

The perils of desktop tracking

By Jonathan Corbet
April 18, 2012
One of the first things most of us learn about computers is that they are not particularly smart; they only do the things that they have been told to do. Sometimes telling a computer to do something can be a long and repetitive process, bringing into question the benefits of the whole exercise. As developers work to improve the experience of using computers, they find themselves trying to enable those computers to make more educated guesses about what the user may want to do. The technology to make those guesses is improving, but it brings risks as well as benefits. How much do we really want our computers to know - and tell - about what we are doing?

The Zeitgeist project aims to make desktop systems more helpful by keeping close track of what the user has been doing. Its developers describe it this way:

Zeitgeist is a service which logs the [user's] activities and events, anywhere from files opened to websites visited and conversations, and makes this information readily available for other applications to use.

Zeitgeist is ostensibly independent of any specific desktop, but it seems to be driven more from the GNOME side of the house than any other. The fact that it has recently been entirely rewritten in the Vala language and proposed as an official GNOME module tends to reinforce that impression. Canonical has been putting in some of the development effort and Unity makes use of Zeitgeist. Tools like the GNOME Activity Journal also obtain information from Zeitgeist.

The Zeitgeist use cases page makes it clear that the plan is to create a comprehensive mechanism for the tracking, analysis, and sharing of user activity. Some examples include:

Tim and Joe are doing research on dinosaurs for a school project. They both set their browser activities to shared and always know what pages the other one is looking at. Using IM they can easily talk about them without having to exchange links.

Daniel was at a conference a week ago and wants to remember what computer resources (files, websites, contacts, etc.) he used there. He opens the Journal, sets up a location filter and thanks to geolocation data gets a list of everything he wants.

Undoubtedly there are a lot of useful things that can be done with this kind of tracking data. But there is also a possible downside; what happens if a detailed log of a user's activities gets into the wrong hands? The Zeitgeist "about" page has a rather unsatisfactory response to this concern: don't run untrusted applications on your system. Certainly that is good advice, but it also misses part of the point.

One can easily imagine an untrusting employer routinely examining the activity logs on all of its computers; it would be a shame, after all, if an employee were to be doing something unproductive on the job. This kind of information would be even more useful to governments that, for good reasons or bad, seek to know what somebody has been up to. The activity log could be a gold mine for inquisitive spouses, concerned parents, or curious roommates. This log could also open up a victim's life to any sort of successful malware attack. The advice to avoid running untrusted applications really only addresses the last of those concerns, and it is a partial response at best.

A somewhat improved response can be seen in this post from Zeitgeist developer Seif Lotfy. He has been working on the Vala port of the "activity log manager" (ALM), a tool for controlling the information tracked by Zeitgeist. Using ALM, it is possible to configure the system to forget events after a specific period of time - or to disable logging entirely. It is also possible to turn off logging involving specific types of files (videos or email messages, say), directories, or applications. After a proper bit of configuration, one's boss can see that flurry of spreadsheet activity but will remain unaware of all the time spent in a web browser.

This kind of configurability is a step in the right direction, but it is still a partial response at best. There will undoubtedly be legions of users who are unaware that this logging is happening at all; they are unlikely to find the utility to fine-tune that logging. Even users who want the functionality provided by this logging may find themselves reconsidering after their activity is exposed to the wrong person.

For a certain class of user, the answer will be to simply turn off features like Zeitgeist altogether - once they become aware of such features. But even the most paranoid among us find ourselves, at times, wishing that our computers were a little smarter in their interaction with us. Many (probably most) of us want the computer to understand how we work and to make that work easier and less repetitive. So, increasingly, those computers will observe what we do and build their own models of who we are and how we work. Progress toward the creation of those models appears to be outpacing the work to protect them; experience suggests that this problem will only be addressed after some people have learned about the issue the hard way.


Brief items

Security quotes of the week

The "cybersecurity" industry has become an increasingly bloated "money machine" for firms wishing to cash in on cyber fears of every stripe, from realistic to ridiculous. And even more alarmingly, it has become an excuse for potential government intrusions into Internet operations on a scope never before imagined.

There are warning signs galore. While we can all agree that SCADA systems that operate industrial control and other infrastructure environments are in need of serious security upgrades -- most really never should have been connected to the public Internet in the first place -- "war game" scenarios now being promulgated to garner political support (and the really big bucks!) for "cyber protection" have become de rigueur for agencies and others hell bent for a ride on the cybersecurity gravy train.

-- Lauren Weinstein

By the time of my arrival, the agency was focused almost entirely on finding prohibited items. Constant positive reinforcement on finding items like lighters had turned our checkpoint operations into an Easter-egg hunt. When we ran a test, putting dummy bomb components near lighters in bags at checkpoints, officers caught the lighters, not the bomb parts.
-- Kip Hawley, former head of the US Transportation Security Administration (TSA)

This is the fundamental political problem of airport security: it's in nobody's self-interest to take a stand for what might appear to be reduced security. Imagine that the TSA management announces a new rule that box cutters are now okay, and that they respond to critics by explaining that the current risks to airplanes don't warrant prohibiting them. Even if they're right, they're open to attacks from political opponents that they're not taking terrorism seriously enough. And if they're wrong, their careers are over.
-- Bruce Schneier


Critical Flaw Found In Security Pros' Favorite: Backtrack Linux (threatpost)

A local privilege escalation flaw in wicd (wireless interface connection daemon) was found as part of an "ethical hacking" class using the Backtrack security-oriented Linux distribution. While Backtrack is singled out in the threatpost article, the flaw really resides in wicd and is likely present in other distributions: "The security flaw was discovered in a Backtrack component known as the Wireless Interface Connection Daemon (or WICD). The latest version of Backtrack does a poor job "sanitizing" (or filtering) inputs to the WICD DBUS (Desktop Bus) interface - a component that allows different applications to communicate with each other. That means that attackers can push invalid configuration options to DBUS, which are then written to a WICD wireless settings configuration file. The improper settings could include scripts or executables that would be run when certain events occur - such as the user connecting to a wireless network, according to the post, whose author asked to remain anonymous."
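The kind of input check the quoted passage says was missing, as an added example that is not code from wicd or from the article: a privileged service validates each option/value pair received from a bus client before writing it to a line-oriented settings file. The option names, the `network` section and the sample requests are hypothetical and constructed for illustration.

```python
import configparser
import re

# Hypothetical option names for this sketch; none are taken from wicd.
ALLOWED_OPTIONS = frozenset({"essid", "ip", "netmask", "gateway", "dns1"})
# CR, LF, NUL and other control characters must not reach a line-oriented file.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_setting(option, value):
    """Return None if the pair may be persisted, else the rejection reason."""
    if not isinstance(option, str) or not isinstance(value, str):
        return "option and value must be strings"
    if option not in ALLOWED_OPTIONS:
        return "option is not settable by bus clients"
    if CONTROL_CHARS.search(value) or len(value) > 255:
        return "value has control characters or is too long"
    return None


def store_settings(requests, section="network"):
    """Build the config text from accepted pairs; return (text, rejections)."""
    lines, rejections = ["[%s]" % section], []
    for option, value in requests:
        reason = check_setting(option, value)
        if reason is None:
            lines.append("%s = %s" % (option, value))
        else:
            rejections.append((option, reason))
    return "\n".join(lines) + "\n", rejections


def hook_options(config_text, section="network"):
    """Re-parse stored text and list options that name a script to run."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return sorted(o for o in parser.options(section) if o.endswith("script"))


# Constructed requests, as a local bus client might send them.
SAMPLE_REQUESTS = [
    ("essid", "office-net"),
    ("connect_script", "/tmp/payload"),  # hook option set directly
    ("dns1", "10.0.0.1\nconnect_script = /tmp/payload"),  # hook hidden in a value
]

if __name__ == "__main__":
    text, rejected = store_settings(SAMPLE_REQUESTS)
    print(text, rejected, hook_options(text))
```

Re-parsing the stored text with `hook_options` is a cheap regression check: after validation it must return an empty list for any client input.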


New Security Sensor Gives Admins Better View of Network Attacks (eWeek)

EWeek introduces Hone, a security tool developed by the US Department of Energy (DOE). "Hone gives users a “’glanceable’ type of view of what’s happening on the network and what’s happening on the machine,” [Hone creator Glenn Fink] said. Hone also is a tool that has uses beyond understanding and responding to attacks, Fink said. It can be used to help programmers debug new networked applications being developed. In addition, security administrators can use data from Hone to ensure that only certain processes on their systems can communicate with the network, and to monitor what their systems are doing, which would help them identify such threats as viruses, spyware and rootkits."


New vulnerabilities

apache2: insecure default configuration

Package(s): apache2
CVE #(s): CVE-2012-0216
Created: April 16, 2012
Updated: April 19, 2012
Description: From the Debian advisory:

Niels Heinen noticed a security issue with the default Apache configuration on Debian if certain scripting modules like mod_php or mod_rivet are installed. The problem arises because the directory /usr/share/doc, which is mapped to the URL /doc, may contain example scripts that can be executed by requests to this URL. Although access to the URL /doc is restricted to connections from localhost, this still creates security issues in two specific configurations:

- If some front-end server on the same host forwards connections to an apache2 backend server on the localhost address, or

- if the machine running apache2 is also used for web browsing.

Systems not meeting one of these two conditions are not known to be vulnerable. The actual security impact depends on which packages (and accordingly which example scripts) are installed on the system. Possible issues include cross site scripting, code execution, or leakage of sensitive data.

Debian DSA-2452-1 apache2 2012-04-15
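A small audit for the condition the advisory describes, as an added example that is not part of the advisory or of any Debian tooling: it scans Apache configuration text for `Alias` directives that publish `/usr/share/doc` and raises the severity when one of the scripting modules named above is enabled. The function name, the way enabled modules are passed in and the sample virtual host are assumptions made for the example.

```python
import posixpath
import shlex

DOC_ROOT = "/usr/share/doc"                  # directory named in the advisory
SCRIPT_MODULES = {"mod_php", "mod_rivet"}    # modules named in the advisory


def audit_doc_alias(config_text, enabled_modules):
    """Return (line_no, url_path, severity) for each Alias publishing DOC_ROOT.

    Severity is "high" if a module from SCRIPT_MODULES is enabled, else "info".
    Localhost-only access rules are ignored on purpose: the advisory lists two
    setups in which they do not protect the URL.
    """
    scripting = bool(SCRIPT_MODULES & set(enabled_modules))
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:      # unbalanced quotes: not a directive we can judge
            continue
        if len(parts) != 3 or parts[0].lower() != "alias":
            continue
        target = posixpath.normpath(parts[2])
        if target == DOC_ROOT or target.startswith(DOC_ROOT + "/"):
            findings.append((line_no, parts[1], "high" if scripting else "info"))
    return findings


# Constructed virtual-host fragment for the example.
SAMPLE_CONFIG = '''\
<VirtualHost *:80>
    DocumentRoot /var/www
    # Alias /old/ "/usr/share/doc/old/"
    Alias /icons/ "/usr/share/apache2/icons/"
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
'''

if __name__ == "__main__":
    print(audit_doc_alias(SAMPLE_CONFIG, {"mod_php"}))
```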


cumin: cross-site scripting

Package(s): cumin
CVE #(s): CVE-2012-1575
Created: April 12, 2012
Updated: April 18, 2012

From the Red Hat advisory:

Several cross-site scripting (XSS) flaws were found in the MRG Management Console (Cumin). An authorized user on the local network could use these flaws to perform cross-site scripting attacks against MRG Management Console users.

Red Hat RHSA-2012:0477-01 cumin 2012-04-12
Red Hat RHSA-2012:0476-01 cumin 2012-04-12


gajim: multiple vulnerabilities

Package(s): gajim
CVE #(s): CVE-2012-1987 CVE-2012-2093 CVE-2012-2086 CVE-2012-2085
Created: April 16, 2012
Updated: August 15, 2012
Description: From the Debian advisory:

CVE-2012-1987: gajim is not properly sanitizing input before passing it to shell commands. An attacker can use this flaw to execute arbitrary code on behalf of the victim if the user e.g. clicks on a specially crafted URL in an instant message.

CVE-2012-2093: gajim is using predictable temporary files in an insecure manner when converting instant messages containing LaTeX to images. A local attacker can use this flaw to conduct symlink attacks and overwrite files the victim has write access to.

CVE-2012-2086: gajim is not properly sanitizing input when logging conversations which results in the possibility to conduct SQL injection attacks.

CVE-2012-2085: unspecified

Gentoo 201208-04 gajim 2012-08-14
Mageia MGASA-2012-0161 gajim 2012-07-13
Fedora FEDORA-2012-6001 gajim 2012-04-27
Fedora FEDORA-2012-6061 gajim 2012-04-27
Debian DSA-2453-2 gajim 2012-04-19
Debian DSA-2453-1 gajim 2012-04-16


kernel: remote denial of service

Package(s): kernel
CVE #(s): CVE-2012-1583
Created: April 18, 2012
Updated: June 12, 2012
Description: Systems running IPv6, and which have the xfrm6_tunnel module loaded, can be forced to crash by a remote attacker.
Red Hat RHSA-2012:0720-01 kernel 2012-06-12
Scientific Linux SL-kern-20120419 kernel 2012-04-19
CentOS CESA-2012:0480 kernel 2012-04-18
Red Hat RHSA-2012:0480-01 kernel 2012-04-17


moodle: many vulnerabilities

Package(s): moodle
CVE #(s): CVE-2012-1155 CVE-2012-1156 CVE-2012-1157 CVE-2012-1158 CVE-2012-1159 CVE-2012-1160 CVE-2012-1161 CVE-2012-1168 CVE-2012-1169 CVE-2012-1170
Created: April 12, 2012
Updated: May 22, 2012

From the Red Hat Bugzilla entry:

MSA-12-0013: Database activity export permission issue (CVE-2012-1155)

MSA-12-0014: Password and Web services issue (CVE-2012-1168)

MSA-12-0015: Backup and private files issue (CVE-2012-1156)

MSA-12-0016: Default repository capabilities issue (CVE-2012-1157)

MSA-12-0017: Personal information leak issue (CVE-2012-1169)

MSA-12-0018: Course information leak in Gradebook export (CVE-2012-1158)

MSA-12-0019: Overview report and hidden course issue (CVE-2012-1159)

MSA-12-0020: Forum subscription permission issue (CVE-2012-1160)

MSA-12-0021: Course information leak through tags (CVE-2012-1161)

MSA-12-0022: Security conflict in Web services

MSA-12-0023: External enrolment plugin context check issue (CVE-2012-1170)

Fedora FEDORA-2012-7597 moodle 2012-05-22
Fedora FEDORA-2012-5268 moodle 2012-04-12
Fedora FEDORA-2012-5267 moodle 2012-04-12


phppgadmin: cross-site scripting

Package(s): phppgadmin
CVE #(s): CVE-2012-1600
Created: April 12, 2012
Updated: April 18, 2012

From the Red Hat Bugzilla entry:

A cross-site scripting (XSS) flaw was found in the way phpPgAdmin, a web-based PostgreSQL database administration tool, performed presentation of the default list of functions, being present in the database, to the user upon request. A remote attacker could provide a specially-crafted web page, which once visited by an unsuspecting, valid phpPgAdmin user could lead to arbitrary HTML or web script execution in the context of logged in phpPgAdmin user.

openSUSE openSUSE-SU-2012:0493-1 phppgadmin 2012-04-12


swftools: code execution

Package(s): swftools
CVE #(s): CVE-2010-1516
Created: April 18, 2012
Updated: April 18, 2012
Description: The swftools package has code execution vulnerabilities exploitable via a hostile PNG or JPEG file. This package appears to be unmaintained, and there is no fix available currently.
Gentoo 201204-05 swftools 2012-04-17


Page editor: Jake Edge

Copyright © 2012, Eklektix, Inc.