Kernel Developers Look At QR Codes For Error Messages


  • #16
    Automated kernel reporting must be opt-in

    Any form of automated bug reporting can be dangerous if not done on an opt-in basis. You might be on an IP address you can't admit to using or have your hardware tied to when such a bug is triggered and the report sent. Just imagine the result of a kernel crash report containing encryption keys that get intercepted by NSA and forwarded to police. For me, that could trigger a raid (raid #2) in an attempt to beat my re-keying process. How about one sent while running TAILS to post dissident material under a military dictatorship like Egypt (where 529 protesters were just sentenced to death). People trust things like TAILS with their lives, and these are based on Linux.

    Automatic reporting by default has to be regarded as a "phone home" security hazard. That's why I go through both operating systems and browsers and disable all software that engages in network activity without an explicit request to do so on my part, automatic update checking included.



    • #17
      Originally posted by Luke View Post
      Are you using a smartphone with a Google-provided or a carrier-provided operating system? If so, that's
      how Google knows. Countermeasure is to only run an OS you control, and to block Google outright in
      /etc/hosts (on a Linux-based OS) if you still get that kind of crap.

      It is very easy for Google or a phone company to drop a tracking binary with an innocuous-sounding
      name into any OS they install. CarrierIQ is a notorious example, revealed by a whistleblower from its
      own development team. Carriers could even opt to use it as a keylogger.

      Remember, any operating system or hardware provided by a cellular carrier works for and is
      effectively owned by them-it is their servant, not yours.
      You completely missed the point, he never went to that website on his phone



      • #18
        Did the QR code contain anything from Google?

        Originally posted by AJenbo View Post
        You completely missed the point, he never went to that website on his phone

        Did the QR code or anything in the website that was photographed contain something from Google?

        In fact, I would not trust a networked device with a QR code at all for security reasons, they are
        rather like blind, non-human readable hyperlinks. One more part of the smartphone, Facebooked
        world I have avoided.

        Also-I cannot read German, might have missed something in that image
        Last edited by Luke; 04-05-2014, 10:23 PM.



        • #19
          Originally posted by Luke View Post
          Did the QR code or anything in the website that was photographed contain something from Google?

          In fact, I would not trust a networked device with a QR code at all for security reasons, they are
          rather like blind, non-human readable hyperlinks. One more part of the smartphone, Facebooked
          world I have avoided.

          Also-I cannot read German, might have missed something in that image
          The reader shows you the human readable version and asks you if you want to proceed.



          • #20
            Originally posted by blackout23 View Post
            Also how the actual fuck does Google know which website I was taking a photo of? Damn Google you scary!
            http://imgur.com/NmBSATQ
            My guess would be that it ran an OCR algorithm on the text and then did a search on the result. It may also have scanned the QR code itself and indexed it as part of its web crawling process, and matched it up when you scanned the code. There's honestly no reason that they wouldn't do that at this point if they detected one.



            • #21
              If it's going to be that big of a monster QR code, we're going to need to ID what QR readers for all phones (Android/iOS) can handle it. Norton Snap for iOS can't.



              • #22
                Originally posted by Luke View Post
                Any form of automated bug reporting can be dangerous if not done on an opt-in basis.
                I think you're misunderstanding.

                The idea is not to have a crashing kernel automatically post bug reports.

                The idea is to help the average user.
                When facing a crash, the average user will simply type the error message into google to try to find a solution. (and will usually be directed to stackexchange in the process). Or ask about it, with details, on a forum.
                With a kernel crash, when the system stops being usable, the only way to do this is to painstakingly copy by hand, using eyes and keyboard, and hoping not to make a typing error. (Or taking a blurry picture with the smartphone and posting that).
                The point of QR-code is to simplify this step: instead of reading and typing letter-by-letter the error message, you scan a QR-code and get a copy-paste-able version on your smart phone.

                So there's no automatic divulgation of information. The point is, for the case where the user has decided to go for a public divulgation anyway, make the information a bit more convenient to precisely copy to a forum/google search/etc.
                I repeat: it's for cases where the user has already opted to publish information.

                About the "automatic" part:
                - QR codes are currently size-limited. You can't easily pack a whole screen-worth of text information inside a single QR-Code.
                - One possible way is to use compression. The QR-code doesn't contain the actual text. But a Bzip-ed (or XZ-ed) stream of the text. Scan the code and you get the compressed stream (while still fitting within the QR-code size limit). Then you need to decompress it to get the actual text to put into your google search/forum post.
                - subsequently, one possibility thought about is having the compressed code be presented as a URL. QR-code scans give out an address like "https://kernel.org/qr?z=" followed by a base64-encoded compressed stream. If the user chooses to follow this link [again, that's a user who at that point has already decided to submit the error message to google or post it publicly on a forum. At that point the only thing is that the user doesn't want to manually type the message, but wants to get help in copying the text] kernel.org will do the decompression and provide the copy-pasteable form on the screen. The user only scans the QR code and follows the link, no complicated decompression step is required (but still doable for power-users)
                - and thus because message will go through a page located at kernel.org, it's possible that this QR-code-decompressing page could also gather bug statistics. That's the extent of "automatic" that is talked about here.

                Remember, this only concerns users who *DO* want to put this message publicly.
                - If they weren't scanning the QR-code, these users would be slowly typing the message into google character by character.

                If the computer contains confidential data, nothing happens:
                - when crashing, the kernel will never ever auto-publish any bug report.
                - the user simply doesn't want to divulge anything, and thus doesn't copy anything from the screen, nor scans the QR code.
                - thus no security breach happens.

                Comment
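The scheme described in post #22, as an added example that is not part of the original post or of any kernel code: the text is compressed, base64-encoded and appended to the address quoted in the post, and the decoding side bounds how much it will decompress. The choice of bzip2 (one of the two options the post names), the 64 KiB decoder limit and the sample oops text are assumptions made for illustration.

```python
import base64
import bz2
from urllib.parse import urlsplit, parse_qs

# Address format quoted in the post; the thread notes no such back-end exists yet.
BASE_URL = "https://kernel.org/qr?z="
QR_MAX_BYTES = 2953         # byte-mode capacity of the largest QR symbol (version 40, EC level L)
MAX_TEXT_BYTES = 64 * 1024  # assumed limit on decompressed size, chosen for this example

# Constructed sample oops text (not captured from a real crash).
SAMPLE_OOPS = "\n".join(
    ["BUG: unable to handle kernel NULL pointer dereference at 0000000000000010",
     "Oops: 0002 [#1] SMP",
     "Call Trace:"]
    + [f" [<ffffffff81{i:06x}>] example_fn_{i}+0x{i:x}/0x100" for i in range(40)]
)

def encode_oops_url(text: str) -> str:
    """Compress, base64url-encode and wrap the text in the URL the QR code would carry."""
    payload = base64.urlsafe_b64encode(bz2.compress(text.encode("utf-8"))).decode("ascii")
    url = BASE_URL + payload
    if len(url) > QR_MAX_BYTES:
        raise ValueError(f"URL is {len(url)} bytes, over the QR limit of {QR_MAX_BYTES}")
    return url

def decode_oops_url(url: str, limit: int = MAX_TEXT_BYTES) -> str:
    """Recover the text, as the decoding page or a power user offline would.

    The payload is untrusted input, so decompression stops at `limit` bytes
    instead of expanding whatever the stream asks for.
    """
    blob = base64.urlsafe_b64decode(parse_qs(urlsplit(url).query)["z"][0])
    dec = bz2.BZ2Decompressor()
    out = dec.decompress(blob, max_length=limit + 1)
    if len(out) > limit or not dec.eof:
        raise ValueError("decompressed text exceeds limit or stream is truncated")
    return out.decode("utf-8", errors="replace")

if __name__ == "__main__":
    url = encode_oops_url(SAMPLE_OOPS)
    print(len(SAMPLE_OOPS), "bytes of text ->", len(url), "bytes of URL")
    print(decode_oops_url(url).splitlines()[0])
```

Because the whole message travels in the query string, following the link hands the full oops text to whichever server answers it; decoding offline with `decode_oops_url` keeps it local.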


                • #23
                  By the way, the thing you can scan from this article is here:
                  http://www.phoronix.net/image.php?id...x_oops_qr_show
                  zxing.org seems to decode it fine, and it links to https://oops.kernel.org/?qr=(lots of numbers and letters here). So the data is compressed. Though I can't open the URL itself, as it says the server just infinitely redirects to itself. Maybe due to the watermark?



                  • #24
                    Originally posted by GreatEmerald View Post
                    By the way, the thing you can scan from this article is here:
                    http://www.phoronix.net/image.php?id...x_oops_qr_show
                    zxing.org seems to decode it fine, and it links to https://oops.kernel.org/?qr=(lots of numbers and letters here). So the data is compressed. Though I can't open the URL itself, as it says the server just infinitely redirects to itself. Maybe due to the watermark?
                    QR has error correction built in, the watermark most likely has no ill effect but the url probably isn't real atm



                    • #25
                      Originally posted by AJenbo View Post
                      QR has error correction built in, the watermark most likely has no ill effect but the url probably isn't real atm
                      Yes, the URL is only a concept at the moment. The back-end on kernel.org is not ready yet and the work has not yet begun on that either.

                      Cheers,
                      Levente Kurusa



                      • #26
                        I'm betting Lennart Poettering is behind this...



                        • #27
                          Because it's a good idea?

