't read properly) Ctrl+Alt+Delete
Someone would have to do an experiment to check, but this wouldn't be the first time it turned out users are (in a sense) too dumb to fall for a clever trick.
Secure Attention Key Posted Mar 30, 2012 1:41 UTC (Fri) by cortana (subscriber, #24596) [Link]
I think there will be ten users who fall for it for every one that raises a ticket with IT. I was less of a pessimist in this regard before I saw this video: http://www.thoughtcrime.org/software/sslstrip/. It's not directly related to the use of secure attention keys, but if users who care enough about their privacy to use tor don't notice that their URL bars say 'http' instead of 'https' then what hope does the average corporate user who just wants to log into their damn computer with a minimum of hassle to do their job?
Secure Attention Key Posted Apr 15, 2012 16:12 UTC (Sun) by tialaramex (subscriber, #21167) [Link]
I'm familiar with the fact that users are oblivious to the URL scheme (other things real users don't pay any attention to, in a test where they're entering their own, real banking credentials include: those images that confirm the remote site knows who you are by acting as a shared secret, a warning icon in the URL bar, and a dialog saying that the connection is insecure)
I wasn't relying on users to notice that something is wrong so much as for them not to notice that anything has changed. The users I deal with don't _seem_ to read that message about pressing Ctrl-Alt-Del and you can't stop it working, so it seemed to me that if people just press it by reflex everything works out OK. Judging from the other reply though, I was wrong.
Secure Attention Key Posted Mar 30, 2012 5:50 UTC (Fri) by khim (subscriber, #9252) [Link] Someone would have to do an experiment to check, but this wouldn't be the first time it turned out users are (in a sense) too dumb to fall for a clever trick. Experiment showed resounding success. Only instead of “press Ctrl+Alt+Insert” they used trojans with some nonsensical premise in text and “send SMS to XXX-XXX-XXXX” (paid number, obviously) ending. Apparently this business scheme is quite profitable.
GNOME 3.4 released Posted Mar 29, 2012 9:59 UTC (Thu) by khim (subscriber, #9252) [Link] From vague memory I thought that Ctrl-Alt-Delete in a Windows session brings up the task manager, or perhaps asks you if you want the task manager. Your memory is not incorrect, just obsolete. Nowadays (starting from Windows Vista) it brings up menu which includes things like “Lock this computer”, “Switch user”, “Log of”, “Change a password”, and, yes, “Reboot” and “Shutdown”. “Start Task Manager” is also there, but it's the last item in the list and is probably there for historical reasons.
GNOME 3.4 released Posted Mar 29, 2012 21:38 UTC (Thu) by pboddie (subscriber, #50784) [Link]
As I noted, I think it gave a choice of things: this was with Windows XP and 2000. Still, it's like the panic key combination.
Yes, while the pundits have been racking up the hits deliberating on the issue of Linux being ready for the desktop or not for the past n years, I've been actually using it, meaning that even in work environments I've not had to worry about what Microsoft have changed with which dialogue in whichever version of Windows that is being rolled out with widespread user re-training (which of course comes at no cost whatsoever because "it's still Windows" whilst any Linux deployment can't be done even if it looks like the current version of Windows because "it would cost too much to re-train everyone").
I'd like my memory of Windows key combinations to fade further into obsolescence!
|
|||||||||||||