X.Org Server & XWayland Hit By Four More Security Issues
-
Originally posted by ReaperX7
It took good developers off X, and allowed too many lazy developers to take over Wayland.
- Likes 8
-
Originally posted by f3nr1l
Check it out, yo, yo:
https://app.suno.ai/song/3e49c24b-90...0-cce7aa0d8e2e
-
Originally posted by kpedersen
In X11, the mechanism for this kind of access restriction is via Xauthority and the MIT-MAGIC-COOKIE. Just like Wayland, programs can only capture the screen if you give them permission (i.e. Pipewire)
- Likes 2
-
Originally posted by rrveex
Yeah. Kind of. A rogue application has access to *all your files* (and the internet), capturing the screen seems of little consequence compared to that. So you have to run untrusted stuff in some kind of restricted sandbox/container anyway. Why not let the container take care of screen access too? Forcing an over-complicated (and therefore still full of bugs) access management for interaction between trusted applications is "users are stupid, we shall protect them from themselves" attitude, which isn't ok for Linux. That's Windows/Apple attitude. I don't want Linux to be "safe for all the idiots to use" (which isn't possible anyway, except you lock everything down). I want it to be pleasant to use for computer-literate people.

Javascript-based keylogger. Contribute to JohnHoder/Javascript-Keylogger development by creating an account on GitHub.
Like it or not, threat models evolve over time, rrveex. The problem is that a major item users use, web browsers, is progressively getting more and more powerful. You are on this website, rrveex, and you use web browsers. Like it or not, you can be running possibly untrusted stuff all the time. Let's not forget remote desktop implemented inside browsers and other things.
Yes we do need a functional container solution for applications. Everyone on the Internet really does need it.
In a lot of ways, rrveex, you are being the idiot. The reality is security models always need to evolve. Modern web browsers have made it way more simple to get untrusted programs onto your computer that can do many horrible things. People lose their bank accounts/google/youtube/... online accounts all the time due to attacks against browsers.
Yes, every time a good new OS security thing is needed someone complains against it until either they or their friends are getting burnt by not having it. I will not say there are not bad security things that put control in the hands of a third party instead of the end user that we should accept.
rrveex, the issue with screen capture and keylogging is the possibility of getting access to like business applications and so on. Yes, local file system access is kind of bad, but these other issues of keylogging and screen access also have to be handled. Remember, if the door to the file system in the web browser is correctly secure but the door to the screen capture and keylogging is not, don't be surprised if attackers use that.
Yes, it's like the German fighter aircraft doing a complex move to attack bombers from under because the top and the back had too many protection guns. The huge feature set of web browsers these days makes securing them insanely hard. Yes, you cannot mess screen capture and keylogging, but you still need to deal with file access controls as well.
It's like back in the day, my most common tool to break out of a business so-called locked down computer was Visual Basic in MS Word; with that thing you could even edit partition tables if you knew what you were doing. It was part of demos to show management that they could not take hands off with computer security and expect everything to end well.
Last edited by oiaohm; 04 April 2024, 04:47 AM.
- Likes 3
-
Originally posted by niner
Except of course that Wayland is being developed by exactly those "good developers" that have previously worked on X and that left X precisely for working on Wayland instead. So what is it? Are they good or are they lazy?
X11 protocol is a house built on highly unstable foundations.
With Wayland they have tried to build on solid foundations. Yes, this has created "making a house at the beach with solid foundations, then the person cannot get into the house because the sand moves and now the house does not move with the sand" kind of problems.
Yes, you will hear the "works for me" argument with X11 all the time. Then consider that the Wayland developers are paid by companies and will have to explain, when some security issue happens with X11 that they cannot fix because fixing it will break the X11 protocol, why they are not working on a secure solution to replace X11 if they were not working on Wayland.
niner, the question most people don't ask: is the X11 protocol fixable without breaking application support? The answer is XACE, which SUN did in the past: if you attempt to fix the X11 protocol security, 90+ of applications will have to be rewritten because otherwise they will not work with the added security framework to X11. At this level of disaster you might as well split the tree. Wayland being the rewritten applications and X11 being left for the broken legacy.
- Likes 8
-
Originally posted by niner
Except of course that Wayland is being developed by exactly those "good developers" that have previously worked on X and that left X precisely for working on Wayland instead. So what is it? Are they good or are they lazy?
It's THIS exact bullshit that is delaying the "Year of the Linux Desktop". HDR and VRR are common arguments but they're fucking eye candy! Then security? Fix what is there! If Sun can do it, then update the entire stack of libraries as X11R7 and implement the new fixes while allowing a smooth transition. Nothing new has to be done, just patch for the security protocols.
XFree86 4.x had a few years before it stabilized, but it didn't scrap the 3.x trunk of the tree, just fix the tree. It rebuilt the trunk and regrew the branches as everything migrated in seamlessly while allowing some backwards compatibility. It took 5 years but everything worked. We went from static built x-servers to dynamic driver loaded x-servers.
And if anyone says "but X11 is a mess of legacy code... Blah blah blah"
WHAT ISN'T? WHAT PRAY TELL ISN'T?
Last edited by ReaperX7; 04 April 2024, 04:59 AM.
- Likes 5
-
Originally posted by niner
Except of course that Wayland is being developed by exactly those "good developers" that have previously worked on X and that left X precisely for working on Wayland instead. So what is it? Are they good or are they lazy?
- Likes 5
-
This is going beyond explanation and reasoning now that I will not even try to argue anything. But I really enjoy a bunch of idiots raving and whining about how good X11 is. Let me pop a couple more windows on Wayland while reading about their suffering. Burn baby burn
- Likes 2