[HN Gopher] Kids find a security flaw in Linux Mint by mashing keys ___________________________________________________________________ Kids find a security flaw in Linux Mint by mashing keys Author : subins2000 Score : 686 points Date : 2021-01-20 08:19 UTC (14 hours ago) (HTM) web link (github.com) (TXT) w3m dump (github.com) | mightybyte wrote: | Years ago I taught a high school typing class in a K-12 school. | The school didn't have the funds to get a commercial typing | program so I wrote my own typing program. It evolved over time | with features to help me track the students' progress etc. One | day we had a school open house where all the parents could come | to school. We had a bunch of different activities set up in | different classrooms and I ended up getting assigned to the 3rd | grade classroom to set up my typing program so anyone coming | through could test their typing speed. It was a DOS program and I | didn't want people using anything other than my typing program, | so I modified it so you couldn't quit the typing program. Over | the course of the day the 3rd graders were hanging out in their | homeroom not really doing anything productive. Of course the | computer was a novel attraction and they were just smashing keys | and exploring my program's UI. Eventually at one point I noticed | that they had somehow crashed my program with a segfault in what | had otherwise become a pretty stable piece of software. To this | day I have absolutely no idea what the bug was. | BruiseLee wrote: | Are you sure it was a segfault? DOS did not have any memory | protection, so segfault would be impossible. Or maybe you used | some protected mode DOS extender? | tachyonbeam wrote: | What happens if you try to read from a null pointer in DOS? | vngzs wrote: | I haven't actually tried this, but based on my | understanding of the MS-DOS memory model it should read the | contents of memory at address 0. | hvdijk wrote: | This is correct, and address 0 is the start address of | the interrupt vector table, so there are good reasons why | you might read from it. | pas wrote: | You get what is at 0x0000 ? | rexpop wrote: | > The school didn't have the funds to get a commercial typing | program so I wrote my own typing program. | | Off-topic, but: | | It seems absurd, to me, that such a conclusion could ever be | reached. Obviously, from my perspective, the economies of | scale, the infrastructure, overhead, and institutional | resources available to programmers at a dedicated software | development firm would produce an application at better quality | per dollar (however you measure it) than a high school teacher | in their off-hours. To me it seems that it's certainly not | cheaper for us as a society, as a species, and only appears so | because you are under-paid. If you were paid your actual worth, | the school would say "we don't have the funds to develop this | in-house, and had to buy a commercial typing program off-the- | shelf, despite its loose fit for our use case." | | How can we, as rational members of society, abide this? | kelnos wrote: | Agreed. | | Where I work there is a tool that's used in hundreds of our | internal services. It was written in-house during one of our | hack weeks years ago, and later we open-sourced it. Despite | the fact that the org relies so heavily on it, it's | completely unfunded; two employees improve and maintain it in | our free time. (We do have a few outside contributors, too, | which is awesome!) | | That's not _exactly_ the same situation, but I think this | kind of short-sightedness is pervasive in our culture, in | every walk of life. | fmakunbound wrote: | There is no hope for us in this field, is there. | scotty79 wrote: | I once had cat walk over my keybord and do hard reset on windows | 95 in about 1 second. | | No dialogs or confirmations. Just black screen and computer | rebooting. | etxm wrote: | I worked at a finance co pa y in the early 00s. | | The QA team had a test they called "the elbow test" where they | did exactly this. | | Just kind of put their elbow randomly on the keyboard to see if | stuff would break. | mensetmanusman wrote: | Hilarious, esp. if you have kids. | | I see similar behavior with smartphones. | | 3 y.o. figure it out better than my parents because it seems | their mindset is 'do all the things' to see what the i/o | structure is. Their brain is built that way when they are so | young. | Havoc wrote: | Who needs fancy fuzzing tools anyway? | 0xTJ wrote: | Not really the same, but I had fun back in high school. Finding | the Novell messaging utility that let me send a message to (IIRC) | anyone in the school board currently logged in, though not | anonymously. | | Using some a couple lines of VBScript to change a couple registry | entries (computers didn't persist storage anyways) you could also | give your local admin privileges, to install stuff. That one got | me in a touch of trouble, and I lost my account for a couple | weeks while they "looked at my files", because I stored it on my | network drive folder. | boomboomsubban wrote: | I'm surprised nobody had "e" in their password to notice this | earlier. | scalableUnicon wrote: | Related: https://news.ycombinator.com/item?id=25801693 | plumeria wrote: | So, is this an instance of the infinite monkey theorem? | WhompingWindows wrote: | Is there an automated process security researchers use like this? | Just mashes random buttons for hours until it finds | vulnerabilities? | viro wrote: | The concept of fuzzing is similar...ish | inetknght wrote: | A piece of GNOME easily crashes and causes security issues? | | Color me surprised! /s | diegoperini wrote: | Step 1: Gather timings of key presses from a lot of kids. | | 2: Use ML to learn how to simulate it. | | 3: Sell it as a service, labeling it KaaS. | | 4: Profit, then go to jail because of a misunderstanding. | | But seriously, is there such a tool to automate this? | rusk wrote: | As others have pointed out, you are describing fuzzing but | rather than purely random you've trained your fuzzer on a | particularly troublesome set of random variables ;-) | fabianhjr wrote: | Fuzzing ( https://en.m.wikipedia.org/wiki/Fuzzing ) | PartiallyTyped wrote: | There's also model based testing and property based testing. | QuickTest in Haskell and Erlang can generate test cases for | your code. | bjoli wrote: | I have been using the name monkey-testing for this kind of | testing for as long as I can remember. There are tools to | automate it. | segfaultbuserr wrote: | People have been fuzzing user interfaces since the 80s. It was | used for developing MacPaint and MacWrite in Apple's original | Macintosh. Quote Wikipedia: | | > In 1983, Steve Capps at Apple developed "The Monkey", a tool | that would generate random inputs for classic Mac OS | applications, such as MacPaint [0]. The figurative "monkey" | refers to the infinite monkey theorem which states that a | monkey hitting keys at random on a typewriter keyboard for an | infinite amount of time will eventually type out the entire | works of Shakespeare. In the case of testing, the monkey would | write the particular sequence of inputs that will trigger a | crash. | | Read the story here: | | https://www.folklore.org/StoryView.py?story=Monkey_Lives.txt | MrDresden wrote: | I frequently use the monkey bundled with the Android tool | chain[0] to stress test my UIs. Have found numerous issues | throughout the years by using it | | [0] https://developer.android.com/studio/test/monkey | Aulig wrote: | That's really cool, I never knew about that. I'll have to | try it on my apps! | Anthony-G wrote: | Thanks for sharing that story. It's probably the reason why | Netflix decided to use "monkey" for the name of their tool to | randomly terminate service instances: | https://netflix.github.io/chaosmonkey/ | martin-adams wrote: | This reminds me of when I was about 14. I had a Tamagotchi which | I had for a record amount of time. My niece, about 2 at the time | wanted to see it so let her hold it. Within 1/2 a second, she | squeezed both buttons at the same time and crashed it. | | My daughter managed to buy 24 hours of football pass with NowTV | by pressing the same button repeatedly on the remote within about | 5 seconds. | | So a crash like this doesn't surprise me. | _puk wrote: | Hah, just reminded me.. | | My daughter, whilst roaming in the US from the EU somehow | managed to get unlimited data after her initial miserly roaming | allowance was used up.. simply by switching airplane mode on | and off repeatedly until data worked. | | I was stressing getting back home to a huge bill, but kept the | "all chargeable services have been stopped" messages just in | case. | | My final bill was PS300+, zeroed. | | Phew! | withinboredom wrote: | Also reminds me of "impossible" bug reports, only to discover | the way to reproduce them was just simply double clicking on | links and buttons. | berkes wrote: | We had some race conditions that started appearing more | often over time. Those race conditions could be triggered | by rapidly firing events on a busy backend. | | After long research, we found correlation with marketing | moving their target from only students to 'older people'. | Apparently the latter 'doubleclick' on links and buttons in | webforms far more often. At least for us they did. | josefx wrote: | > Within 1/2 a second, she squeezed both buttons at the same | time and crashed it. | | That was probably not a crash, on some that did a partial | reset. | gambiting wrote: | Does anyone know why lockscreens in Linux have been such a joke? | I remember trying Ubuntu couple years ago and when waking up my | laptop it would show me my entire desktop with all the | information displayed right there in the open for about 10-20 | seconds before suddenly engaging the lockscreen. All you had to | do was close the lid and open it again and you could just copy | whatever was on the screen before the lock screen appeared. I | guess it's because the lockscreen was a separate process that had | to start up? Still, what an awful awful design. | Illniyar wrote: | This happens to me regularly with macOS too, so perhaps it's | harder then you imagine. | speedgoose wrote: | Never happened to me on Windows, so it shouldn't be that | hard. | mmis1000 wrote: | Windows have multiple desktop sessions(the normal user | session, and the safe desktop). Even if you ever able to | crash the one that host lock screen without bsod. You still | won't be able to go back to the normal desktop. | joshuaissac wrote: | It happens to me on Windows 10 if I close the laptop lid to | lock the desktop and send it to sleep. | | When I open it again, the desktop is accessible for a few | seconds (sometimes long enough to launch programs) before | the lock screen activates and I have to input my password. | The workaround I use is to manually lock with Win+L before | closing the lid. | passivate wrote: | Would you mind posting a video? I have never seen this | occurring in any version of Windows. | sbarre wrote: | Yep, also happens to me on my macOS 10.15 iMac.. | | It will go to sleep, then when I wake it up, I get a flash of | my desktop before the lock screen shows.. | | Too fast to write anything down by hand, but you could | certainly point a 60fps camera at it and get something I'm | sure. | SamBam wrote: | Yup. On my 10.15.7 this happens frequently. Often if I open | up the laptop I can see the current contents of the screen | for a good 5-8 seconds before the lock screen shows. | | I don't think I could interact with the screen in any way, | but I could certainly take a picture of it, if I had any | private information on the screen. | monopoledance wrote: | In the past I also had some information leaks with an Nvidia | discrete graphics card, which seemed to not clear its RAM or | something. I think it even persisted over restarts or similar | complete session terminations. So I assume, driver issues may | play into this too. | astrange wrote: | Bad design in X11 which can't be fixed. | | https://news.ycombinator.com/item?id=25801693 | j-james wrote: | I'm surprised he doesn't mention XSecureLock. Its entire | focus is on preventing issues like this with modularity and | redundancy. | | https://github.com/google/xsecurelock | bionade24 wrote: | I fear it's as secure as vsftpd: Secure until a large | amount of users use it and find bugs. | datenwolf wrote: | It's not an X11 design flaw. The very concept of locking the | screen is flawed. A flaw that also haunts Wayland, BTW. | | The concept of screen lockers is having a special layer, that | can't be bypassed, which a locker creates. The whole security | then hinges on the locker not crashing. X11 does have such a | layer. Wayland compositors also implement it through such a | layer. And for either the situation is, that if the locker | crashes, that layer is destroyed by implication and the | session exposed. | | That's a flawed concept. | | What you really want is _detachable_ graphics session. On the | text console one can effortlessly use screen or tmux and to | "lock" the session simply detach and exit to the regular | login getty. | | You want _exactly_ the same, but for X11. And there 's no | obstacle in printiple to implement this. It's just that the | Xorg server can't detach. Almost all of the required code is | there, fundamentally it'd be the same code that's executed | during a VT switch. | | In the meantime one can use Xpra with Xvfb to create | detachable X11 sessions, which then however lack GPU | acceleration. | jdc wrote: | > In the meantime one can use Xpra with Xvfb to create | detachable X11 sessions, which then however lack GPU | acceleration. | | Maybe using Xdummy instead of Xvfb would work better? | | This wiki article makes such an approach look promising: | https://xpra.org/trac/wiki/Xdummy | shawnz wrote: | The architecture you're describing would also be good for | other reasons. For example, you could start a local | session, lock it, and then remotely connect to the same | session over VNC without local users at the workstation | being able to see or interfere with what you are doing, | just as on Windows. | | Mac OS almost gets this right, except it annoyingly | defaults to sharing the remote session with the local | console unless someone is already logged in locally. | surajrmal wrote: | I'm curious what other OS which avoid X11/Wayland do, such | as Android. Do they implement an architecture like what you | mention? | mmis1000 wrote: | Windows has a secure desktop that host lock screen. Crash | that gives you a bsod or at worst a blank screen (your | window did not host on it, whta did you expect?) | zadler wrote: | It's amazing to me that The most popular display managers | on Linux have this flaw. Perhaps there is a workaround | involving switching to another tty? | arbitrage wrote: | that's a really good point! your comment reminded me that | that is what we used to do in the lab at university, a | long time ago. switching to a different terminal, then | locking that, was much more fool proof. perhaps not for | security, but rather because X11 was so damned buggy and | crashy, that you might need to have access to that | terminal to get back into your workstation without | forcing a reboot. | Blikkentrekker wrote: | Perhaps outside of display servers altogether, | implementing an authentication system that keeps track of | what user currently owns what v.t., and allowing only | that user, or root, to switch to that v.t.. | toast0 wrote: | The underlying design issues are: | | a) there's no Xserver concept of a lock screen which would be | hard to fix, I suspect. How would you signal X to | lock/unlock; what would it do if the lock client wasn't | connected, etc. | | b) there's no atomic way to transfer mouse/keyboard grab to | another window, which means you can't have a reliable, crash | reduced screen locker that supervises a beautiful password | checking program; it has to be the same program. This could | probably be fixed with an X extension; yes, an extension is a | lot of work, and yes, you'd have to deal with fragmentation, | but you could keep the untoolkited password dialog in case | the extension isn't present, nobody would see it unless they | did something odd, so it's fine. | | Another issue is that I think I've seen some linux systems | don't launch the screen locker until resume, instead of | locking before suspend; that's not ideal, because the screen | locker will take time to launch and lock the screen (more so | if it's got a fancy initialization routine and is a large | binary/many libraries to load). | | An option could be running a dedicated screen lock Xserver on | a different VT, and (securely) switching to that one somehow. | But that would probably involve changes to multiple layers at | the same time, which is hard to pull off in Linux. People | would complain about the bloat of running a second Xserver, | regardless of the actual bloat or imcreased utility. | josefx wrote: | > and yes, you'd have to deal with fragmentation, | | Why not just require that it is there? Is there even a | valid reason for someone to keep the extension out unless | it is to give another "this is the reason X sucks" speech? | toast0 wrote: | Because, IIRC, xscreensaver is launched on demand (idle | timer, power management), and that's a terrible time to | detect the extension and tell a user that they won't be | able to resume their session, because their Xserver is | too old. | | Also, because of piecemeal releases, and remote X. You | might update Xscreensaver, but not your X server or | desktop environment. You might have a dedicated X | terminal which can't easily have its server component | updated, but you run remote sessions that have an updated | Xscreensaver. (Btw, if you do this, you're pretty | dedicated in 2021) | andi999 wrote: | What is todays alternative to remote sessions? | toast0 wrote: | Most of what I've seen has migrated towards a virtual | display on the session server, streamed via vnc/rdp/? to | a thin client. | m45t3r wrote: | > Another issue is that I think I've seen some linux | systems don't launch the screen locker until resume, | instead of locking before suspend; that's not ideal, | because the screen locker will take time to launch and lock | the screen (more so if it's got a fancy initialization | routine and is a large binary/many libraries to load). | | This particular issue is fixed in logind, when you ask it | to lock the season/suspend/hibernate it first calls the | lock screen, wait it to signal it finishes and them it | proceed to suspend/hibernate. | | Not saying you need systemd to fix this issue, but it is | one of the things that systemd allows you to do correctly | without reinventing the wheel. | marcthe12 wrote: | I like the dedicated VT, as DE users usually have a DM to | login and for wayland that prob must a separate VT any way. | The question is how to securely do this. | sontek wrote: | JWZ has been complaining about these screensavers for a | decade. His screensaver from 20 years ago still doesn't have | these issues. | | Its not an X11 problem. | | - https://bit.ly/3o2qekz | | - https://bit.ly/38Y6pGO | | (using bit.ly because he gives a testicle if referrer is HN | :P) | metafunctor wrote: | I don't understand the part about JWZ's testicles, so here | are the links without bit.ly tracking for those whose ad | blockers don't allow them: | | - https://www.jwz.org/blog/2021/01/i-told-you- | so-2021-edition/ | | - https://www.jwz.org/xscreensaver/toolkits.html | | [Edit]: I understand now. My browser doesn't send referrer | URLs, and I think that's the real fix instead of using | something like bit.ly! | gambiting wrote: | You still get the testicles if you click this link, at | least using Chrome you do. It's because the referrer | field is set to HN so they know where the traffic is | coming from. | tehwebguy wrote: | In mobile Safari tap and hold, then tap the preview or | the open button | asddubs wrote: | just tried it in chrome, i got only one testicle | drdec wrote: | In Firefox, right-click and open in a new private window | and the links will work. | | Just tested in Chrome and it works there as well. | ascar wrote: | Time to switch to Firefox and give Google less data. | Firefox doesn't seem to send the referrer :) | sgc wrote: | Hmmm. I think somebody is following this thread because I | got testies using ff on linux by clicking the bitly links | above. | sontek wrote: | haha, same. jwz really wants us to see the testes! | fullstop wrote: | Brave does not send the referrer as well. | sontek wrote: | Yes it does. I use brave and I get testicles if I click | the link. | fullstop wrote: | I've tested it multiple times, as have others. Perhaps | you are running an ancient version? | | https://brave.com/privacy-updates-5/ | | edit: see also: | https://www.cookiestatus.com/brave/#referrer | merlinscholz wrote: | Can confirm on android, Linux and windows | lscotte wrote: | All good with Brave as far as I can tell. I don't know | what everyone is talking about with testicles, but I | don't see any with Brave. | FriedrichN wrote: | In Firefox set network.http.referer.XOriginPolicy and | network.http.referer.XOriginTrimmingPolicy. | | Source: https://wiki.mozilla.org/Security/Referrer | [deleted] | wernercd wrote: | I'm using Chrome with uMatrix and uBlock Origin... I | assume one of those blocks the data because, somehow | strangely, I feel left out that all I'm getting is the | websites. | | I wonder why someone would setup a "bad result" for | specific referrers ... | sontek wrote: | haha, yeah. I don't like using URL shorteners either | there is just a balance to be made between them tracking | you and getting redirected to testicles. | | Can't count on everyone having referrer turned off | ohiovr wrote: | Does anyone know how to make this right? Would simply | removing the mate-screen-saver package work? | nic_wilson wrote: | To others, you'll definitely still want to copy paste that | URL into a new tab rather than clicking directly. :~) | shawnz wrote: | In fact jwz himself says in that very post that it is a | fundamental problem with X11: | | > X11 ... was designed with no security to speak of, and so | lockers have to run as normal, unprivileged, user-level | applications. ... This mistake of the X11 architecture can | never, ever be fixed. | | He also claims in the second post that Xscreensaver is | actually vulnerable to exactly the same kind of attack: | | > The xscreensaver daemon is a critical piece of security | software. The reason for this is that, as a screen locker, | any bug in the program that causes it to crash will cause | the screen to unlock. As soon as xscreensaver is no longer | running, the screen is no longer locked. Therefore, great | care must be taken to ensure that the daemon never crash. | erhan24 wrote: | Xscreensaver has crashed twice in my life and opened the | desktop. That's still a good statistic but it may have | crashed because of the animation. | sontek wrote: | Sounds like you were probably using gnome-screensaver or | some of the many other poorly written alternatives like | cinnamon that do this. I don't believe there is any way | for xscreensaver to unlock the desktop even if it does | crash | cbsks wrote: | Incorrect. It's a limitation of X11 that if the | screensaver daemon crashes, including xscreensaver, the | desktop will be unlocked. See the JWZ links that are | posted in this thread. | throwanem wrote: | Savers can crash without the screen unlocking. Are you | sure it was xscreensaver you were running, and not one of | the innumerable incompetent knockoffs? | Liskni_si wrote: | I've also seen some xscreensaver crashes a while ago: | https://news.ycombinator.com/item?id=21224179 | formerly_proven wrote: | X11 design flaws you say? | | https://github.com/swaywm/swaylock/issues/162 | https://github.com/swaywm/swaylock/issues/158 | https://github.com/swaywm/swaylock/issues/10 | bionade24 wrote: | If you've ever looked in the bugtracker of a big X11 | screenlocker, you would love to have this small amount of | bugs. In fact, some of the bugs you posted are alread | solved and I can't find one bug related to displaying. | Giving the display to the user could also lie in other code | parts. We'll see how this ends, but it's already a huge | gain that not every Everyday Linux user has experienced | such things by themselves. | chrismorgan wrote: | I'm not familiar with the details of the design flaw and | whether or not Wayland fixes it, but those links don't | contradict this being an X-specific design flaw. I get the | impression that swaylock is a direct port of i3lock, and | thus stands a fair chance of being written and architected | in an X style, rather than taking advantage of any superior | form that Wayland may support but X didn't. | | Expressed otherwise: just because someone's written one | piece of bad software for Wayland doesn't mean Wayland | doesn't allow you to write good software. (Whereas I get | the impression from what I'm reading that X makes it | impossible to write a good screen locker, if by that you | require that it be crash-proof and use the usual platform | toolkit for the UI.) | | (Remember in this that I'm saying _I don't know_. I'd like | to hear if Wayland _does_ have a good answer to this, or | from anyone with definite knowledge that it doesn't.) | waheoo wrote: | I think they're simply saying that lock screens are hard | to get right and that shitting on x11 at every chance you | get doesn't help anything. | notyourday wrote: | I do not understand. There's an xl and its PAM-checking | derivative xl-more that just work. | | They do nothing fancy - paint a window over everything and | wait for the password to be typed in. No animation. No | graphics. No anything. No enter unlock password dialog. I am | sure there could be some edge cases but I'm having a hard | time identifying them. | anthk wrote: | Slock is good. | bionade24 wrote: | Because X11 is such a joke. The problem is solved by wlroots | and layer-shell, other Wayland compositors probably have | similar things. Swaylock works 100%ly reliable until now (For | me). I had problems with every other X11 screenlocker I used in | the past. My unusual setup with a docking station and two | monitors on it often caused crazy bugs. | | Edit: For me stuff | Munksgaard wrote: | What's your take on the issues listed by formerly_proven[0]? | | 0: https://news.ycombinator.com/item?id=25844338 | bionade24 wrote: | I'll edit it to (for me). With working on an X11 desktop | everyday, it felt like everyone has at least once | experienced such an issue. | | To be fair to swaylock, they actually fixed some of those | issues, in contrast to kscreenlocker which are just | ignoring most edge-case bugs, because it's nearly | impossible to fix them. | Androider wrote: | It's still a fundamentally flawed design, because the | system fails open when the locker crashes. So it seems | Sway / Wayland actually didn't learn anything in this | area, and suffers from exactly the same problem as X11 | when it comes to the lockscreen. | PurpleFoxy wrote: | It seems like most of the complaints I see about distros have | actually been solved problems for years but held back by poor | distro defaults. | | I have been recommending fedora to people for a while because | their defaults are far more modern and sane rather than | clinging on to python 2 and X11 | josefx wrote: | Other commenters link to similar issues with Wayland screen | lockers. So I am not sure how the current shiny fixes | things. | | > python 2 | | In contrast to Wayland that can be installed in parallel to | python 3. So the only reason to remove it is if you enjoy | breaking working software. | seba_dos1 wrote: | The difference is that with Wayland there are no design | issues that prevent you from implementing it reliably and | securely; if it's broken it's an implementation problem | that can be fixed. | | Also: | | > In contrast to Wayland | | I don't think Wayland is what you think it is. | canofbars wrote: | Its not that they still had python 2, its that the binary | "python" referred to python 2 on ubuntu (it might even | still be like this) while other distros had it pointed to | python 3. | eznzt wrote: | It's complicated: https://lwn.net/Articles/780737/ | josefx wrote: | Given that python versions are incompatible by design you | should probably explicitly refer to the version your code | supports. At least that is my takeaway from this mess. | stretchcat wrote: | This whole situation is a bad trap for novices, given how | many tutorials, class slides, etc ask students to | copy/paste various invocations of pip and python that may | or may not work verbatim on their distro. | moistbar wrote: | Breaking stuff is the first step towards learning to fix | stuff. | bionade24 wrote: | But then you are breaking enterprise stuff !!!1!11! | canofbars wrote: | My favourite moment was when fedora turned on CGroups v2 | after every distro waited years for docker to update to | it. Docker was broken on fedora until you manually turned | v1 back on but then docker suddenly upgraded to support | v2. | globular-toast wrote: | I've seen Windows do that too. It's not just Linux. | | My guess is that these lock screens are all bolted on | afterwards rather than being in the design from the ground up. | AnIdiotOnTheNet wrote: | > I've seen Windows do that too. | | Really? I have never seen this in Windows. Don't get me | wrong, I've seen plenty of lock screen failures in Windows, | usually in the form of it suddenly being unresponsive, just | never anything that actually gave me access to the locked | session again. | | The closest I've seen is when using RDP, if the Window has | been minimized or hidden or otherwise has had reason not to | update its display, then locked due to timeout, it will | briefly show the last image it rendered when reactivated | before updating and showing the lock screen. | | P.S.: As other users have pointed out, Windows does have some | known lock screen bypasses using accessibility and help | dialogs, but in regards to merely crashing the lock screen, I | haven't seen it behave in an insecure way. | globular-toast wrote: | Yes, really. I don't use Windows myself, but I've seen it | happen to others. As another commenter said, it's usually | when the computer is coming out of "sleep" or something | like that. Plenty of times I've seen a glimpse of the | desktop that was long enough for me to get a vague idea of | what they were doing before the lock screen takes over. If | one was determined enough a photograph could easily be | taken in that time. | robocat wrote: | My guess would be that the video buffer wasn't cleared | before suspending. If so, on resuming there is a race | condition between painting the lock screen, and turning | on the video hardware that will show the screen memory as | it was when suspended. | AnIdiotOnTheNet wrote: | Huh, interesting. Probably explains why I haven't ever | seen it: I never use sleep. | joefife wrote: | I see this maybe once a week. It only seems to happen when | I'm waking the PC. | Jonnax wrote: | Windows 10 or some ancient version of Windows? | josefx wrote: | There had been recent bugs on windows 10 where you could | navigate your way to a desktop session through the input | assistance dialogs (mashing the shift button). They fixed | it by removing one of the links in the UI. In older Windows | I think it was a mix of help and printer dialogs. | saagarjha wrote: | I've seen this happen on macOS too. | 3np wrote: | slock has never surprised or disappointed me. | ekimekim wrote: | I've experienced an issue where the window blacking out the | screen would get moved aside, it was something to do with | plugging and unplugging monitors and somehow the screen | contents would become visible. I probably couldn't reproduce | it if I tried. | | I wasn't too concerned about it since it still blocked all | user input, but if you had sensitive info visible it could | definitely be an issue. | Kelamir wrote: | I use i3lock, no such issues with it. | boblivion wrote: | https://www.jwz.org/xscreensaver/toolkits.html Good post on the | topic | mici wrote: | This link does not show what you think it will show (pretty | much NSFW). | | The thread was linked below (or above, to this same parent), | or see: https://web.archive.org/web/20210116101222/https://ww | w.jwz.o... | gambiting wrote: | Uhm, this link doesn't lead where you think it does. Or the | owner of the website is specifically redirecting HN traffic. | ketzu wrote: | They are, if you copy paste the link you can read the | article. | cinntaile wrote: | He's specifically redirecting HN traffic, if you copy the | link you won't have any issues. | Tsiklon wrote: | Judging by the redirect to the image macro of a testicle in | an egg cup, specifically calling out HN, I think we can | assume the author of that article does not appreciate links | to his website from HN | GekkePrutser wrote: | So what. This is how the web works. If you don't want | people linking to you, don't have a website. He puts this | blog out there for people to read, is it so weird that tech | sites like HN would want to link to it? | | And really if you're being DDoSed by a small thing like HN | comment links you really have to up your game :) Wait till | you get featured on reddit (previously called slashdotting | when slashdot was still a big thing). | throwanem wrote: | He doesn't think he's getting DDoSed from here. He | doesn't _respect_ anyone who comes from here. | | Nor should he, not least because the redirect reliably | results in ~90% of comments in any thread where jwz is | mentioned being about the testicle in the eggcup rather | than anything substantial. | GekkePrutser wrote: | But he refers to DDoS specifically in his eggcup image :) | | PS: I have no idea what he means by "finance-obsessed"? I | think the community at HN is tech-obsessed which is what | I like about it. But finance? This is not yahoo finance | or wherever all the finance guys hang out. | | It sounds more like he had a clash with someone specific | on a finance-related issue and bases his view of the HN | community on that. The eggcup is a bit of an immature way | to deal with this IMO. Especially as he has good points | to make about X11 security, and this undermines them. | throwanem wrote: | Venture capital is finance. So is cryptocurrency. | | I don't know what prompted the redirect; it predates my | awareness of Hacker News. I could guess, but why bother? | The man has a nightclub to run, and I'm sure that's | plenty all by itself to fill his days. | seabird wrote: | "Finance obsessed" is a pretty accurate description of | what's going on here. A huge number of people on this | site have trouble understanding that there's a world | outside of the Bay Area where rent isn't $3000+ a month, | and that its possible run a company without involving | venture capital and ballooning to multi-million dollar | revenues in less than five years. Even the tech | discussion here revolves around this stuff -- almost | every thread has some mention of "scaling" even if what's | being discussed is a niche product that will have a | customer base of a few thousand people over its entire | life. | | I like this site a lot, but I have a lot of patience when | it comes to deciphering what is being affected by the | Software Hub City Reality Distortion Bubble. Some people | don't, hence the eggcup testicle, and people that think | something like that undermines the technical argument | aren't thinking clearly enough to even debate the | technical point with anyway. | kowlo wrote: | I clicked the link specifically seeking out this testicle | in an egg cup, however, all I got was an article on | XScreenSaver. | | How do I get the testicle in an egg cup? | ohgodplsno wrote: | Make sure your browser sends in the Referer header. | | Otherwise, this is the image that gets displayed: | | NSFW. This is a testicle in an egg cup. | | https://cdn.jwz.org/images/2016/hn.png | kowlo wrote: | Thank you! I'm using plain Safari with no extensions. | | An interesting website and blog, I like it! I wonder what | their problem with HN is, although I don't mind being a | testicle! | angled wrote: | Jamie wrote xscreensaver... | saagarjha wrote: | Safari doesn't do referrers for what I assume is privacy | reasons. | minxomat wrote: | Still happening on Linux mint for me. | f1refly wrote: | For x lockscreens this is solved by making sure the lock | launches _before_ the system is suspended, I'm not sure how | many distros do it like that though. | anthk wrote: | slock & pm-suspend. | YtvwlD wrote: | This is the default on any modern distro (which has logind). | [deleted] | josephg wrote: | Can anyone explain why a crash in xscreensaver results in the | computer being unlocked? | | It seems like this whole class of bugs could be fixed pretty | easily by having a simple process watchdog run xscreensaver as | a child process, and re-launch it if it crashes without first | signalling that the desktop has been unlocked. | josefx wrote: | > and re-launch it if it crashes without first signalling | that the desktop has been unlocked. | | Might be better to just exit the session or load a | minimalistic replacement lock program (like the original | xscreensaver) to avoid an infinite crash loop. | josephg wrote: | Maybe! An infinite crash loop is also usually better than a | security vulnerability, so I think it would be a win even | without that. | | Also this bug (and probably most other bugs xscreensaver | has had over the years) wouldn't result in an infinite | crash loop anyway. | segfaultbuserr wrote: | KDE has a failsafe mechanism. If the screen locker has | crashed, it shows a black screen of death with a huge error | message. | | > The screen locker is broken and unlocking is not possible | anymore. In order to unlock, switch to a virtual terminal | (e.g. Ctrl+Alt+F2), log in and execute the command: "loginctl | unlock session c2". Afterwards switch back to the running | session. | | I think it's a reasonable design. | bionade24 wrote: | No, it's not failsafe. I know a person where only one | screen of two got locked, the second one remained | operational. | segfaultbuserr wrote: | Okay, let's call it an "incomplete failsafe". I don't | want to discuss the correct terminology, but the idea | itself. | josefx wrote: | That might be a kde limitation in general. The amount of | "fun" I had dealing with two screens on kde is outright | endless. Not sure they even test that kind of | configuration, 640x480 pixels should be enough for | everyone. | mikeyjk wrote: | I'm using 3 monitors on KDE with Debian currently and | it's been fine for me. | | All screens lock together etc. | BoorishBears wrote: | I'm sure they're referring to the failsafe. | bionade24 wrote: | Now imagine they're powered by a docking station, you go | into suspend, put the laptop out of the docking station, | wake it up and - tadaa! This bug dissappeared but still | occurs slightly diffrent for other people. Three monitors | itself aren't more edgecase than 2. How long are you | using this setup? | | Besides screenlockers, having 2 screens with diffrent | resolutions is way worse in KDE than in GNOME. (On X11) | tremon wrote: | I don't believe the X system had/has a separate protocol for | screen locking, or if it does, that any of the programs | implement it. So xscreensaver is just another X client that | happens to draw itself full-screen on top of all other apps | and grab all user input. | | From the point of view of the display manager, a | screensaver/screenlocker crashing is just a simple app crash. | There's nothing in the protocol to suggest that this is a | security failure. | tremon wrote: | _From the point of view of the display manager_ | | Argh. That would be the window manager, of course. | tux wrote: | xscreensaver + light-locker should be okay, there is no | virtual keyboard. | | There is also xsecurelock [1] by Google. | | [1] https://github.com/google/xsecurelock | josephg wrote: | You don't need special X support for having a lightweight | process monitor. | | I'm imagining 2 processes: | | 1. Process monitor shows a fullscreen black window. | Launches xscreensaver --lock or something as a child | process | | 2. Xscreensaver shows the lock screen over the top of the | process monitor, with a password prompt | | When the correct password is entered, xscreensaver signals | to its parent process. Then both processes close | gracefully. | | If xscreensaver crashes without signalling, the process | manager silently restarts xscreensaver. | | None of that requires any changes to X. You'd just want to | be sure xscreensaver is displayed on top of the process | manager's black window. | buckminster wrote: | jwz wrote a document explaining why this is hard. (Note | that this link may result in an unsavoury redirect if you | click on it from here. You can, e.g. copy and paste it to | avoid this.) | | https://www.jwz.org/xscreensaver/toolkits.html | chaganated wrote: | I believe that's how JWZ's XScreenSaver works, but every | distro decided to re-invent the wheel there for whatever | reason, then blame it all on X11 when it inevitably fails. | smolder wrote: | I don't dispute the bad design, but FYI, there was also a very | recent exploit for accessing bitlocker drives on Windows | without login credentials, making use of accessibility features | on the lockscreen. | [deleted] | pojntfx wrote: | X11 problem. Wayland fixes that and is the default on Fedora | etc. as of 2021. | krick wrote: | Oh, so Wayland is finally ready to replace X11? | canofbars wrote: | Whether wayland is ready for you basically comes down to 2 | questions: | | * Do you use a nvidia GPU * Do you need to screen share | from electron or other x11 only applications (MS teams, | etc) | | Its ready if you said no to both of those. | xorcist wrote: | > Do you need to screen share from electron or other x11 | only applications | | Doesn't XWayland solve this? | vetinari wrote: | No, but Pipewire does, and it works under _both_ X11 and | Wayland. | | Firefox supports Pipewire, Chrome has it behind | experimental flag. Electron apps like Skype or Teams? | Forget it. | YtvwlD wrote: | No. | kevin_thibedeau wrote: | Won't it be ready when X11 apps can run inside without | issue? X servers on Windows don't have these sort of | problems. | casept wrote: | The screensharing can be worked around by building a | somewhat hacky solution (recording the desktop to an | XWayland window and sharing that, for example by using ht | tps://gitlab.com/lelgenio/dotfiles/-/blob/master/dotfiles | /...). | bionade24 wrote: | You can use MS teams in Chromium or Firefox. The secret | is that Browsers disable 3rd Party cookies per default | for a year now or so and Microsoft has not reacted to it | yet. | wilsonthewhale wrote: | I tried plasma-wayland on Arch a couple days ago. | | Log in, open firefox. Minimize the window, and the entire | machine freezes. This is on an AMD GPU as well. | | Every time I try Wayland, whether it be sway on my laptop | or plasma on my desktop, I run into snags that _did not | exist_ in X. So back to X I go. | | I'll switch to Wayland when it's ready "for real, | actually, promise", and not a moment before. Maybe when | Debian Stable switches to it by default. | cycloptic wrote: | Unfortunately the KDE wayland session is still somewhat | unstable. GNOME's wayland session is farther along in | this regard. | gspr wrote: | Screen sharing of X11 windows from a Firefox running on | Wayland works fine for me under Sway. Sharing of other | Wayland windows, or the whole screen, however, does not. | stelf wrote: | Time to make a joke about Windows lock screens? Or perhaps not... | snarfy wrote: | https://i.imgur.com/rG0p0b2.gif | nrvn wrote: | I enjoy to see my kid breaking software, POS terminals and | causing ATMs to throw error windows. Nothing critical, just funny | how random screen touching and keyboard mashing drives "serious" | software crazy. | | Fool-proof and child-proof software is yet to come. | | Hire QA kids. | 12312311241231 wrote: | Keep in mind that screensavers aren't the only untested dumpster | fire on Linux Desktops (or ~ distributions in general). | | The whole desktop architecture is out of date. I wouldn't be | surprised if someone argued that screensavers aren't important | because it's just your user data exposed, the root account is | still safe! | codeulike wrote: | It works in the movies | atomize wrote: | They learn so young these days! Never ceases to amaze me. They | are totally set up for this industry. Would hire 10/10. | tauntz wrote: | Mi kid got around the lock screen of my mac. Twice. | | It was 4-5 years ago when he was about 2. I had a 15+ character | random password (a generated one including symbols etc) so the | chances of him being lucky were rather slim. He was just mashing | button on the lock screen for less than a minute when boom, I was | suddenly signed in. The first time I thought it was a fluke. Then | it happened again after a couple of months. After that I took my | phone, sat him behind my computer and started to record him | playing with the buttons but it never happened again and my hopes | of getting a bug bounty from Apple vanished :( | apexalpha wrote: | Perhaps it was related to this bug: | https://www.wired.com/story/macos-high-sierra-hack-root/ | matsemann wrote: | Probably just hit enter when the password field was empty. For | some reason that bypassed all security on OS X. | rand49an wrote: | You used to be able to just open up recovery mode and reset | the password anyway, passwords on OS X used to be a theatre. | No idea about it now though. | thomasmg wrote: | My kid (3 years old then) found an issue in the MacOS lock | screen as well. It didn't result in a bypass, but a "Spinning | Beach Ball of Death". I could then reproduce it and even filed | an issue, but only I could reproduce (and one funny response | was: "Why would you want a screen shot of the screen sleeping? | It would just be black." - well tell that to my kid): | https://discussions.apple.com/thread/7598463 | GrumpyNl wrote: | That discussion railed of pretty quickly. | dd_roger wrote: | > https://discussions.apple.com/thread/7598463 | | Wow every new person who joins that thread misses the point | more than the previous one. This was painful to read. | young_unixer wrote: | genuine question: Is that dialabrain person an Apple | employee or just a user? | ballenf wrote: | Here's the last reply before the thread was locked: | | > I don't see the point of pressing the wrong series of key | combinations nine or more times in a row constitutes a | "Login Window ScreenShot Problem" any more than dropping my | MacBook from various heights until it breaks is a | reliability problem. | | Why do people hold computers to such a lower standard than | other complex devices in their life? (Serious question -- I | don't understand people very well here.) | | Can you imagine a car that wouldn't unlock or start if a | passerby without the key plays with the door handles too | much? If this has happened and is documented, that alone is | a testament to its rarity and people's unwillingness to | excuse the behavior. | | Unless it happened to early Tesla, because they were held | to the lower standard applied to computers and OSs. That | doesn't seem to be as true anymore, thankfully. | moistbar wrote: | >Unless it happened to early Tesla, because they were | held to the lower standard applied to computers and OSs. | That doesn't seem to be as true anymore, thankfully. | | I've definitely had my Model 3 not unlock when it should, | but I've never had it go the other way around. | thomasmg wrote: | With the current version of MacOS I have (not the latest), | one could still cause some havoc... E.g. filling the disk by | recording a movie with sound. Command+Shift+5. When mashing | the keys, sometimes after login a list of message shows up | ("Can not save the screenshot at this location"). | bjoli wrote: | My 4 year old son manages to beach-ball the big sur lock screen | about twice a week. It has resulted in lost work more than | once. | | On the previous version I believe he managed to unlock the | computer as well, just by hammering the keyboard. | slim wrote: | my kid got around a locked cash box yesterday. it's amazing how | much security is tied to ingrained behavioural patterns | [deleted] | Jerry2 wrote: | That reminded me of the Linux GRUB2 bug where you could press | Backspace key 28 times and bypass all security. [1] | | > _The source of the vulnerability is nothing but an integer | underflow fault that was introduced with single commit in Grub | version 1.98 (December 2009) - | b391bdb2f2c5ccf29da66cecdbfb7566656a704d - affecting the | grub_password_get() function._ | | [1] https://thehackernews.com/2015/12/hack-linux-grub- | password.h... | herpderperator wrote: | In middle school long ago, I was using one of the library search | computers. They ran Windows XP and were locked down to the point | where you couldn't open anything except the software that was | running and you had no access to the desktop. One day I was | rapidly mashing the "Search" button in the native book-searching | software they were using - for no reason at all - and it suddenly | opened an Explorer window out of nowhere showing everything in | the filesystem. I could reproduce it easily with rapid-enough | clicks. I still have no idea why that happened. | Haemm0r wrote: | Classic thing was to write file:///C:\ (or something similar, I | do not remember it anymore) on computers with only kiosk mode | IE on them to access the local file system. :) | mhh__ wrote: | Also powershell was usually unbanned in my experience even if | the policy disabled cmd | michaelcampbell wrote: | In the early web days, I had a public facing web site with a | link that said "I can see what's on your computer", and the | href was essentially what you posted. | | The number of emails I got from that was worth the vitriol | contained in them, including threatened lawsuits. | Hoboburger wrote: | Oh man this brings back so much nostalgia for the old school | computer exploits we used to find. | | Only approved programs software was supposed to run but you | could actually run anything as long as the .exe was on the | desktop. | | 7-zip would let you explore the entire network drive, including | teachers folders that we didn't have access to. | | Unplugging the reconnecting the Ethernet cable wouldn't | reconnect you to the teachers monitoring software. | | We had a zip filled with games like Starcraft 2, Quake 3, Halo | CE that was hidden on the shared network drive that kids around | the school would use to play and LAN with each other. | jorvi wrote: | This reminds me of the classic XP login screen bypass by | opening the help dialog, then the print dialog, then searching | for a file to open for printing, and then executing | 'explorer.exe' (I might be misremembering, this is quite a | while ago). | | I also remember figuring out how to share my USB key as a | network drive to other users. Many fun middays were had | blasting around in Halo or Soldier of Fortune II with like 10 | friends, although less fun was had when our school's sysadmin | found some lingering cache files that were owned by my id. | Darmody wrote: | If you leave a Virtual Box window open with Windows (I'm not sure | about other OS) it'll bypass the lockscreen on Ubuntu, at least | partially. | kuter wrote: | For anyone interested there is something called fuzzing that uses | _usually_ code coverage based heuristics to generate data to find | bugs. | | For example LLVM's lib fuzzer uses instrumentation to track code | coverage and mutates data to find invalid behaviour. | | https://llvm.org/docs/LibFuzzer.html | | It uses a compiler pass to insert code to branch points functions | calls etc. I think it uses genetic algorithms to increase | coverage by changing the data. | | There are others that work in similar ways one of them is. | https://github.com/google/AFL | passivate wrote: | Well, I guess the obvious question to ask is has anyone run | this particular fuzzer on the code in question? | cuillevel3 wrote: | Here is an eight year old presentation on fuzzing X: | | https://media.ccc.de/v/30C3_-_5499_-_en_-_saal_1_-_201312291... | suyjuris wrote: | I have used AFL a few times casually in some personal projects, | and it has always performed quite well for me. Of course, there | are a lot of weird cornercases which would not occur on real- | world (non-adversarial) inputs, but it also found some very | real bugs. | | (For example, I once wrote a hash table implementation where | the insertion and resizing procedures had slightly different | views on wraparound, causing failures on very specific inputs. | Another time, I wrote some code to buffer out-of-order | messages, which would only occur due to a race condition. It | was wrong. Both times I had thought carefully about the code, | and the bugs would have been painful to discover otherwise.) | Vinnl wrote: | Somewhat similar for web UIs: Quickstrom is a tool that lets | you define a set of conditions that should hold (e.g. "there | should always be an 'Add todo' button"), and then it'll | simulate behaviour that might break that condition. | | See https://quickstrom.io/ | | (I haven't used it myself yet, but it looks interesting.) | rblion wrote: | Imagine if Jurassic Park was real and this happened... | smooth__ wrote: | "It's a Linux system! I know this!" | | _smashes keys_ | | _Unlocks_ | causalmodels wrote: | The first computer I ever bricked was a my father's work laptop | running Windows 95. I was a toddler and wanted to press the | buttons. Good to see the kids are still at it! | technothrasher wrote: | I remember finding a very similar issue with XDM on a Sun 3/60 | back in about 1992. Just mash the keyboard while in the | 'password' field and it would eventually drop a root shell. Oops! | GlitchMr wrote: | I find interesting that GNOME Screensaver's security depends on | it to not crash. | | Meanwhile, in KDE the lock screen is managed by KDE Session | Management Server which ensures that lock screen cannot be | bypassed by simply crashing its process. | | The way it works is follows: ksmserver draws a black rectangle | over everything and spawns kscreenlocker. If kscreenlocker | crashes, the black rectangle is still here, and ksmserver will | spawn kscreenlocker again but this time with software rendering | (just in case it crashed due to graphics driver issue). If | kscreenlocker crashes four times then KDE Session Management | Server gives up, stops respawning kscreenlocker and simply draws | the following text on the screen. The screen | locker is broken and unlocking is not possible anymore. In | order to unlock switch to a virtual terminal (e.g. Ctrl+Alt+F2), | log in and execute the command: loginctl unlock- | session %1 Afterwards switch back to the running | session (Ctrl+Alt+F%2). | | If ksmserver itself crashes then the entire session closes. | | I'm not sure why GNOME screensaver cannot do something like this. | Lock screen crashing seems like something inevitable (especially | considering buggy graphic card drivers and so on), and it makes | sense to prepare for it so that crashes won't bypass the screen | locker. | awestroke wrote: | That does sound much more sane. | [deleted] | anticensor wrote: | Interestingly, there is a race condition in GNOME lock screen | which sometimes blocks sleep until _unlocking_. | cycloptic wrote: | >I'm not sure why GNOME screensaver cannot do something like | this. | | This actually is fixed in upstream GNOME because the | screensaver is now built into the shell. The problem here is | exclusively with cinnamon-screensaver and other components | derived from gnome-screensaver, which is unmaintained and | upstream GNOME considers it obsolete. | fao_ wrote: | [counter-factual information produced by a misreading of what | was stated in the github comments - deleted :)] | noisy_boy wrote: | > I'm not sure why GNOME screensaver cannot do something like | this. Lock screen crashing seems like something inevitable | (especially considering buggy graphic card drivers and so on), | and it makes sense to prepare for it so that crashes won't | bypass the screen locker. | | That is an option Linux Mint is considering[0] among other | options. | | [0]: https://github.com/linuxmint/cinnamon- | screensaver/issues/354... | dheera wrote: | The Gnome screensaver lock is only a fluffy fake security | mechanism. It's not real security. | | I've had many instances where my CPU was bogged down and after | hitting the keyboard I could use the computer for a good | several seconds before the lock screen popped up asking for a | password. | inetknght wrote: | I actually had this happen around Christmas (using Manjaro). I | had no idea what the message really meant or what caused it. | The instructions were at least clear enough to get back into | the running session, which is far better than, say, most of | GNOME's crap. | Blikkentrekker wrote: | Our internal research found that clear error messages | confused our users, so we removed it. | | I have no idea what _KDE_ is or does, sorry. | inetknght wrote: | > _Our internal research found that clear error messages | confused our users and removed it._ | | I can't tell if this is sarcasm or if you're serious. If | you're serious, please tell me what product you've | butchered so I can avoid it like the plague. | | Clear error messages only confuse people who shouldn't be | using the product in the first place. More importantly: a | clear error message at the cost of a few confused users is | far more important than an unclear error message that costs | even more users hours or days of trouble. | | I would far rather have a message that tells me that the | software broke because the desktop manager found a crash | loop and point me to the crash loop logs even if some other | poor unfortunate soul has no idea what a crash log is or | can't figure out how to access or understand the crash log. | Blikkentrekker wrote: | > _I can 't tell if this is sarcasm or if you're | serious._ | | It is entirely sarcastic, mocking some of _GNOME_ 's more | infamous design proclivities. | cycloptic wrote: | I'm asking nicely, can we please not do this? Let's not | exacerbate the problems of bad communication by using | more sarcasm and hyperbole. If there is some particular | thing that can be done to improve areas where there are | perceived design proclivities, can we focus on that | instead? | Blikkentrekker wrote: | But it's not constructive criticism, but humor. | | I agree that sarcasm provides for poor constructive | criticism to get a point across, but the intent was | mockery, not being helpful. | | I certainly do not believe that _GNOME_ would take the | advice of an _H.N._ post, and they are well aware of | these criticisms to begin with, as they are commonly | levied against them. | cycloptic wrote: | I don't mean criticism, we (HN users) all have heard all | the criticism a hundred times before. I mean actual | actionable feedback that someone is able to work with, | e.g. if there are problems with the design then we can | bring some concrete data that shows new, reliable | information. That means taking honest efforts to | establish two-way communication where there is none. | Blikkentrekker wrote: | > _I mean actual actionable feedback that someone is able | to work with_ | | Is this not what "constructive criticism", as I called | it, is? | | _GNOME_ is not going to listen to an _H.N._ comment an | change it 's ways, and it was never my intent to reach | them or otherwise inspire change in them. | | My intent was simply to be humorous. | cycloptic wrote: | Please don't discount yourself like that, by resigning to | the usual HN snark. I think you're smart and capable of | much more. If there is new, important and relevant | information brought to them, they will listen to that. | (This applies to most big projects I've seen, not any one | in particular. The smaller niche ones that commit to | having their small narrow audience are the ones I've seen | that tend to be resistant to new ideas) | Blikkentrekker wrote: | I doubt they scan _H.N._ comments for input or come | across them. | | If I had wanted to reach them, I would certainly do wiser | to simply send them a feature requaest bug report. | inetknght wrote: | Many developers and executives _do_ participate in social | media including Hacker News. I have seen plenty of tech- | related fixes and features that come directly from Hacker | News comments. | | In all I think the best feedback I can give _you_ would | have been to include a ` /s` to indicate sarcasm and | jest. | Minor49er wrote: | I've had similar discussions at a previous job with their | platform (it was a marketing dashboard). Management | wanted developers to suppress error messages because | users wouldn't know what to do with them. However, users | always contact the help desk when things go wrong. User | feedback became much harder for us to understand, so | issues would take much longer to resolve. Instead of | saying "I did ABC and I saw a message that said 'XYZ'", | they would say "I did ABC and it broke" | genpfault wrote: | Given the "I have no idea what KDE is or does, sorry." I | suspect it's a reference to the 'ole "I have no idea what | XFCE is or does sorry."[1][2] | | [1]: | https://trac.transmissionbt.com/ticket/3685#comment:4 | | [2]: https://web.archive.org/web/20130429182829/http://ww | w.linuxu... | johnmaguire2013 wrote: | Maybe the issue is what you consider a "clear error | message"? | | A clear error message should not necessarily clearly | explain _what_ the issue is - a clear error message should | clearly explain how to solve the issue, or at least point | the user in the direction of a solution. | inetknght wrote: | At a minimum, a clear error message should include a | contact point and what information to include. If error | logs are available, they must be available for | inspection, annotation, and approval before submission. | brnt wrote: | I have no idea why GNOME is the default DE for the big distros | (Redhat et al, Ubuntu). Technically it's evidently inferior, it | had substandard ergonomics and features like accesibility | services. I really dont get it. | Const-me wrote: | In Windows it's also good. The way it works is follows. | | The OS support multiple desktops. Similar to files or registry | keys, desktops have security descriptors attached (a data | structure keeping who's the owner, and optionally listing | users/groups with their respective permissions on the object | being controlled). | | To do anything on a desktop, like create windows, paint stuff, | or interact with windows on that desktop, user doing that is | required to pass an access check against the security | descriptor of the desktop. If failed, these GUI-related | functions gonna return "access denied" status code instead of | doing anything. | | The login screen is simply rendered on a separate desktop. That | desktop has restrictive security descriptor, most users don't | have permissions to interact with them. UAC prompts are also | displayed on another desktop, that's how it's impossible to | automate them from within a program who triggered the UAC | prompt. | | BTW, about crashing GPU drivers, on modern Windows the | condition is recoverable. The symptoms are black screen for a | second, then the OS resets the hardware, restarts the driver, | and resumes rendering of the desktop. Observed quite a few | times working on advanced GPU stuff, especially compute | shaders. | Sohcahtoa82 wrote: | > BTW, about crashing GPU drivers, on modern Windows the | condition is recoverable. The symptoms are black screen for a | second, then the OS resets the hardware, restarts the driver, | and resumes rendering of the desktop. Observed quite a few | times working on advanced GPU stuff, especially compute | shaders. | | When I mine cryptocurrency while playing games, I appear to | sometimes run out of GPU memory (Both Task Manager and MSI | Afterburner let me monitor usage) and I have experienced this | reset. It's surprisingly graceful, even when a game is | running, though NVIDIA Broadcast often doesn't like it and | needs to be restarted, and I will sometimes see lingering | graphical glitches in the game until I restart, but it's not | game breaking. | | You can also trigger a GPU reset manually with CTRL-WIN- | SHIFT-B. | dr_cypher wrote: | jwz has a lot to say about complex graphical toolkits/desktop | environments and their complex locking mechanisms. It's an | interesting series of posts. If you are not | running xscreensaver on Linux, then it is safe to assume that | your screen does not lock. Once is happenstance. Twice is | coincidence. Three times is enemy action. Four times is | Official GNOME Policy. | | https://www.jwz.org/xscreensaver/toolkits.html | xanax wrote: | I don't think that's the right link mate. I got redirected. | GlitchMr wrote: | I would recommend not linking to jwz's website. Use web | archive or something if you have to. jwz dislikes Hacker News | and intentionally shows an NSFW image when Referer header | shows Hacker News. | Stierlitz wrote: | > .. jwz dislikes Hacker News .. | | Why, what's the back story? | RichardCA wrote: | It has something to do with the 1990's dot-com culture, | like the original Netscape was somehow more pure than | what came after, and this causes him to view modern | inheritors like YC with a jaundiced eye. | | You can watch this if you have an hour. | | https://youtu.be/4Q7FTjhvZ7Y | avree wrote: | It's quite nice of Apple to strip this by default in Safari | --didn't even realize it was a thing until I switched over | to Chrome to see what you were talking about. | wutbrodo wrote: | I didn't see it in mobile Chrome (well, Brave) but I kind | of want to... | loeg wrote: | It's this: https://cdn.jwz.org/images/2016/hn.png | wutbrodo wrote: | I immediately regret this decision | | Anyway, thanks! | patrickmcnamara wrote: | I tested Safari on iOS, iPadOS and macOS and it didn't | strip the "referer" header for any of them. WatchOS did | strip it though I'm not sure that counts as Safari. | smnrchrds wrote: | Can he at least update the text? HN _was_ full of | entrepreneurs and wantrepreneurs years ago. It is mostly | big- and mid tech employees now, tech bureaucrats if you | will. | nefitty wrote: | Not to belabor the meta discussion, but your comment | sparked a question. If it is how you say, and using a | politico-economic lens, I wonder if there has been any | discernible shift in commenter attitudes as the | demographics have changed. Specifically, if the shift was | from entrepreneurs -> skilled wage workers, as you've | asserted. | | The interests of the petit bourgeoisie (entrepreneurs, et | al), the professional management class and that of | skilled workers sometimes overlap. I think those overlaps | would probably translate to some overarching strains of | belief, for example, the tendency toward libertarian | viewpoints on HN. | | Sorry for the tangent, just had to get that out of my | head! | [deleted] | toyg wrote: | This is OT, but I can't resist. I've been around HN since | 2011, and tone has definitely shifted in the last 5-6 | years. I used to stumble on HN posts that infuriated me | relatively often, it was part of the deal (i.e. | understanding how the self-appointed entrepreneurial | classes actually rationalize certain things). That | doesn't really happen anymore. | | _> those overlaps would probably translate to some | overarching strains of belief, for example, the tendency | toward libertarian viewpoints_ | | The opposite is actually true, in my experience. Hardcore | libertarian views on HN have been largely quashed into | irrelevance, they only survive in lore. New commenters | who join and expect HN to be a nest of hyper-capitalists | are quickly downvoted into oblivion. Which is not a | terrible thing in the great scheme of things, from the | personal perspective of somebody who would likely dislike | their point of view; but it has definitely taken | something away from the HN experience, and possibly | pushed some people towards worse (more radicalized) | forums. | smnrchrds wrote: | What I miss about the old HN is learning about all the | cool new programming tools, libraries, frameworks, etc | and participating in the discussions about them. These | days, you rarely see posts about programming tools, | unless it is one of the big ones like React, Qt, or | TypeScript. I used to stumble upon so many great tools on | HN, but that has become a rare experience these days. | | Is there still somewhere on the web, perhaps on Reddit or | another platform, where you can find such posts and | discussions? | HDMI_Cable wrote: | Honestly, I think that says something more about | Javascript-ifying of the web rather than HN. | nitrogen wrote: | https://lobste.rs was supposed to be something like that. | throwaway325 wrote: | >Is there still somewhere on the web, perhaps on Reddit | or another platform, where you can find such posts and | discussions? | | If they exist it would be wise not to link it here, or | else the same fate would befall the new community. My | advice is to search for a small community around a niche | topic (say a specific text editor or programming | language). | girvo wrote: | I've also been around for donkeys years, and I agree | mostly. Certain topics bring the "screw you, got mine" | opinions back out of the woodworks at times, but yeah | it's far less prevalent. | charlesdaniels wrote: | Anecdotally, I use xidle[0] and xlock[1], and have found both | to be very reliable. xidle supports locking the screen by | sending it SIGUSR1, which is really useful since you can | trigger it from a process that doesn't have DISPLAY set. | | The trick on laptops is to block on sending the signal in the | script you use to suspend, so that when the laptop resumes | the display is already locked. | | 0 - https://github.com/steinex/xidle-linux | | 1 - http://sillycycle.com/xlockmore.html | johnmaguire2013 wrote: | I use physlock[0] which locks all of the ttys. I've had no | issues. | | [1] https://github.com/muennich/physlock | smnrchrds wrote: | Never directly link to jwz from HN. | | https://web.archive.org/web/20210117212403/https://www.jwz.o. | .. | [deleted] | phendrenad2 wrote: | I wish HN would just block his site already, that damn | image is burned into my retinas after seeing it 10+ times | here. | vlovich123 wrote: | Why? | thesh4d0w wrote: | Cause he redirects based on referrer to | https://cdn.jwz.org/images/2016/hn.png | Naracion wrote: | I did not get redirected--would that be because I'm using | Brave? Or because I'm on mobile? | smnrchrds wrote: | The former. Brave has explained their referer policy | here: https://brave.com/privacy-updates-5/ | | > _When navigating to a new site, never send a referer | header._ | | JWZ wouldn't know you are visiting from HN if you use | Brave. | HDMI_Cable wrote: | What's the reason behind JWZ doing that anyways? | Alvarito050506 wrote: | Because sometimes he behaves like what's in the image. | kstrauser wrote: | Or Safari, apparently. | freebuju wrote: | Weird. Just tested this, Brave on PC redirected to the | image but not on Brave mobile | lern_too_spel wrote: | Also, if you're using a Hacker News app, it won't send a | Referer header when opening an article unless the app | authors went out of their way to implement that. I would | be surprised if any did. | notRobot wrote: | Because you won't be able to actually view anything on | the website. | [deleted] | wrsh07 wrote: | This is a good lesson in "failing open" vs "failing closed" | greypowerOz wrote: | warning: cat-like typing detected | uoaei wrote: | Linux Mint, and whatever it's built on, has been disappointing to | me. The most worrying thing I've experienced is that, when waking | up from sleep, the unlocked screen will sometimes flash before | showing the lockscreen. That is a huge no-no and really betrays | the fallibility of whatever security measures are employed. | lostgame wrote: | Huh. Am I alone in that I consistently test for a massive ton of | random key or screen presses? Either manually or through | automation? | Qub3d wrote: | For everyone linking the JWZ "I Told You So" post, the devs are | aware of it and posted a response in the GitHub issue. I | encourage everyone to read their side of the issue: | https://github.com/linuxmint/cinnamon-screensaver/issues/354... | sbierwagen wrote: | What context? Reading that issue, the content seems to be: | | 1: jwz says if you add accessibility features to a text box, | make sure they don't have any bugs that can kill a process, | since that will break screen lockers | | 2: Cinnamon adds a buggy accessibility feature to a text box | that lets you crash the screen locker | | 3: Github user clefebvre says something along the lines of "why | is jwz being so negative >:(" | | Well... you did exactly what he told you not to do. If you're | going to add accessibility features to a text box, you need to | not screw it up. If you screw it up, then it breaks the screen | locker for every user in the world, including the 99% of people | who will never use the accessibility features. | | If you make an obvious, stupid mistake, people will make fun of | you. Complaining that people are making fun of you won't do | much. Try, instead, to not make the obvious stupid mistake? | | From the issue: | | >With that said, I have on message for JWZ. Don't be that guy. | It's too easy to just tell people no to cross the street. Work | with us on building that safest path. | | Huh? What? He wrote xscreensaver 20 years ago. He's supposed to | fix buggy code written by other people until he dies? | | Why is it his responsibility to fix your code? The distro | extended his program, the extension broke. You can either | ignore the problem, remove the extension, or fix the extension. | None of these things sounds like xscreensaver's problem! | Qub3d wrote: | > Why is it his responsibility to fix your code? The distro | extended his program, the extension broke. | | cinnamon-screensaver (the repo this discussion is pertinent | to) is written from scratch. The commenter's intent here is | to suggest that JWZ has valid criticisms, but he has voiced | them before and his latest blog post doesn't add anything to | the discussion. | | This blog post, which links to the issue, creates additional | overhead for the project to deal with. Just like _this_ HN | link does. | | I think its fair for us to give them a voice in the matter if | we're showing the discussion to everyone. It would be nice to | assume people read the entire discussion but clearly, that is | not a reality. | eesmith wrote: | "written from scratch", though it does contain xscreensaver | code written by jwz ... and with a copyright changed from | BSD to GPL - https://github.com/linuxmint/cinnamon- | screensaver/blob/maste... . | | The commit is at https://github.com/linuxmint/cinnamon- | screensaver/commit/38a... where mtwebster writes: | | > We'll use the old screensaver auth code instead - this | ports gs-auth-pam.c and gs-auth.h from the old screensaver, | rodgerd wrote: | > Don't be that guy. | | Pretty rich from someone who starts with "I'll fight him in a | cage match" | dluan wrote: | Something about this exchange was extremely pleasing and calming | to read, maybe I'm irony poisoned from overly loud social media. | But this was so nice to read through. | berkes wrote: | A pleasant bugreport with no judgement or demands. | | And a quick response by the maintainer who shows thank, is | focused on a clear outcome, and shows the progress | transparently. | | I've seen too many bugreports where one, or both actors behave | vastly different. This one here should be a reference for | anyone involved in 'bugreports' in some way. | chromatin wrote: | Meatspace fuzzing | blackrock wrote: | Is this the old monkey testing technique? | joshspankit wrote: | My own anecdote: | | My daughter was 1ish at the time, and I sat her down while I | grabbed something from the fridge. Windows 98, locked. When I | came back the screensaver was on, the password dialog was still | up, _but the desktop was fully functional in front of it_. I | could navigate, open applications, and everything else. | | Still no idea how she did it, but that's not the first or last | time she surprised me :) | benibela wrote: | There is this classic: https://i.imgur.com/rG0p0b2.gif | throwanem wrote: | I think you just had to hit Escape. | | In general, the way you secured a Windows 9x box was by locking | the door to the room it was in. | z29LiTp5qUC30n wrote: | The best part is the moved to physlock, specifically the version | which you can bypass by hitting enter 3 times... | amid34d wrote: | hllo | eth0up wrote: | Physlock works comparatively well, but nothing can stop the | omniscient stupidity of, eg ctrl-alt-del 10x (or similar) | invoking reboot, which I've found no method of preventing. The | general attitude encountered when seeking a solution to this | madness is "if someone has physical access, you're pwned anyway", | which is also supremely unimaginative and omnisciently stupid. | This has gnawed at my cranial portions for years, and I now speak | forth in due fury. | | https://linuxcommandlibrary.com/man/physlock | mhh__ wrote: | Unless there's something unbelievably wacky going on, this is why | people use formal verification. | | If you can describe your program as a state machine, you can ask | an SMT solver to find any transitions that break stuff. | Unfortunately it's a lot harder to do for software than hardware | because of the plasticity people expect from the former, but | works it was it's really nice. | cuillevel3 wrote: | Right .... | | Start kiosk mode fullscreen app as a lock screen -> if app | exits -> show desktop | mhh__ wrote: | The inputs cause the transitions, but it depends on if you | can encode the states granularly enough to be invalid. | amid34d wrote: | poophbdam | Leherenn wrote: | Another tangentially linked anecdote. We had build artefacts | stored on a Samba shared drive, that were write protected, since | some people regularly used to move them instead of copying them. | Then one day, the latest build was gone again. We asked around to | see whether someone had purposefully removed the build, but no. | Turns out someone on Windows 10 had tried to cut and paste the | file, but his computer had crashed before pasting. Apparently the | permissions were only checked on paste, but the file was unlinked | on cut? | mercora wrote: | i don't think these permissions are enforced client side... I | also think write and delete are separate permissions on windows | and i am pretty sure i never lost a file on accidentally doing | only the first halt of a cut and paste aka move... so i | conclude this "someone" either had nothing to do with the | incident or removed it by accident... | Leherenn wrote: | I was surprised as well, but we could reproduce it. Delete | would not work, "normal" cut and paste would throw an error | when pasting, but cut and switch off power -> file was gone. | passivate wrote: | Sounds like something funky was going on, server side. For | file operations, I don't believe the OS does anything to | the file/folder for Cut and Copy operations, it simply | notes the handle. Its only when you paste the file is when | the operation happens. You can try this yourself, cut/copy | a large file and see if your mem usage spikes and/or | perform cut on any folder which you don't have delete | rights for. | idiocrat wrote: | Well, the original definition of the word "hacking". Hacking on | keyboard to exploit keypress timings, key combinations and key | buffer overflows. | radicalbyte wrote: | The original definition of "hacking" was "hacking code | together". Move fast and break things. There are a lot of us OG | and TNG hackers here. It's kind of the SV spirit. | | "Cracker" is the term used commonly - as in "crack the nut"; | i.e. gain access to systems / break copy protection etc. Then | you have the phone guys, the phreakers, whistling for free | calls. | dagw wrote: | Hacking (in the modern 'computer' sense) has been used since | at least the late 50s and early 60s and used to mean | experimenting with any technical machine or system. It wasn't | until the 70s when it primarily became connected with | programming. | zwp wrote: | > original definition of "hacking" was "hacking code | together" | | Hmm. Right spirit but not so much "hacking code together" | going on at MIT's Tech Model Railroad Club in 1958. | | "a project undertaken or a product built not solely to | fulfill some constructive goal but with some wild pleasure | taken in mere involvement, was called a `hack'". | | (Steven Levy, "Hackers"). | masswerk wrote: | The _Tech Model Railroad Club (TMRC) Dictionary_ [1], June | 1959, by Peter R. Samson defines (comments in italics by | PRS, 2005): HACK: 1) something done without | constructive end; 2) a project undertaken on | bad self-advice; 3) an entropy booster; | 4) to produce, or attempt to produce, a hack. | | _I saw this as a term for an unconventional or unorthodox | application of technology, typically deprecated for | engineering reasons. There was no specific suggestion of | malicious intent (or of benevolence, either). Indeed, the | era of this dictionary saw some "good hacks:" using a room- | sized computer to play music, for instance; or, some would | say, writing the dictionary itself._ | HACKER: one who hacks, or makes them. | | _A hacker avoids the standard solution. The hack is the | basic concept; the hacker is defined in terms of it._ | | ---- | | [1] "An Abridged Dictionary of the TMRC Language", 1959: | http://www.gricer.com/tmrc/dictionary1959.html | s_gourichon wrote: | A well known reference, Eric Raymond's "jargon file" a.k.a. | "hacker's dictionary" offers 9 definitions, much broader and | seemingly older than keypress timings: | http://catb.org/~esr/jargon/html/H/hack.html | | ( see also http://catb.org/~esr/jargon/html/index.html and | https://en.wikipedia.org/wiki/Jargon_File ) | viro wrote: | As an infosec person with no CVE's stories like this make me feel | like a complete failure. -\\_(tsu)_/- | smarx007 wrote: | Margaret Hamilton's daughter Lauren still takes the first place | for "kid fuzzing" the AGC IMO | https://wehackthemoon.com/people/margaret-hamilton-her-daugh... | | But this is pretty impressive as well! | carapace wrote: | Hamilton who coined the phrase "software engineering". Great | find! | johnwayne117 wrote: | and they say, "monkey testing" is underrated ___________________________________________________________________ (page generated 2021-01-20 23:00 UTC)