Slashdot Mirror


Why Screen Lockers On X11 Cannot Be Secure

jones_supa writes: One thing we all remember from Windows NT is the security feature requiring the user to press CTRL-ALT-DEL to unlock the workstation (this can still be enabled with a policy setting). The motivation was to make it impossible for other programs to mimic a lock screen, as they couldn't react to the special key combination. Martin Gräßlin from the KDE team takes a look at the lock screen security on X11. On a protocol level, X11 doesn't know anything of screen lockers. Also the X server doesn't know that the screen is locked as it doesn't understand the concept. This means the screen locker can only use the core functionality available to emulate screen locking. That in turn also means that any other client can do the same and prevent the screen locker from working (for example opening a context menu on any window prevents the screen locker from activating). That's quite a bummer: any process connected to the X server can block the screen locker, and even more it could fake your screen locker.


  1. Umm..and telnet is insecure. by heavy_metal_drinker · · Score: 5, Insightful

    Flashback from the 90's: Telnet and X11 are inherently insecure - where's the news in that?

    1. Re:Umm..and telnet is insecure. by Dog-Cow · · Score: 5, Informative

      Wow. Way to totally misunderstand everything.

      X11(R6) is a protocol.
      XFree86 and XOrg are implementations.

    2. Re:Umm..and telnet is insecure. by Burz · · Score: 1

      Qubes graphics virtualization appears to prevent this attack, since there is no way a VM client can use specific X features (it can only report bitmap deltas to dom0) and it can't force a full-screen window (the user even has to jump through hoops to make that possible).

    3. Re:Umm..and telnet is insecure. by omnichad · · Score: 2

      XFree86 is a port of X(11). The protocol it uses has also taken the same name.

    4. Re:Umm..and telnet is insecure. by ihtoit · · Score: 1

      I'll take AC flame war for 200, Alex?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re:Umm..and telnet is insecure. by blackomegax · · Score: 1

      Awesome. By the time Qubes hits a mainstream OS I'll be dead and buried..

    6. Re:Umm..and telnet is insecure. by Burz · · Score: 1

      It's designed to run Windows 7 as a guest OS.

    7. Re:Umm..and telnet is insecure. by hcs_$reboot · · Score: 1

      The news is that nobody uses telnet anymore (ssh), while X11..

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    8. Re:Umm..and telnet is insecure. by hcs_$reboot · · Score: 1

      Flashback from the 90's: Telnet and X11 are inherently insecure - where's the news in that?

      We're still expecting X12 any time now.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    9. Re:Umm..and telnet is insecure. by delt0r · · Score: 1

      I was going to say the same thing. We know how insecure X11 is. Don't we? Well I thought everyone did.

      --
      If information wants to be free, why does my internet connection cost so much?
    10. Re:Umm..and telnet is insecure. by Zeromous · · Score: 1

      I love you too Penguinisto

      --
      ---Up Up Down Down Left Right Left Right B A START
    11. Re:Umm..and telnet is insecure. by PincushionMan · · Score: 1

      Yes, but only without 3D acceleration. Xen and Qubes OS don't support it. Sure, you can browse the web, but anything that requires 3D, like videos and games, is not really feasible. Even newer versions of Excel need 3D rendering. Don't even think of running it in a VM (Hypervisors within Hypervisors).

      You'll have more luck 3D-wise with a Hyper-V server combined with Windows' new RemoteFX technology. I know that this is an unpopular option, and if anyone can set me straight on hypervisors and 3D for Windows guests not running on Windows hypervisors, please do. I've researched KVM, LXD, Jailhouse, or ESX, and of those, only ESX has experimental Windows 3D guest support.

    12. Re:Umm..and telnet is insecure. by Burz · · Score: 1

      Qubes handles video playback just fine even at FHD (although within a frame, to show security context).

      The MS Office website says Excel requires DirectX "for acceleration". IOW, it runs without acceleration if DirectX hardware is not available. It's not something I really notice, given that Excel mainly deals with text on a grid.

      If you really need 3D, Qubes can handle it as long as you supply an additional GPU that behaves well with an IOMMU, such as an Nvidia Quadro. Otherwise, you have to wait for ITL to incorporate GPU virtualization into the Qubes codebase... but virtual GPU tech has only been demonstrated by GPU vendors very recently.

      Granted, 3D is an important feature in PCs today, but the inability to /safely/ incorporate it thus far highlights the kind of negligence that has held sway in the computer industry.

      You'll have more luck 3D-wise with a Hyper-V server combined with Windows' new RemoteFX technology. I know that this is an unpopular option, and if anyone can set me straight on hypervisors and 3D for Windows guests not running on Windows hypervisors, please do. I've researched KVM, LXD, Jailhouse, or ESX, and of those, only ESX has experimental Windows 3D guest support.

      Most hypervisors are designed for the convenience of users and sysadmins to either run another OS, or better manage server resources... Securing desktop PC features is secondary at best with them.

    13. Re:Umm..and telnet is insecure. by drinkypoo · · Score: 1

      I've researched KVM, LXD, Jailhouse, or ESX, and of those, only ESX has experimental Windows 3D guest support.

      Xen supports VGA passthrough, but it's kind of wacky.

      KVM supports SPICE consoles, which will do video properly, but won't do 3d. Maybe someday.

      Virtualbox claims to have a direct3d/opengl layer, but I've literally never had it work.

      VMware Player and Workstation have a working direct3d/opengl layer. It's good enough for civ iv but not for simcity 4.

      If you want free-as-in-beer virtualization with working 3d, you want vmware player.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. So to cicumvent the screen locker... by Viol8 · · Score: 5, Insightful

    ... there has to be a trojan on the system or at least something connected to the X server over the network.

    Hmm. I think by this time your security is already out the window and a borked lock program is the least of your worries.

    1. Re:So to cicumvent the screen locker... by TWX · · Score: 1

      Well, one of the flaws in X11 is how one receives remote screens to your X-server, and if people allow localhost to send screens to the session, then if someone compromises a local unprivileged account they could set up a fake lock screen on an admin's session so that when the admin enters his password they get the text he typed.

      I see how this could be a problem, but given that desktop Linux isn't all that widespread I see bigger problems in arenas that are much more pressing.

      --
      Do not look into laser with remaining eye.
    2. Re:So to cicumvent the screen locker... by Qzukk · · Score: 3, Insightful

      This has been solved by everyone not following tutorials from the 80s asking them to use xhost + to allow everyone everywhere to connect to your display.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:So to cicumvent the screen locker... by bondsbw · · Score: 2

      Hmm. I think by this time your security is already out the window and a borked lock program is the least of your worries.

      Just because an application is running on your system doesn't mean it has elevation. But if it pretends to be your lock screen and convinces you to put your password into it, it may be able to gain that elevation.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    4. Re:So to cicumvent the screen locker... by Anonymous Coward · · Score: 5, Informative

      This was fixed decades ago. Don't issue xhost + and you should be fine. X uses auth tokens that are files in /tmp with mode 600.
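
The two conditions this comment relies on (no `xhost +`, and a cookie file only its owner can read) can be checked mechanically. The audit below is an added example, not part of the thread: the function names `audit_xhost` and `check_xauth_mode` are hypothetical, the sample `xhost` output is constructed, and the line formats are assumed to be those printed by the X.Org `xhost` client.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and
# the sample `xhost` output below is constructed for illustration.

# audit_xhost OWNER: read the output of `xhost` on stdin and print one finding
# per risky entry. OWNER is the account that owns the X session.
# Returns 0 when nothing risky was found, 1 otherwise.
audit_xhost() {
    awk -v owner="$1" '
        NR == 1 {
            # The first line states whether access control is on at all.
            if ($0 ~ /^access control disabled/) {
                print "CRITICAL: access control disabled (xhost +), any client on any host may connect"
                n++
            }
            next
        }
        # Host-based entries admit every account on that host, cookie or not.
        /^INET6?:/ { print "WARN: host entry " $0 " admits every account on that host"; n++; next }
        /^LOCAL:/  { print "WARN: LOCAL: admits every local account"; n++; next }
        /^SI:localuser:/ {
            user = substr($0, length("SI:localuser:") + 1)
            if (user != owner) {
                print "WARN: local user " user " may connect to the session of " owner
                n++
            }
            next
        }
        END { exit (n > 0 ? 1 : 0) }
    '
}

# check_xauth_mode FILE: verify that the cookie file grants nothing to group
# or other (mode 600 or stricter). Returns 0 ok, 1 too permissive, 2 missing.
check_xauth_mode() {
    [ -f "$1" ] || { echo "MISSING: $1"; return 2; }
    # First ten characters of ls -l output: file type plus rwx bits.
    perms=$(ls -ld -- "$1" | cut -c1-10)
    case "$perms" in
        -???------) echo "OK: $1 ($perms)"; return 0 ;;
        *)          echo "WARN: $1 is accessible to group/other ($perms)"; return 1 ;;
    esac
}

# Constructed sample outputs of `xhost` run with no arguments.
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_HOSTS='access control enabled, only authorized clients can connect
INET:localhost
LOCAL:
SI:localuser:alice
SI:localuser:bob'
SAMPLE_CLEAN='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Demo on the constructed samples; on a live session use: xhost | audit_xhost "$USER"
printf '%s\n' "$SAMPLE_OPEN"  | audit_xhost alice || true
printf '%s\n' "$SAMPLE_HOSTS" | audit_xhost alice || true
check_xauth_mode "${XAUTHORITY:-$HOME/.Xauthority}" || true
```

A clean result only says that uninvited clients are kept out. Any client that is allowed to connect can still interfere with the locker, which is the point of the article.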

    5. Re:So to cicumvent the screen locker... by wiredlogic · · Score: 1

      Sometimes xhost is still necessary when dealing with old hardware. I have a logic analyzer that remote displays using X11R5. It doesn't play nice unless the server has been opened up with xhost.

      --
      I am becoming gerund, destroyer of verbs.
    6. Re:So to cicumvent the screen locker... by Uecker · · Score: 1

      Exactly. That you should only use ssh to tunnel X and only between trusted hosts is well known. It would be nice if you could run untrusted clients on X (and the X security extension was meant for this), but nobody seems to work on this. This would be vastly more useful IMHO than re-building everything on top of a dumbed down protocol: Wayland.

      The solution the Wayland guys offer for remote desktop: Use RDP. As if this proprietary protocol from Microsoft never had security problems....

      Also, for a different perspective. Look at this:
      http://media.ccc.de/browse/con... ... and don't jump to conclusions based on the title. Just watch and pay attention especially with respect to the comments about security of core X11 vs. Qt. And then maybe don't use KDE anymore.

      In my opinion, breaking compatibility with the X protocol would be the biggest strategic blunder the Linux community could do. Even bigger than messing with the GUI in stupid ways exactly when everybody using Windows is frustrated with the GUI.

    7. Re:So to cicumvent the screen locker... by goose-incarnated · · Score: 1

      Also, for a different perspective. Look at this: http://media.ccc.de/browse/con... ...

      Because a talking head delivering 60 seconds worth of information spread out over 10 minutes is so much better than a readable, grep-able transcript.

      --
      I'm a minority race. Save your vitriol for white people.
    8. Re:So to cicumvent the screen locker... by ilsaloving · · Score: 4, Funny

      Reminds me of my university days...

      When someone walked away for an extended period without locking their terminal, one of us would sneak over and do a quick 'xhost +' and then wait for them to come back.

      Once they sit down and start working again, we would run 2 dozen copies of neko on their terminal, resulting in a mass of little animated kittens chasing their mouse cursor.

      Ah, the lost days of innocent fun.

    9. Re:So to cicumvent the screen locker... by srmalloy · · Score: 1

      ... there has to be a trojan on the system or at least something connected to the X server over the network.

      Not always; sometimes it's just bad design. At a previous job many years ago, I recall being able to demonstrate getting past the screen lock on Perq computers by taking advantage of processing lag -- when you hit the key combination that would bring up the password input to unlock the screen, it would briefly clear the screen lock and show the desktop -- with full access to the computer until the screen lock process updated and showed the password prompt, which blanked the rest of the screen. Doing this repeatedly, you would first open a new shell window, then run a ps -ef command to show the active processes, look up the process for the screen lock, and then do a kill -9 on the screen lock process, which got you back to the desktop. We wrote this up and sent it to Perq, and they went back and altered the screen lock code so that it didn't display the desktop when you hit the unlock key combination.

    10. Re:So to cicumvent the screen locker... by HiThere · · Score: 1

      So what you're saying is that there is old hardware that will only work if you make your system insecure. OK.

      FWIW, I don't consider any system that allows remote sessions to be secure. Period. So you need to isolate such systems. (This isn't an argument that you shouldn't run such systems. Just that you should take precautions.)

      As an aside, I think that allowing compressed files to be expanded with the execute bit set is also a security hazard...just one that's probably worth the cost. In most circumstances. (And hazard isn't the same as hole. Not quite.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    11. Re:So to cicumvent the screen locker... by nedlohs · · Score: 3, Funny

      We always just added

      echo "sleep 1" >>$HOME/.bash_profile

      to their .bash_profile (or the equivalent if they were using something other than bash).

      And might have sometimes done:

      cp /bin/sh /somewhere/world/write/readable/sh-[username]
      chmod 4755 /somewhere/world/write/readable/sh-[username]

    12. Re:So to cicumvent the screen locker... by OhSoLaMeow · · Score: 1

      Reminds me of my university days...

      When someone walked away for an extended period without locking their terminal, one of us would sneak over and do a quick 'xhost +' and then wait for them to come back.

      Once they sit down and start working again, we would run 2 dozen copies of neko on their terminal, resulting in a mass of little animated kittens chasing their mouse cursor.

      Ah, the lost days of innocent fun.

      We'd run `xset s 1` so that the screen saver would kick in after one second of inactivity.

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
    13. Re:So to cicumvent the screen locker... by complete+loony · · Score: 1

      Sometimes I was far more subtle. I'd start slowly cycling the background color, one RGB increment at a time...

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    14. Re:So to cicumvent the screen locker... by thegarbz · · Score: 1

      ... there has to be a trojan on the system or at least something connected to the X server over the network.

      No the problems go far deeper than that. Effectively any program can prevent the screenlocker working accidentally or on purpose. Likewise the screenlocker can prevent any program from working accidentally or on purpose (i.e. open the laptop lid, unlock, and only then the convenient volume buttons will work).

      Best of all the purpose of the lockscreen is to secure the user session while they aren't at the keyboard. I fondly remember back in the day someone showing off the X11 lockscreen and saying that I can't use the computer as him because he locked it. I hit ctrl+alt+backspace which killed the X11 session and automatically restarted it, logged in as the user who was now dumbfounded.

      X11 has always had these problems. The protocol really isn't designed to handle such concepts.

    15. Re:So to cicumvent the screen locker... by Culture20 · · Score: 3, Informative

      Xroach: places animated roaches under their open windows and the roaches scatter when the windows are reduced or closed.

    16. Re:So to cicumvent the screen locker... by Rennt · · Score: 1

      Spoofing a lock screen will only get you the password of the account you've already trojan'd, it can't give you magic root access.

    17. Re:So to cicumvent the screen locker... by parenthephobia · · Score: 1

      Unless you can get an administrator to log in.

    18. Re:So to cicumvent the screen locker... by Rennt · · Score: 1

      Get root to log into X11? Without local access to the administrator and a rubber hose I don't fancy your chances. Of course, that still isn't privilege elevation.

    19. Re:So to cicumvent the screen locker... by maestroX · · Score: 1

      :)
      xmelt, xflip
      old HP-UX had X open by default.

    20. Re:So to cicumvent the screen locker... by Rakarra · · Score: 1

      As an aside, I think that allowing compressed files to be expanded with the execute bit set is also a security hazard...just one that's probably worth the cost

      I'm generally fine with that, but I am very much against putting '.' in the PATH, as I've seen others do.

    21. Re:So to cicumvent the screen locker... by ilsaloving · · Score: 1

      Ooooooooooh..... That's evil. :)

    22. Re:So to cicumvent the screen locker... by complete+loony · · Score: 1

      I also had a script that would tweak the beep pitch and duration and play the close encounters theme. With the option of using a different xserver for each beep. Combined with a script that would use finger to display a map of the terminals people were connected from, and terminals that were xhost+ when no one was logged in ....

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  3. Uh, okay? by TWX · · Score: 2, Insightful

    I certainly get the technical explanation. Given that I don't think Desktop Linux will EVER be mainstream, this seems like something we've lived with for an incredibly long time, and doesn't affect very many people or systems.

    If someone wants to fix it, cool, but it's not really going to bother me very much if this behavior continues.

    --
    Do not look into laser with remaining eye.
    1. Re:Uh, okay? by Enry · · Score: 5, Funny

      What? I was assured that THIS was the year of the Linux Desktop!

    2. Re:Uh, okay? by TWX · · Score: 1

      Every year is the year of the Linux desktop. And none of them are.

      --
      Do not look into laser with remaining eye.
    3. Re:Uh, okay? by bondsbw · · Score: 2

      It is. They just failed to mention that it was a year on Pluto.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    4. Re:Uh, okay? by GoodNewsJimDotCom · · Score: 2

      It doesn't bode well for Linux that it is also not the year of the Windows Desktop or Apple Desktop. It is the year of the smart phone. The year of the desktop may never return. Desktops are better suited for developers and smart phones are better suited to consumers.

    5. Re:Uh, okay? by mrchaotica · · Score: 1

      It is the year of the Linux desktop! It's just that the Linux in question uses Chrome instead of X11 as its GUI.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    6. Re:Uh, okay? by jfengel · · Score: 1

      They had to push that back. This is the year of Linux on the Flying Car. We'll get to Linux on the Desktop right after that.

    7. Re:Uh, okay? by Immerman · · Score: 1

      It is! Unfortunately the Desktop is itself rapidly fading in favor of the laptop, and desktop Linux has power management issues that make it substantially less suitable for mobile applications..

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    8. Re:Uh, okay? by bluefoxlucid · · Score: 1

      What about Steam on Linux, Microsoft charging a yearly subscription for Windows 10*, and nobody wanting to pay to continue using the computer they already bought?

      *Windows 10 upgrades within the first year of release come with a free lifelong subscription until Windows 10 is discontinued. Corporate subscription is per-user on unlimited devices, rather than per-device.

    9. Re:Uh, okay? by Ultra64 · · Score: 1

      Microsoft charging a yearly subscription for Windows 10*

      False.

      http://www.pcgamer.com/microsoft-windows-10-will-not-be-sold-as-a-subscription/

    10. Re:Uh, okay? by TheSunborn · · Score: 1

      No no, that is a misunderstanding. This year is the year of a linux desktop. Not The linux desktop.

    11. Re:Uh, okay? by Lumpy · · Score: 1

      It is. Chrome OS, which is Linux, is in widespread use.

      --
      Do not look at laser with remaining good eye.
    12. Re:Uh, okay? by Aighearach · · Score: 1

      What? I was assured that THIS was the year of the Linux Desktop!

      THIS is the year of the Arduino desktop.

      But I hate that commercial OSS crap, so I'm sticking to roll-your-own AVR boards.

    13. Re:Uh, okay? by Aighearach · · Score: 1

      They use a secure screen locker that integrates into their corporate what-the-what. What they don't do is use the password-protected screen saver that is bundled with the window system as if it was a security device.

    14. Re:Uh, okay? by Kjella · · Score: 2

      It doesn't bode well for Linux that it is also not the year of the Windows Desktop or Apple Desktop. It is the year of the smart phone. The year of the desktop may never return. Desktops are better suited for developers and smart phones are better suited to consumers.

      Developers and a ton of other professionals. If Linux/FLOSS could replace Windows, Office, Outlook/Exchange, Sharepoint and SQL Server that's probably 15 of Microsoft's $26 billion dollar revenue. Open source has not managed to commodify basic business and collaboration tasks, despite so many years of trying. It's not all about smartphones and tablets.

      --
      Live today, because you never know what tomorrow brings
    15. Re:Uh, okay? by ihtoit · · Score: 1

      Chrome's an XSA? I thought it was a browser?

      That and what happened to Wayland and Mir as X11 replacements?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    16. Re:Uh, okay? by greg1104 · · Score: 1

      2015 is actually the year of Linux on the hoverboard.

    17. Re:Uh, okay? by Zontar+The+Mindless · · Score: 1

      Then for you, as it is for me, it's Year Ten of the Linux Desktop.

      --
      Il n'y a pas de Planet B.
    18. Re:Uh, okay? by mrchaotica · · Score: 1

      My point is that the "year of the Linux desktop" won't be because of "normal" Linux, but rather Chrome OS.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    19. Re:Uh, okay? by delt0r · · Score: 1

      I know this is said in jest...but

      I only use Linux desktops. Why do I need to care about what others use? Interoperability should mean we don't need the year of whatever whenever.

      --
      If information wants to be free, why does my internet connection cost so much?
    20. Re:Uh, okay? by frank_adrian314159 · · Score: 1

      You know, I haven't used Outlook in a year and a half. Gmail and Google Calendar seem to be doing fine for me.

      --
      That is all.
  4. not the point by lister+king+of+smeg · · Score: 3, Insightful

    Isn't the point of a screen locker to keep a person from accessing my computer while I step away for a moment (to go to the bathroom or refill my coffee mug), not to prevent programs from accessing things?

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    1. Re:not the point by CastrTroy · · Score: 2

      The problem is that if you walk away and think that the screen locker will kick in, and somebody comes by while it is still unlocked, they can run a program that will look like the screen locker when you come back, but in reality will actually just be recording your user name and password so the intruder can use this. They'll get the password, and come back at a time when they have more time to do their dirty work. Ideally, you should lock your computer as soon as you get up, but that's what happens in an ideal world, and security has to work under non-ideal circumstances.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:not the point by phantomfive · · Score: 1

      Yes. What you see here is feature envy.

      Windows used to have so many keyloggers (it was really insecure around 1999 and 2000) that they added the ctrl-alt-delete functionality to make sure only the Windows kernel could grab your password when you logged in, not some keylogger. Now these guys are feeling jealous about that.

      I've heard of this as a justification for replacing X11 with Mir/Wayland or whatever, but obviously if this is a desired feature, the solution is to merely add an extra function call to the X11 API rather than rewriting the whole thing. Problem solved, if there is one.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:not the point by MadCow42 · · Score: 2

      Example that might make more sense:

      You download a program that appears legit (and may be mostly legit, or be a hacked version of a legit program), and are running it.

      The program senses inactivity, opens a contextual menu on the screen to prevent the REAL screensaver from kicking in, and opens its own fake screensaver instead.

      When you get back to the computer, it prompts you to input your credentials.

      Voila... it now has your credentials, and can wreak utter havoc and destruction (depending on your permissions).

      --
      I used to have a sig, but I set it free and it never came back.
    4. Re:not the point by Anonymous Coward · · Score: 4, Informative

      What do you mean "think it will kick in"? Activate it when you get up from your desk, period. For Windows it's an easy "winkey+L" combo as you get up from your desk. Done, workstation is secured and locked. That's our company policy anyway, you're supposed to lock your workstation when you step away. A timed lock screen is pointless, stupid and just gets in the way. If your mouse just happens to bounce a little, it'll reset the "inactive screen timeout".

    5. Re: not the point by Teranolist · · Score: 3, Informative

      That's why you lock your screen manually BEFORE you leave the machine...

    6. Re:not the point by preaction · · Score: 1

      No, X11 was designed without screen locking in mind.

    7. Re:not the point by smash · · Score: 2

      "merely add a function to the X11 API" is the problem. X11 is ancient, full of bloat that no one uses any more and not designed with core concepts in mind that are desirable in a modern operating system. Really, look up some YouTube presentations from the Wayland guys - who actually work on X11 and listen to what they have to say regarding the complexity and brain damage in X11. It works, but sometimes, even the guys who maintain it don't know exactly why.

      The X11 display server is a liability and needs to die. It should have been taken out behind the shed and shot about a couple of decades ago. That doesn't mean that "oh noes i will lose my remoting!", that can be implemented in its replacement via a shim, the same way any X display server works for Windows or Mac.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:not the point by jythie · · Score: 1

      Pretty much this. Security often involves a trade off, and this type of screen locking performs well for the level of security it was intended to establish.

    9. Re:not the point by spike+hay · · Score: 1

      Good luck ever actually getting rid of it, considering it is what every *nix gui app runs on. Even if the switch to Wayland happens, most people will still be stuck with using XWayland constantly for a decade.

      --
      If you don't understand any of my sayings, come to me in private and I shall take you in my German mouth.
    10. Re:not the point by Todd+Knarr · · Score: 1

      You download a program that appears legit (and may be mostly legit, or be a hacked version of a legit program), and are running it.

      But why would I do that? Almost all the programs I use come from the repository, and to get me to download one they'd have to compromise the repository first (which is possible, but not nearly as easy as just advertising a program for download). The rest are again ones I download from known sources, usually the developers' own official site, and again it's not trivial to compromise those sites.

      The situation you propose only happens in the world of Windows where downloading random software from untrusted/unknown sources is routine. And if you're routinely doing that, you've got more problems than just a way to bypass the screen lock. The best way to avoid shooting yourself in the foot is to not blithely follow instructions but to stop and ask "Wait a minute, why are they asking me to aim a loaded gun at my foot and pull the trigger?". And if after pondering that question you still think following the instructions is a good idea, please report to HR for reassignment as reactor shielding.

    11. Re:not the point by phantomfive · · Score: 1

      Oh, Wayland........maybe after I do systemd, I'll work on a code review of Wayland. :)

      All the same, if some guys can't figure out how their code works, I don't really expect them to go out and do something better in another project. I expect them to make the same mistakes again. Joel makes some good points. He says,

      "when you start from scratch there is absolutely no reason to believe that you are going to do a better job than you did the first time. First of all, you probably don't even have the same programming team that worked on version one, so you don't actually have "more experience". You're just going to make most of the old mistakes again, and introduce some new problems that weren't in the original version. "

      Maybe Wayland will be better, that would be great. Odds are against it though, because of how rewrites usually go.

      --
      "First they came for the slanderers and i said nothing."
    12. Re:not the point by Carewolf · · Score: 1

      If you have a laptop it will usually lock when you close the lid, but as the summary said, if a context menu is open it might be prevented. The same when you click the lock key, if you don't check and see that it really launches and locks the screen, it might be that it is not locked.

    13. Re:not the point by Kaenneth · · Score: 1

      I don't have a Windows key, you insensitive clod.

      (IBM Model M keyboard from 1996)

    14. Re:not the point by jakimfett · · Score: 3, Insightful

      So...what you're saying is "people who aren't security conscious continue to be vulnerable to attacks that exploit their sloppiness and/or lack of attention"?

      Shocker.

      --
      Bits of code, random ramblings: jakimfett.com
    15. Re:not the point by codeButcher · · Score: 2

      but in reality will actually just be recording your user name and password so the intruder can use this. They'll get the password, and come back at a time when they have more time to do their dirty work.

      That's why I always first try to unlock with "password123" when I get back from the bathroom break I could no longer postpone.

      --
      Free, as in your money being freed from the confines of your account.
    16. Re:not the point by Creepy · · Score: 1

      Or security at all, really. X11 is vulnerable to packet sniffing as well (which still requires trust on the host). Really, the solution is use X over ssh, which is also how I start all terminal sessions, as well. I personally usually run from a Windows PC using XMing and PuTTY, but I'll occasionally use an actual box (I use a lot of headless boxes and VMs, though).

    17. Re:not the point by rgmoore · · Score: 2

      Even if the switch to Wayland happens, most people will still be stuck with using XWayland constantly for a decade.

      They may be stuck with XWayland for a handful of apps that aren't being updated, but the work to let modern desktop environments run on Wayland instead of X11 is quite far along. Once the basic KDE and GNOME libraries are ported to Wayland, anything that uses those higher level libraries rather than talking directly to X will run under Wayland without needing any intermediary like XWayland. It's possible to log in and run under Wayland rather than X11 today; I have done it on my Fedora box.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    18. Re:not the point by lister+king+of+smeg · · Score: 1

      You download a program that appears legit (and may be mostly legit, or be a hacked version of a legit program), and are running it.

      But why would I do that? Almost all the programs I use come from the repository, and to get me to download one they'd have to compromise the repository first (which is possible, but not nearly as easy as just advertising a program for download). The rest are again ones I download from known sources, usually the developers' own official site, and again it's not trivial to compromise those sites.

      The situation you propose only happens in the world of Windows where downloading random software from untrusted/unknown sources is routine. And if you're routinely doing that, you've got more problems than just a way to bypass the screen lock. The best way to avoid shooting yourself in the foot is to not blithely follow instructions but to stop and ask "Wait a minute, why are they asking me to aim a loaded gun at my foot and pull the trigger?". And if after pondering that question you still think following the instructions is a good idea, please report to HR for reassignment as reactor shielding.

      Exactly. I just looked at my list of installed programs: 99% of non-game software came from the repository; the games were installed via Steam, which is in turn in the repository. The remainder (VMware Player and Chrome) is delivered via HTTPS from the official site or from the git repository.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    19. Re:not the point by mlts · · Score: 3, Interesting

      If someone gets physical access to my machine while I'm away and the screen locker has not activated, regardless of OS I am on, I am screwed. Be it Windows where a utility can be run to hook into the keyboard, OS X and a .kext that flashes a custom ROM to the keyboard so it doubles as a keystroke logger, AIX could have the bootlist modified to boot from an unauthorized rootvg, Solaris could have the root role moved to all users, and so on.

      Realistically, X-Windows authentication and running rogue clients has been a non-issue since the late 1990s. By default, X is locked down quite tightly, taking an explicit "xhost +" to undo those measures. Even when SSH-ing into a remote machine, by default, the X-windows port is not authorized or forwarded unless both the client and server are explicitly changed to permit this. These days, relatively few applications are X-windows clients, other than legacy stuff. Most enterprise level items (be it an Isilon, VNX, VMWare vSphere, tape silo, and so on) either have a dedicated client, allow SSH in, or have a web page for their configuration. The last time I've used an X-Windows client from a remote machine was running the NetBackup administrative client application from a master server, because it was the most reliable way I could watch what was going on.

      One cannot make light of security holes, but there are things to work on and ones that are too difficult for an attacker to ignore. It takes some explicit commands to force X-windows to allow clients other than from the local machine to connect (including disabling the kernel packet filter or actively allowing connections through it.) So, someone connecting remotely to an X server before xlock activates can be a hole... but it is something extremely hard to take advantage of.
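The "xhost +" state mentioned in the comment above can be checked from inside a session by reading what `xhost` prints when run with no arguments. The shell function below is an added example, not part of any comment in the thread; the sample outputs, user name and host name in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: grade the text printed by `xhost`
# (run with no arguments). Live use:  xhost | audit_xhost
# Return code: 0 = access control on, only per-user/per-group entries
#              1 = access control on, but host-wide or blanket entries
#              2 = access control off (the state `xhost +` leaves behind)
#              3 = header line not recognised
audit_xhost() {
    grade=3
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "FAIL: access control is off; the entry list is not enforced"
                grade=2 ;;
            "access control enabled"*)
                if [ "$grade" -eq 3 ]; then grade=0; fi ;;
            INET:*|INET6:*)
                # Host-based entries cannot tell users on that host apart.
                echo "WARN: $line authorises every user on that host"
                if [ "$grade" -eq 0 ]; then grade=1; fi ;;
            LOCAL:*)
                echo "WARN: $line authorises every local user, not just the session owner"
                if [ "$grade" -eq 0 ]; then grade=1; fi ;;
            SI:localuser:*|SI:localgroup:*)
                echo "ok:   $line" ;;
            "") ;;
            *)
                echo "note: unclassified line: $line" ;;
        esac
    done
    return "$grade"
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DEFAULT='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_OPEN='access control disabled, clients can connect from any host
SI:localuser:alice'
SAMPLE_HOSTWIDE='access control enabled, only authorized clients can connect
INET:build01.example.internal
LOCAL:
SI:localuser:alice'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_OPEN" "$SAMPLE_HOSTWIDE"; do
    rc=0
    printf '%s\n' "$sample" | audit_xhost || rc=$?
    echo "grade: $rc"
    echo
done
```

A grade of 0 only covers who may connect; as the article summary says, any client already connected to the X server can still interfere with the screen locker.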

    20. Re:not the point by Scoth · · Score: 2

      Windows has had the ctrl-alt-del to log in/unlock since literally the first version of Windows NT, 3.1, in 1993. That's a long time to have feature envy, though I suppose it's possible. I generally wonder if the average user is clever enough to understand the implication anyway - if you put up a fake login dialog on Windows just past the ctrl-alt-del, I bet most users would just fill it out and go with it rather than think they're under attack.

    21. Re:not the point by DrXym · · Score: 1

      "the solution is to merely add an extra function call to the X11 API rather than rewriting the whole thing. Problem solved, if there is one."

      X11 is an arcane and largely obsolete framework. The fact it needs so many damned extensions to be any way functional is precisely the reason that developers are keen to get rid of it. It's not secure, it's filled with arcane and obsolete code and it's terribly inefficient both locally and remotely. Fortunately it'll be moved aside and replaced by wayland over the next few years.

    22. Re:not the point by serviscope_minor · · Score: 1

      Well, yes.

      However, that only works if the attacker already has arbitrary local code execution. If they can do that then they can trojan every single program, by diddling with the PATH environment variable and/or pissing with LD_PRELOAD.

      Basically yes, it's a hole but one that only kicks in if you're fucked 6 ways to Sunday already.

      Or if you've done xhost+ and disabled your firewall. But that hasn't been the default in years.

      --
      SJW n. One who posts facts.
    23. Re:not the point by Immerman · · Score: 1

      I don't know - every program that I've ever restarted from scratch has turned out far more powerful and flexible with a far smaller codebase than the original. Lessons learned from the first go-round and all that. With a better understanding of the problem space comes a better ability to address it efficiently.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    24. Re:not the point by DrXym · · Score: 1

      "Good luck ever actually getting rid of it, considering it is what every *nix gui app runs on. Even if the switch to Wayland happens, most people will still be stuck with using XWayland constantly for a decade."

      Virtually every *nix app runs over abstraction layers such as QT, GTK, Pango, Cairo etc. Assuming there are wayland backends for these layers then porting isn't as hard as you think. There may be vestigial bits of X to clean up and some edge cases that need more effort (screengrabbers, video players, browser plugins etc.) but porting the majority of apps will just port over. Aside from that, if you *did* have some ancient X app you could still fire up X over wayland just for that.

      X will probably stick around as a core component for a few more years in most dists and then it'll be pushed off to the side as an optional package, available for those who want it but not installed otherwise because it won't be needed.

    25. Re:not the point by PrimaryConsult · · Score: 1

      Those bluetooth locker programs are handy for this, once your phone / headset / whatever is out of range of your computer the lock screen automatically comes on. Some can also be configured for unlock (though that seems like it would add another possible attack surface).

      I feel like there would be a market for small bt keychain dongles for this exact purpose.

    26. Re:not the point by phantomfive · · Score: 1

      You're probably referring to software that was small enough for a single person to understand easily.

      --
      "First they came for the slanderers and i said nothing."
    27. Re:not the point by LordLimecat · · Score: 1

      Be it Windows where a utility can be run to hook into the keyboard....OS X and a .kext that flashes a custom ROM to the keyboard so it doubles as a keystroke logger

      Not without admin.

    28. Re:not the point by sjames · · Score: 1

      Of course, I'm betting that if something fakes a screen locker in Windows, the user will obediently enter their user/pass to unlock it anyway. They won't press ctrl-alt-del unless instructed to by the lock screen.

    29. Re:not the point by Anonymous Coward · · Score: 1

      In 1993, Windows NT 3.1 was released. Not to say that the non-NT product line ended at the same time.

      I knew someone who was in some Microsoft Developer Network program back then and he got stacks of new OS release disks all the time, meant to allow application testing. I remember installing those early NT releases just to play around. I think these may have included pre-releases since a goal of MSDN was to get apps ready for new OS releases.

      However, I was already having my year of the Linux desktop by then, so I never did anything serious with Windows NT.

      I remember Linux also had magic SysRq keys to do the same SAK (system attention key). But, as the article says, I don't think this ever got integrated into a proper locking protocol for X Windows sessions.

    30. Re:not the point by operagost · · Score: 1

      Security features and policies are two different things. If you can solve a vulnerability with a feature, you do it. Policies are for things that don't have a technological solution, like social engineering. People should lock their workstations, but they don't always. Instead of remarking on how lazy or dumb they are, Microsoft created a solution 22 years ago.

      Also, policy doesn't fix this scenario with a shared computer: a malicious employee, instead of logging off after his shift, runs a fake logon screen malware to collect credentials from other users. Those other users may be privileged or, even if unprivileged, have their identities be used as cover in later attacks.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    31. Re:not the point by Anonymous Coward · · Score: 1

      Now everyone knows my password, thank you very much.

    32. Re:not the point by operagost · · Score: 2

      This feature goes back to at least Windows NT 3.5 in 1994, and perhaps even Windows NT 3.1 in 1993. The summary also implies that it always needs to be enabled, which it does not as it is the default when joined to a domain (and I think it is also the default on Enterprise and Server editions).

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    33. Re: not the point by Lumpy · · Score: 2

      Not mine, when I get up the prox card reader sees that I am not near the workstation and instantly locks, it will not even offer an unlock until I am within proximity again.

      Really cheap to put in place, less than $10K for the whole company, and increases security 80-fold. Problem is most IT departments are not savvy enough to do it nor convince management that it's more important than a new Jaguar for the Director of marketing. Heck my old Dell laptop supported it.

      --
      Do not look at laser with remaining good eye.
    34. Re:not the point by operagost · · Score: 2

      Windows NT 3.1 didn't have an NT kernel? Color me confused.

      No, scratch that-- color you wrong.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    35. Re:not the point by phantomfive · · Score: 1

      Yeah, I think you are right.

      Once you have a key logger on your system, securely unlocking the screen is not your biggest problem. (And for that matter, if someone has physical access to your computer, they can put a USB keylogger between the keyboard and the computer).

      --
      "First they came for the slanderers and i said nothing."
    36. Re:not the point by phantomfive · · Score: 1

      Privilege escalation exploits are a dime a dozen. Not even OpenBSD claims to be able to prevent those.

      --
      "First they came for the slanderers and i said nothing."
    37. Re:not the point by Cro+Magnon · · Score: 1

      I don't even have to hit "winkey+L" anymore. I'm supposed to login with my Lincpass card, and when I leave my desk, I take the card out of the slot, and it locks the screen.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    38. Re:not the point by Aighearach · · Score: 1

      What you call bloat, I call existing legacy features.

    39. Re:not the point by Aighearach · · Score: 1

      If by obsolete you mean, "the thing actually in use."

    40. Re:not the point by Uecker · · Score: 1

      I don't think so. I am actually much more afraid that we actually get Wayland soon by default, but gradually lose backwards compatibility to rarely used but hard-to-replace applications (and of course network transparency). I seriously do not see that we will gain anything.

    41. Re:not the point by ihtoit · · Score: 1

      Perhaps some sort of reminder is in order for such people. Like, start sacking people who leave their workstations vulnerable.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    42. Re:not the point by ihtoit · · Score: 1

      BT range is too high. What you need is something with near-contactless verification (RFID), swipe verification (smart card or chip card) or biometrics. That GUARANTEES that an authorised person is in front of the terminal and not just within 30 feet.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    43. Re:not the point by ihtoit · · Score: 1

      July 1993 NT3.1 went RTM.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    44. Re:not the point by ihtoit · · Score: 1

      Typical stores in 1993 didn't deal with server/workstation platforms, they dealt with commodity platforms such as the DOS-based Win3.x but more often at that time DOS 6.x or if you were lucky and loaded, RISC OS 3. If you wanted a workstation you would usually go to a big house and have the system built under a maintenance contract and lease both hardware and software.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    45. Re:not the point by phantomfive · · Score: 1

      Yes, that is exactly my point.

      --
      "First they came for the slanderers and i said nothing."
    46. Re:not the point by antdude · · Score: 1

      Well, not everyone remembers to press winkey+L. We do forget once in a while. At my former workplace, it is a 10/ten minutes idle time. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    47. Re:not the point by thegarbz · · Score: 1

      Isn't the point of a screen locker to keep a person from accessing my computer while I step away for a moment (to go to the bathroom or refill my coffee mug.) not to prevent programs from accessing things?

      Indeed but fundamentally if you can't lock out other software from accessing things then you can't prevent other software from responding to user inputs. Several years ago a colleague who for some reason just discovered screen locking was showing off his secure system. I hit ctrl+alt+backspace and the X11 session restarted sans any running application including the screenlocker logged in as the user.

      The piece of software at the time preventing me from accessing the computer as the user was worthless.

    48. Re:not the point by thegarbz · · Score: 1

      So...what you're saying is "people who aren't security conscious continue to be vulnerable to attacks that exploit their sloppiness and/or lack of attention"?

      You joke but think about an un-educated but security conscious example. In windows the OS lock screen reigns supreme. Windows+l, or closing the lid works in every scenario, it doesn't matter if I have full screen video, context menus, a program preventing sleep / screensaver functions the computer will lock on an external event.

      Now you have a linux desktop. Your employees are security conscious but not necessarily smart. The receptionist needs desperately to go to the bathroom, does what she does to lock the screen but it doesn't work. Now do you think that someone will sit there waiting for IT support to tell her why her *worthless lockscreen isn't showing up while needing to go to the bathroom? Of course not.

      Security is always defeated by if it's function is complex / unreliable from an end user point of view. Any security that significantly negatively impacts the user will be met with circumvention attempts.

      *I say worthless because while I haven't used locked screens recently I remember a few years ago I bypassed an Xfree86 lockscreen by force closing the X11 session using ctrl+alt+backspace. The end result is X restarting and dropping me onto the desktop logged in as the user.

    49. Re:not the point by Eythian · · Score: 1

      People aren't perfect all the time, all it takes is one slip-up.

    50. Re:not the point by ihtoit · · Score: 1

      I don't know what I'm doing differently, but on my Windows netbook when I close the lid it tries to hibernate. This fails if there is a file open for editing and changes aren't saved (or there's a frame server running in Virtualdub or something) - the UI sits there waiting with a save file prompt. I've had the battery die after a four hour journey with the thing slowly cooking itself in my leg pocket.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    51. Re:not the point by ihtoit · · Score: 1

      Apple ditched X11 at 10.5, I don't know what they use now but X11 legacy functionality is achieved with a third party app now.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    52. Re:not the point by ihtoit · · Score: 1

      I thought Ubuntu was moving over to Mir in the back end of 2012?
      Or maybe my memory's faulty.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    53. Re:not the point by ihtoit · · Score: 1

      or OS/2 3.0 and back as far as the NT draft specification in 1989?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    54. Re:not the point by smash · · Score: 1

      ... and this will still be preferable to running full fat X11.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    55. Re:not the point by parenthephobia · · Score: 1

      *I say worthless because while I haven't used locked screens recently I remember a few years ago I bypassed an Xfree86 lockscreen by force closing the X11 session using ctrl+alt+backspace. The end result is X restarting and dropping me onto the desktop logged in as the user.

      I can't believe that this would happen unless the computer is configured to automatically log in, in which case you already don't care about security. In a secure X11 environment it should be that ctrl+alt+backspace leaves you at a login screen. Or does nothing because it's been disabled so that a random passer-by can't throw away all your unsaved changes.

    56. Re:not the point by smash · · Score: 1

      Why are you so paranoid about losing network transparency, when I can do that with an X display manager on my Mac, Windows, etc. that never even had a native X11 server to start with?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    57. Re:not the point by smash · · Score: 1

      It's XQuartz, which is open source that they contribute to.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    58. Re:not the point by smash · · Score: 1

      The problem is that the core design of X11 was decided upon about 30 years ago and the computing landscape has moved on significantly. During the past 30 years, there have been thousands of hacks to add new functionality to existing code-paths which are no longer relevant to today's environment - but necessary to be "X11" compatible.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    59. Re:not the point by phantomfive · · Score: 1

      If you're talking about the x11 stipple functions, then they're not a reason to replace X11 either, just ignore them until no one uses them, then remove them. If people are using them, then there's a reason to not remove them.

      Being old is not a reason to replace software. Being new does not make software better.

      Although, if you'd like to tell me how the computing landscape has moved on significantly, I'm sure I'd be entertained to hear it.

      --
      "First they came for the slanderers and i said nothing."
    60. Re:not the point by thegarbz · · Score: 1

      Hibernate != lock.

      Locking a screen maintains all the programs in the background and happens without consideration of what is running. The hibernation process is a bit more like shutting down and standby. Both of them have the same hooks into processes just like the screensaver does. There are ways that programs need to interact with these systems to prevent them from happening so you don't for instance end up with a screensaver in the middle of watching a movie, or hibernate the system while in the middle of a download.

      You may notice that if your laptop hibernates due to low battery it will ALWAYS hibernate, just that hibernating due to closing the lid is not a priority given above apps that would not handle the result gracefully.

    61. Re:not the point by thegarbz · · Score: 1

      Depends if you use the graphical system for login now doesn't it?

      By my experience Ctrl+Alt+Backspace has never logged out the user. It's either restarted X or dropped you back to where you were before typing StartX.

    62. Re:not the point by smash · · Score: 1

      It has moved on in heaps of ways. Clients are far more powerful and capable of far more processing. 3d acceleration has become commodity. Compression, pixmap caching, etc. are now commonplace. Power consumption is a concern. Security is much more of a concern - bundling so much code into the X server, with the level of security access it has is a bad idea.

      You just need to open your eyes and look at well... virtually any other GUI system from the last 10-15 years and see how most of them leave X11 for dead in terms of security, performance, etc.

      The much vaunted "network transparency" of X11, the feature everyone whines that they will lose - is crap and done better by plenty of other software, from VNC to ICA to RDP...

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    63. Re:not the point by benjymouse · · Score: 2

      Yes, that is exactly my point.

      Nice try. But no, you are BSing.

      Scoth: "Windows has had the ctrl-alt-del to log in/unlock since literally the first version of Windows NT, 3.1, in 1993. "

      You: "In 1993, Windows didn't have an NT kernel."

      AC: "In 1993, Windows NT 3.1 was released. Not to say that the non-NT product line ended at the same time."
      (AC factually correct here: Windows NT 3.1 was released in July 1993)

      operagost: "Windows NT 3.1 didn't have an NT kernel? Color me confused. No, scratch that-- color you wrong."

      You: "Go to a typical computer store in 1993, ask for Windows, and they wouldn't give you an NT kernel."
      (now you try to deflect; why bring in the "typical computer store"? the issue was *Windows NT*)

      So, your claim was that Windows NT didn't have an NT kernel. The TFA was about Windows NT, and Windows NT certainly HAD the NT kernel, it certainly HAD the "attention sequence" Ctrl-Alt-Del, and it certainly WAS released and available.

      And you are dishonest.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    64. Re:not the point by benjymouse · · Score: 1

      You download a program that appears legit (and may be mostly legit, or be a hacked version of a legit program), and are running it.

      But why would I do that?

      Ok, try this: You browse the Internet using Firefox. Lots of vulnerabilities discovered each month, 4 remote code executions already in 2015. An attacker has infected an ad or a legitimate or fringe site you visit. Attack code executes and the attacker now runs his code in your Firefox. The malicious code hooks into X. The code can intercept the lock screen, but it can *also* monitor each and every keystroke entered into ANY other window - including terminal windows - without you noticing it. Lock the screen and unlock it and your password is compromised. Run a sudo in a terminal window and you are pwned!

      How's that?

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    65. Re:not the point by DrXym · · Score: 1

      X is filled with APIs and functionality that no modern desktop has used in years. It requires numerous extensions to support a modern desktop experience but with serious caveats (e.g. compositor's extra latency and issues translating coordinate systems). Every app and widget set avoids X as much as possible by using middleware libraries to avoid this brain damage. Every app is pushing pixmaps around for the most part. Network performance is crippled by the amount of stuff being pushed and the amount of bidirectional messaging that goes into supporting. It has a woeful security model.

      It may be in use but doesn't stop it being obsolete. Fortunately most dists will flip the switch and use wayland over the next year or two. And not before time.

    66. Re:not the point by bingoUV · · Score: 1

      So where resume from hibernate is set to appear with a locked screen, closing the lid means hibernate + lock screen. Closing the lid, to be not "defeated by if it's function is complex / unreliable from an end user point of view"[sic] needs to make sure that hibernate + lock screen "reigns supreme" once lid is closed. But it doesn't. So MS windows isn't any better from your own perspective.

      Same is the case where closing the lid means suspend+lock. Or someone going away from the system after Start -> shutdown, or Start -> shutdown -> restart assuming autologin is not enabled. A short lived bug which you lived with for a long time doesn't make it the expected behaviour rather than a bug.

      And you are wrong about ctrl-alt-backspace not logging out the user from X. In run level 3 + startx, it doesn't log out from the text terminal which started startx, but that is a well known security reason to run in run level 5, where user X session is always logged out unless auto-login is enabled.

      Ever since run-levels stopped being that important, ctrl-alt-backspace has been by default disabled by most distributions. Still *DM login has this security advantage over text login + startx as is well known.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    67. Re:not the point by Aighearach · · Score: 1

      Some of us use most of it, and we've been using it the whole time. It isn't obsolete at all, it is the most popular thing. You envision people stopping using it, but that is not the present tense.

    68. Re:not the point by LordLimecat · · Score: 1

      To make the point, a guy even wrote a trivial app to do this (I forget his name). He was well slandered for daring to point out the insecurity that is Windows.

      Gonna need a source on that. I've written joke apps that intercept keystrokes (making them do strange things to screw with people) and they will simply not work if you do not have admin rights. Intercepting anything keyboard or hooking anything requires elevation.

      The short of it is, if someone can run arbitrary code in your session you are done.

      That's true as regards your personal data, but not as regards the system as a whole. If you're saying "any access to a system = root access", that's a pretty serious claim; I think the people running shared servers might take issue with that as would VMWare, Citrix, and Microsoft.

    69. Re:not the point by ihtoit · · Score: 1

      +1 informative

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    70. Re:not the point by thegarbz · · Score: 1

      What? You're still comparing a lockout of a device to a scenario where processes need to be physically halted. Stop moving the goalposts and MS is most definitely better.

      And I'm wrong about the run level but I'm right about the runlevel? That is the most amazing argument I've heard all day.

      In any case your argument sounds like Linux locking is just as secure as windows if you impose all these additional handicaps on windows, and then narrow the linux scenario down to one specific configuration.

      And no, runlevel 5 is most definitely NOT the default on many linux distributions. Maybe it is if you pop Ubuntu in, then you have your little victory. Oh wait but that also then depends on which Ubuntu you download. 2 of the 3 distributions intended for computers default to runlevel 2 and stay at that default once the GUI is installed.

    71. Re:not the point by bingoUV · · Score: 1

      You're having to resort to plain lies - what does that suggest?

      I never said you were right about run levels. Actually you didn't mention run levels at all, at least in the post I replied to or any that I remember.

      Run levels strictly were a concept in sys V init. Most distributions don't even use that init any more, so 2 out of 3 distributions using run level 2 is laughable. Clearly you have no clue what you're talking about.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    72. Re:not the point by phantomfive · · Score: 1

      And you are dishonest.

      You're a jerk, and I hate you. Woohoo, insults, I can do them too.

      If you had Windows in 1993, and you pushed ctrl-alt-delete and it brought up your login screen, then you were not normal, and the OS was not an OS many people had. THAT is the truth.

      As an aside, in 1993, more people were running Unix than Windows NT.

      --
      "First they came for the slanderers and i said nothing."
    73. Re:not the point by Uecker · · Score: 1

      Yes, Ubuntu still uses X. Maybe they are using Mir on their phone OS or something?

    74. Re:not the point by Uecker · · Score: 1

      Yes, and isn't it great that you can do this?

      But should Linux drop X many applications will stop supporting X properly. They will then not run properly on any X server anymore, neither on Mac, Windows, or Linux or elsewhere. Or in other words, your X server on Windows or Mac OS X is only useful, because there is currently a large ecosystem based around X.

      If Linux switches to Wayland, this ecosystem will be gone. X currently offers compatibility across different architectures, along time (currently, you can still run decades-old X application just fine), and space (network transparency). X as a standard provides as much value as POSIX. Why do you want to break this?

      On the few new Linux-based mobile platforms which currently use Wayland, X compatibility is already lost. Just sad.

      And what do we gain if we replace X? Will it be faster? No, Wayland has basically the same design as X: Message passing using a UNIX domain socket and buffer sharing for direct rendering. Performance wise, there is not really anything to gain. X is bloated? Do you really think a few kilobytes of old and unused rendering code needed for backwards compatibility are bloat? The design of X is unfixable? Nonsense, X was designed from the beginning on to be extensible. It would be very easy to add a special screensaver extension, if really needed.

    75. Re:not the point by ihtoit · · Score: 1

      Mir=X but Mir !=X11

      basic functionality is pretty much the same, but the framework is different enough to be called a new approach to the same problem.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  5. Re:Windows reigns supreme by Viol8 · · Score: 3, Informative

    Would this be the "hobby" OS that took over running the London Stock Exchange trading platform when Windows couldn't cope?

  6. FUD by Flavianoep · · Score: 1, Troll

    ... there has to be a trojan on the system or at least something connected to the X server over the network.

    Hmm. I think by this time your security is already out the window and a borked lock program is the least of your worries.

    Thank you! Now I can be sure that these "news" are just FUD.

    --
    Linux is for people who don't mind RTFM.
    1. Re:FUD by Burz · · Score: 1

      It's not FUD when a malware (or bug) with normal privs can open an avenue for physical attack.

      If a website/MITM tricks your browser into putting up a tiny context menu, it can allow someone to walk up to your computer later and start messing with it.

  7. Already solved! by Qzukk · · Score: 5, Funny

    systemd-screenlockerd saves the day!

    Of course, it requires systemd-moused, systemd-keyboardd, systemd-windowd, systemd-X11d, and finally systemd-logind. Right now there's some compatibility issues that have been in the bug tracker for a year or so, so for best results you should also ditch KDE or gnome and go with systemd-windowd-managerd and systemd-menud. There's a few incompatible apps as well, if you have problems try using systemd-webbrowserd (requires systemd-networkd) and systemd-xtermd (requires systemd-fontd and systemd-shelld). Thunar works fine though for browsing files, as long as they're in the systemd folder.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Already solved! by Anonymous Coward · · Score: 1

      Dude, you just made me snort my coffee...

    2. Re:Already solved! by BlackPignouf · · Score: 2

      From Poettering himself :
      http://lists.freedesktop.org/a...

    3. Re:Already solved! by nblender · · Score: 1

      You forgot systemd-moused-pointerd ... Have you tried using systemd-windowd-managerd blind?

    4. Re:Already solved! by davydagger · · Score: 2

      check the date: Sun Mar 31 17:22:15

      yeah, just a few hours shy of April 1.

    5. Re:Already solved! by delt0r · · Score: 1

      ROTFLOL... I can't even tell my colleagues in the same room why I am laughing. Evil Mac users!

      Oh and init.d FTW.

      --
      If information wants to be free, why does my internet connection cost so much?
  8. physical access by silfen · · Score: 1, Insightful

    Screen lockers protect against physical access; you're welcome to try and get around an X11 lock screen by tapping at the keyboard. Good luck.

    Comparing this to Windows is silly, because Windows doesn't have anything like the X11 protocol. On Windows, running code can disable the screen saver in other ways: patching or replacing DLLs, changing system configuration, etc. No difference from a security point of view.

    1. Re:physical access by Wrath0fb0b · · Score: 4, Informative

      Comparing this to Windows is silly, because Windows doesn't have anything like the X11 protocol. On Windows, running code can disable the screen saver in other ways: patching or replacing DLLs, changing system configuration, etc. No difference from a security point of view.

      I'm no Windows fanboy, but this is just factually incorrect.

      (1) All those operations require elevation, so unless the user has lowered UAC from the default, they will require authentication. I suppose a malicious installer could do that, but it is emphatically incorrect that any running code can effect that change.

      (2) Since 7, when Windows elevates it completely suspends the old 'Desktop' and creates a brand new one for the elevation prompt. If you look closely, you'll realize that all the other 'windows' are actually just a static screenshot of what happened on the unprivileged desktop at the point where the elevation prompt was created.

      So "from a security point of view", on Windows you have a specific privilege required to change the SS that is mediated through a privileged interface where it cannot be snooped/intercepted by unprivileged processes.

      [ Of course, this comparison is also patently unfair -- Windows 7 was written in the 2000s, X11 was written in the 1980s. Expecting them to be comparable in terms of security is pretty ridiculous. ]

    2. Re:physical access by unrtst · · Score: 1

      Screen lockers protect against physical access; you're welcome to try and get around an X11 lock screen by tapping at the keyboard. Good luck.

      1. CTRL+ALT+Backspace
      2. CTRL+ALT+F1, CTRL+ALT+F2, ...
      3. ALT+SYSREQ+F
      4. CTRL+ALT+KP_MULTIPLY

      Maybe you're safe from all those because you disabled all the features that make those work. Are you sure you're safe? Now try "vlock -nas" and see if any of those work.

    3. Re:physical access by Sycraft-fu · · Score: 1

      "Of course, this comparison is also patently unfair -- Windows 7 was written in the 2000s, X11 was written in the 1980s. Expecting them to be comparable in terms of security is pretty ridiculous."

      Which could be a good argument for replacing X. It is rather old technology, perhaps it is time to update it to something newer, rather than clinging to it and claiming it is all one needs.

    4. Re:physical access by unrtst · · Score: 1

      The idea of "CTRL+ALT+F1, CTRL+ALT+F2, ..." is that you may get a local vt that DOES have a logged in session. That's less likely these days, but it used to be very common to login to one of those, then run "startx". If you got back to that, you'd just CTRL+Z then "bg" then start running whatever you want as the user.
      Less shocking, it also means that, if you have a login, you can login, and thus can start doing more stuff. If the machine is hooked up to networked logins (AD, LDAP, etc) such as is common at work, then many people *may* be able to login this way.

      Personally, I like to lock all local consoles and prevent console switching, thus my vlock suggestion. There are others that can do that as well and possibly better (physlock?), I'm just familiar with vlock.

    5. Re:physical access by serviscope_minor · · Score: 1

      Which could be a good argument for replacing X. It is rather old technology, perhaps it is time to update it to something newer, rather than clinging to it and claiming it is all one needs.

      Or how about adding a protocol extension to deal with this security problem as has been done a number of times in the past for authentication. I don't understand why X11 seems to get special treatment here.

      Program has security flaw. Response "has it been patched yet"

      X11 has security flaw: we can't possibly patch it we must discard everything and start again.

      There's certainly some things wrong with X11, but this is one which could be solved easily. It could, for example, be done by having a "kill all grabs" command which is available to the window manager.

      --
      SJW n. One who posts facts.
    6. Re:physical access by Alomex · · Score: 1

      X11 was written in the 1980s

      Written? More like scratched in crayon in the walls of a padded cell.

      The architecture of X has always been a mess going back to the very beginning. Need proof? The client is on the server and the server is on the client. 'nuf said!

      p.s. notice that you need no elevation for this. This was a common joke back in the pre-security days. You wrote a cool user space application that after a few minutes of inactivity would pop up an xlock clone. The user would then type his/her password and "unlock the screen".

      The application would then create a world-readable .pwd file in the user directory which then you could use to mess up the user's space, like hiding all files with a message "because you haven't paid your tuition/our logs show you've downloaded too much porn/you've used your entire yearly usenet posting quota".

    7. Re:physical access by WoLpH · · Score: 1

      Actually... I've had the kde screensaver crash on me at some point which effectively unlocked my machine.

      Also, I've seen notifications come through the lock which allowed you to task-switch out of the lock. I believe I once had this on OS X Lion as well, although it could have been an earlier version.

    8. Re:physical access by silfen · · Score: 1

      Well, some X11 screen locking programs have bugs. Possibly there are subtle bugs in the protocol too. But in principle, X11 screen locking is no different from Windows screen locking.

    9. Re:physical access by ihtoit · · Score: 1

      ironically, my application server is this laptop (dual core, oodles of RAM and a VM Manager running as a service) and my 4 thin clients are relatively ancient diskless Pentium 4 desktops with about 64MB-128MB RAM (that none of them will ever max out ever again). Those P4s don't actually do ANY of the grunt-work, that's all done on the laptop. All the P4s do is display the output from the VM sessions running on the laptop. Yes, they're vastly overpowered for thin clients but my PIIs are long since burned out and the PIIIs are busy elsewhere.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    10. Re:physical access by silfen · · Score: 1

      Virtual consoles have nothing to do with X11; they are also safe (you just get a login prompt).

      Killing the X server is also safe, it just goes back to the login screen; it's also disabled on many distributions.

      The rest are X.org-specific debugging keys; they shouldn't be on by default and they have nothing to do with X11 either.
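One way to check what these two comments disagree about, namely whether the listed key combinations are actually switched off on a given machine (an added example, not part of the original posts): a small audit of the `ServerFlags` section of an xorg.conf. It assumes the option names documented in xorg.conf(5) (`DontZap`, `DontVTSwitch` and, on older servers, `AllowDeactivateGrabs` and `AllowClosedownGrabs`); the sample configuration is constructed.

```python
import shlex

# ServerFlags options (names as in xorg.conf(5); the two Allow* options are
# from older XFree86/X.Org servers). "want" is the value that keeps the key
# combination from working while the screen is locked.
CHECKS = {
    "dontzap": ("DontZap", True, "Ctrl+Alt+Backspace (kill the X server)"),
    "dontvtswitch": ("DontVTSwitch", True, "Ctrl+Alt+Fn (switch virtual terminal)"),
    "allowdeactivategrabs": ("AllowDeactivateGrabs", False,
                             "Ctrl+Alt+Keypad-Divide (release active grabs)"),
    "allowclosedowngrabs": ("AllowClosedownGrabs", False,
                            "Ctrl+Alt+Keypad-Multiply (kill the grabbing client)"),
}
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no"}


def _norm(name):
    # The server's name comparison ignores case, spaces, tabs and underscores.
    return "".join(ch for ch in name.lower() if ch not in " \t_")


def server_flags(config_text):
    """Return {normalised option name: True/False/None} for ServerFlags only.

    None marks a value that is not a recognised boolean word. The "No"-prefix
    form of boolean options is not handled here.
    """
    flags, section = {}, None
    for raw in config_text.splitlines():
        try:
            words = shlex.split(raw, comments=True)  # strips "# ..." comments
        except ValueError:                            # unbalanced quote: skip line
            continue
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "section" and len(words) > 1:
            section = _norm(words[1])
        elif keyword == "endsection":
            section = None
        elif keyword == "option" and section == "serverflags" and len(words) > 1:
            value = words[2].lower() if len(words) > 2 else "true"  # bare option = true
            if value in TRUE_WORDS:
                flags[_norm(words[1])] = True
            elif value in FALSE_WORDS:
                flags[_norm(words[1])] = False
            else:
                flags[_norm(words[1])] = None
    return flags


def audit(config_text):
    """Return [(option, status, key combination)] for every option in CHECKS."""
    flags = server_flags(config_text)
    findings = []
    for key, (name, want, combo) in CHECKS.items():
        if key not in flags:
            status = "unset"      # the server's built-in default applies
        elif flags[key] is None:
            status = "invalid"
        elif flags[key] is want:
            status = "ok"
        else:
            status = "exposed"
        findings.append((name, status, combo))
    return findings


# Constructed sample, not taken from any real system.
SAMPLE = '''
Section "ServerFlags"
    Option "DontZap" "on"
    Option "dontvtswitch" "false"    # option names are case-insensitive
    Option "AllowClosedownGrabs"     # no value means true
EndSection

Section "InputClass"
    Identifier "keyboard"
    Option "DontZap" "off"           # wrong section: not a server flag
EndSection
'''

if __name__ == "__main__":
    for name, status, combo in audit(SAMPLE):
        print(f"{status:8} {name:22} {combo}")
```

An "unset" result means the file does not pin the behaviour, so the answer depends on the server version's default and on XKB options, which this audit does not read.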

    11. Re:physical access by silfen · · Score: 1

      The idea of "CTRL+ALT+F1, CTRL+ALT+F2, ..." is that you may get a local vt that DOES have a logged in session.

      How is that a problem with X11?

      In any case, some systems simply check when X11 is locked and either lock those virtual consoles themselves, or warn you.

  9. Uses QT for screensaver, complains about security by Anonymous Coward · · Score: 5, Informative

    KDE uses QT, a gigantic toolkit, to implement the screen saver. In this case the UI relies on QT Quick.
    Gnome's screensaver has the same problems with GTK.

    Jamie Zawinski, who wrote the standard xscreensaver, has a FAQ page detailing how these are a fundamentally bad idea from a security perspective:
    http://www.jwz.org/xscreensaver/toolkits.html

  10. this is a mountain out of a mole hill. by nimbius · · Score: 4, Interesting

    What's being attacked is the unix ethos: do one thing and do it well. Capturing the key sequence to lock and faking the screen, while it may be easier in KDE alongside Systemd, is not easy in fluxbox or awesome. It's the explicit lack of widgets or sprockets or mindless dreck like this, and predefined key sequences that are captured by the window manager first. I use i3lock, which would mean attackers would have to find a way to get into /usr/bin to usurp my locker and at that point I have a far greater degree of concern than just the locker. X Forwarding and shared X in general has always been a security concern. ssh-agent should be avoided and if you have work to do on the server, do it in a tty over ssh. And this is the schism: newschool linux wants a sexy user experience that pops out of the box and is unified. They want the user to obey the vision of their design and use user switching, connection sharing, and fancy clock widgets and X just can't be (nor should it) Microsoft Windows. Old fogeys like myself will deck the halls of localhost when and if we want to. And it will always be on our terms, right down to color, shape, and font. Security will be our concern.

    --
    Good people go to bed earlier.
    1. Re:this is a mountain out of a mole hill. by smash · · Score: 1

      X11 no longer does one thing, and it certainly doesn't do it well. It needs to be refactored and split into smaller subsystems built with modern computing requirements in mind.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:this is a mountain out of a mole hill. by phantomfive · · Score: 1

      X11 no longer does one thing, and it certainly doesn't do it well.

      X11 received criticisms related to this from the day it was released.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:this is a mountain out of a mole hill. by Aighearach · · Score: 1

      That isn't really new-school, we had those same morons in the 90s. The difference was, all the "year of the linux desktop" crap caused a bunch of corporate funding to implement their schemes, and now they think they're all that matters.

      Thank goodness for open source. Even if they embrace and extend X11, they can't take it from me, they can't extinguish it. We'll always have CLI ways of doing everything important "because servers." So I'll always be able to get by with my clunky old *nix workstation preferences and ancient software.

      I've had the same .Xresources file since the 90s. It has been renamed a few times over the years, but they can have it when they pry it from my cold dead fingers.

    4. Re:this is a mountain out of a mole hill. by evilviper · · Score: 1

      I use i3lock, which would mean attackers would have to find a way to get into /usr/bin to usurp my locker

      Umm... No. Changing your PATH, setting LD_PRELOAD= or one of many other envs, changing Xsession scripts or your WM's menu entries... Any of those would do just fine.

      You also missed the entire point of the article, that an X11 screen-locker is just a normal user application like any other, a black image over top and only just TRIES to steal focus and input.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  11. The 90s called... by marcello_dl · · Score: 1

    They want their lockscreen back.

    Come on, this is 2015!
    People nowadays think that typing into a CLI is low level hacking!
    Real men don't lock the screen anymore, they CTRL-ALT-Fn to the first available login prompt, go away, and CTRL ALT F7 back to their session when they return.

    Pussies!

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    1. Re:The 90s called... by Karrham · · Score: 1

      What if somebody knows about Ctrl+Alt+F7? This method can be used against dummies only.

  12. Re:Windows reigns supreme by Viol8 · · Score: 4, Informative

    They did go for C++. On Linux. It was more than just issues with .NET.

  13. Re:How to make it work by unrtst · · Score: 2

    Article is WRONG WRONG WRONG. Screen locker: issue chvt onto another X instance, and spawn a thread that goes into a loop reissuing chvt to hold it there until the unlock password is given.

    vlock -asn

    This has been solved for a long time. Not sure why this is really an issue.

  14. Re:Screen locker == physical access == ... by smash · · Score: 1

    Why is this considered acceptable? Get physical access to my iPhone (for example - Android is probably the same?), good luck getting in.

    Sure, with a PC there's a few things that are a lot more difficult to secure (e.g., the boot process) but throwing hands up in the air and giving up because of physical access is a cop out.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  15. Re:Windows reigns supreme by jellomizer · · Score: 1

    In terms of a server OS, Linux has good security. The lock screen on X11 in order to keep others out of your logged in session, workstation/desktop usage. It isn't ideal.

    The NT Alt-Ctrl-Del is a Workstation thing. Its security is low level to prevent applications from accessing it.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  16. If it's accessing your X server, it's elevated ple by raymorris · · Score: 2

    If it has access to draw windows in your X session, it's elevated plenty - it can also log keystrokes at that point.

  17. Re:How to make it work by fahrbot-bot · · Score: 1

    This has been solved for a long time. Not sure why this is really an issue.

    Because the poster stepped out of a way-back machine and didn't notice ...

    --
    It must have been something you assimilated. . . .
  18. Linux rules the desktop, which is in your pocket by raymorris · · Score: 3, Insightful

    The year of the Linux desktop was several years ago. Most new computing devices run Linux, and fit in your pocket.

  19. Let this be a lesson... by ggraham412 · · Score: 1

    Let this be a lesson to all of the architects out there who have a tendency to over-generalize, even to the point of abstracting away useful features.

  20. Re:If it's accessing your X server, it's elevated by bondsbw · · Score: 2

    I'm not familiar with writing apps for X, but are you saying that every program that displays a window in X can log all keystrokes including in windows that are not associated with that program?

    If so, I'm staying away from X from now on.

    If not, I'm not sure what your point is. The malicious application would need to display a fake lock screen, convincing enough to fool the user, before the user would type in their credentials. Only then would that app be able to elevate.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  21. Re:Screen locker == physical access == ... by serviscope_minor · · Score: 1

    Why is this considered acceptable? Get physical access to my iPhone (for example - Android is probably the same?), good luck getting in.

    Huh? This exploit only works if someone has already had access to your unlocked computer long enough to load and run malicious code. It's not like you can plonk down someone at a computer with a locked screen and have them hack in by being clever.

    And if I had access to your unlocked iPhone, could I not root it or whatever the iPhone cracking is called and install a fake screenlocker too? Or hell, install a custom keyboard app which looks like the normal one but saves all passwords and sends them to the cloud. I might not even need to root it to do that.

    --
    SJW n. One who posts facts.
  22. Re:Screen locker == physical access == ... by Immerman · · Score: 1

    Only because your phone doesn't have the ability to boot from external media by default. Change that and you grant anyone with a bootable flash card/USB drive total access to your phone. In fact with physical access and a screwdriver they could get around that boot restriction as well - worst case scenario they just have to replace the soldered-on flash drive. The extreme hardware integration that makes a phone such a disposable, non-upgradable consumer item does grant you a measure of security against casual intruders, but don't think that it's any more than an inconvenience to a serious attack.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  23. Re:Screen locker == physical access == ... by bobbied · · Score: 1

    Why is this considered acceptable? Get physical access to my iPhone (for example - Android is probably the same?), good luck getting in.

    Sure, with a PC there's a few things that are a lot more difficult to secure (e.g., the boot process) but throwing hands up in the air and giving up because of physical access is a cop out.

    Hand me your iPhone, I'll get in... There ARE ways.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  24. Uh. by serviscope_minor · · Score: 1

    Uh.

    Why can't I have my screen locker have a passive grab on Ctrl+Alt+Delete or shift+altgr+control+` or whatever, using XGrabKey. That way if someone else installs a screenlock faker then I'll know because it won't respond to the magic key presses.

    The thing is on Windows it never worked as well as it ought to. The reason is that if the screen said something like:

    "pls entar u r passwordz to login"
    [ password box ]
    [OK]

    "pls wate wile redirecting to http://scamsite.ru/yourbank"

    "Pls entar u r bank passwrd thx"

    an appallingly large number of people would have diligently followed those steps. The ctrl+alt+delete thing was fine but required more knowledge than 99.9% of users had.

    Oh and the active grab thing: if you ever hear a wayland dev tout that as a problem, please kick them in the nuts because XFree86 USED to have a feature for killing grabs from a keystroke, until the fuckers who went on to develop Wayland decided we didn't really need it because "it would only be needed if a program is buggy". Well, no fucking shit hotshot.

    --
    SJW n. One who posts facts.
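The active-grab problem raised at the end of this comment and in the story summary, as an added example that is not part of the original post: a toy model of the core protocol's one-grab-per-device rule, with a locker that reports "not locked" unless it holds both keyboard and pointer. `ToyServer`, `try_lock` and the client names are hypothetical; only the two status values come from X.h, and no real X server is contacted.

```python
from dataclasses import dataclass

# Status values of the core GrabKeyboard/GrabPointer requests (X.h).
GRAB_SUCCESS, ALREADY_GRABBED = 0, 1
DEVICES = ("keyboard", "pointer")


class ToyServer:
    """Model only: tracks one active grab per device, first come first served."""

    def __init__(self):
        self.owner = {device: None for device in DEVICES}
        self.focus = None                    # client owning the focused window

    def grab(self, client, device):
        holder = self.owner[device]
        if holder not in (None, client):
            return ALREADY_GRABBED           # another client got there first
        self.owner[device] = client
        return GRAB_SUCCESS

    def ungrab(self, client, device):
        if self.owner[device] == client:     # only the holder can release
            self.owner[device] = None

    def deliver_key(self):
        """Client that receives the next key press: grab holder, else focus."""
        return self.owner["keyboard"] or self.focus


@dataclass
class LockResult:
    locked: bool
    blocked_by: dict      # device -> holder; empty on success
    attempts: int


def try_lock(server, locker="locker", attempts=3, between=None):
    """Take both grabs or report failure; never claim a lock with one device.

    A real client only sees the status code. The model exposes the holder's
    name so the demo can show who is in the way.
    """
    blocked = {}
    for n in range(1, attempts + 1):
        blocked = {}
        for device in DEVICES:
            if server.grab(locker, device) != GRAB_SUCCESS:
                blocked[device] = server.owner[device]
        if not blocked:
            return LockResult(True, {}, n)
        for device in DEVICES:               # roll back a partial grab
            server.ungrab(locker, device)
        if between:
            between(server)                  # stands in for the wait before a retry
    return LockResult(False, blocked, attempts)


def _desktop(menu_open):
    server = ToyServer()
    server.focus = "editor"
    if menu_open:                            # an open context menu holds both grabs
        for device in DEVICES:
            server.grab("menu", device)
    return server


def demo():
    """Return {scenario: (locked?, client receiving the next key press)}."""
    out = {}

    server = _desktop(menu_open=False)
    out["idle"] = (try_lock(server).locked, server.deliver_key())

    server = _desktop(menu_open=True)
    out["menu_open"] = (try_lock(server).locked, server.deliver_key())

    def close_menu(srv):
        for device in DEVICES:
            srv.ungrab("menu", device)

    server = _desktop(menu_open=True)
    out["menu_closes"] = (try_lock(server, between=close_menu).locked,
                          server.deliver_key())
    return out


if __name__ == "__main__":
    for scenario, (locked, receiver) in demo().items():
        print(f"{scenario:12} locked={locked!s:5} next key goes to {receiver}")
```

In the `menu_open` case the only safe outcome is a failure the user or session manager can see, because the keyboard still belongs to the other client.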
  25. Re:If it's accessing your X server, it's elevated by vux984 · · Score: 2

    Are you familiar with the traditional attack?

    Computer somewhere running some OS.
    Regular authorized but non-privileged user logs in and runs regular non-privileged user-space application "program that looks like lock screen" and then leaves computer.

    Another coworker, or perhaps an administrator walks up to use the computer; types in his credentials... and the app saves them...

    Windows solution to the attack implemented decade(s) ago:

    real windows desktop lock screen can only be unlocked with ctrl-alt-delete which user-land non-privileged apps can't intercept.
    train users never to login to a computer unless they hit ctrl-alt-delete to unlock it first.

  26. Re:If it's accessing your X server, it's elevated by goarilla · · Score: 1

    I'm not familiar with writing apps for X, but are you saying that every program that displays a window in X can log all keystrokes including in windows that are not associated with that program?

    Well try this:
    - Find the id of your window of interest (xwininfo).
    - Attach to it with xev -id $id

    Now that you know ... Ctrl-Alt-Backspace zaps X.

  27. Re:How to make it work by unrtst · · Score: 1

    This has been solved for a long time. Not sure why this is really an issue.

    Because the poster stepped out of a way-back machine and didn't notice ...

    That's one hell of a way-back machine! vlock 1.2 came out in 1998!

  28. Xscreensaver by gringer · · Score: 5, Interesting

    Jamie Zawinski has another explanation why screensavers on KDE can't be secure:

    Like GNOME, KDE also decided to invent their own screen saver framework from scratch instead of simply using xscreensaver.

    And Unity:

    Guess what, they did it again! Ubuntu Unity's screen-locking framework is yet another rewrite, and it is completely broken, bug-ridden and insecure. At this time I don't have any information on how to turn it off and use xscreensaver instead. If you do, let me know.

    He also has a writeup on toolkits, discussing why locking and unlocking is a hard problem, especially when accessibility features are required.

    --
    Ask me about repetitive DNA
    1. Re:Xscreensaver by gringer · · Score: 1

      He's already basically responded to this in the toolkit discussion. Anyone else could write a secure screen locker, but to do that properly you need to understand the code of all the libraries being used:

      That's why I implemented the unlock dialog using only Xlib: not because I think Xlib is a good way to write user interfaces, but because I think this was the safest way. The amount of code in Xlib is very small, and has been extensively security audited. It is very unlikely that there are crashing bugs lurking in Xlib itself. The same cannot be said for larger, more featureful libraries. So, by making minimal use of Xlib (the dialog box is drawn using only the lowest level text-printing and rectangle-drawing routines) we can keep the code path short and auditable.

      I am as close to certain as I can be that there is no action a user can take on their input devices that will cause the current Xlib-based lock dialog in xscreensaver to unlock. That's because it's a small amount of code that I have stared at and tested for a very long time. It is a small enough piece of code that I (believe I) know every possible path through it.

      Introduce N layers of widget library, general text field handling, compose processing, input methods, I18N... and all bets are off. Who knows what bugs wait lurking in there; who knows which particular combinations of which libraries are a security-bug timebomb.

      Let me put that another way:

      The GTK and GNOME libraries have never been security-audited to the extent that their maintainers would be willing to make the claim, "under no circumstances will this library ever crash."

      One can, within a reasonable doubt, make that claim about libc, or even about Xlib, but not about anything the size of GTK. It's just too big to be sure. This is not a criticism of GTK or GNOME or their authors: it's simply a truth about any piece of software of that size.

      --
      Ask me about repetitive DNA
    2. Re:Xscreensaver by gringer · · Score: 1

      why are you letting jwz do your thinking for you?

      An alternative, related question, why are you saying things without references?

      I don't have a good knowledge of the intricacies of screen locking and controlling input devices, so I have to refer to others who I consider to share my general view point, but who appear to be more knowledgeable in a particular area. This is a very common approach in research, and separates out the people who have their own theories based purely on anecdotal evidence from the people who build on the theories and evidence of other research.

      My observation is that almost every program has bugs, and the number of bugs increase (in a non-linear fashion) with the size of a project. Bugs in software that deals with authentication are particularly serious, because a bug may be exploitable to give someone privileges that they would otherwise not have (see toolkit discussion).

      If you disagree, please address why security is something that should be handled by screensavers, instead of the display manager.

      I don't feel that I need to do this, because it has already been addressed in the toolkit discussion. You're giving off the impression that you haven't actually read the toolkit discussion. Please provide some other evidence why the arguments put forward by JWZ are incorrect (preferably something other than "he is a pretentious idiot, so he's wrong"). Anyway, because you're giving this impression, I feel it necessary to post more of that discussion here:

      So, you want xscreensaver to invoke the "unlock dialog" program and wait for a response. The unlocker would use a GUI toolkit, and would be linked against the various security libraries. Perhaps the way it would work is that it would print either "yes" or "no" on stdout, depending on whether a password was correctly entered. Were it to crash, the daemon would take that to mean "no"...

      In fact, this approach would actually reduce the number of libraries (and thus, lines of code) in the daemon itself, since the daemon would not need to link against things like PAM and crypto. That's a good thing.

      So that doesn't sound hard so far, except that the xscreensaver daemon has the keyboard grabbed. It's pretty important that it hold that grab, because otherwise keystrokes tend to go "through" the xscreensaver window and reach random desktop windows underneath.

      This [raises] the question of, how do the keystrokes get to the unlock dialog at all? That's a difficult question. Understanding how to do that right requires a lot of knowledge about X (which I have) but also probably a lot of knowledge about foreign-language input methods and screen readers and other accessibility-ware (which I do not have.) ...

      In the current system, where the same process is the creator of both the screen-blanking window and the unlock dialog, this is not a problem: that process gets all the events it wants. But when they are in different processes, we need a way for the keyboard and mouse events to get to the process driving the unlock dialog. So you'd like to transfer the grabs from the xscreensaver daemon to the unlock dialog, and then transfer them back afterward. Unfortunately, there is no way to transfer grabs atomically in X. ...

      Another possibility is for the xscreensaver daemon to keep its grabs, meaning that all keyboard and mouse events would go to it; but then for it to use XSendEvent() to generate synthetic events on the lock dialog window. That is, the xscreensaver daemon would read a KeyPress, and then would simulate an exact duplicate of that KeyPress on the lock dialog window.

      [arguments against this: Applications can tell the difference between real and synthetic events, so might reject synthetic events as a security measure. Input methods need to be embedded in the dialog, rather than as a separate window] ...

      In Summary

      Making the xscreensaver

      --
      Ask me about repetitive DNA
  29. Re:If it's accessing your X server, it's elevated by RightwingNutjob · · Score: 1

    Here's the problem: if you care about security to the point where screen locks are serious business, you've gotten yourself into a contradictory set of requirements: both trusted and untrusted users have physical access to and execution privileges on a terminal. If you really suspect that your users are untrustworthy enough to steal credentials in this way, the answer is to not have a screenlock at all but to push the security barrier further into the system. The terminal is dumb and has no security model, but to access and/or interact with your proprietary information, the user types credentials into your own custom coded application or web form through a browser and it logs him out after N minutes and requires reentry of the credentials. He's not allowed to run any code on your system, and all the directories, executables and shell scripts that are run in the course of interacting with the terminal are marked 755 or 744 as appropriate so that he can't modify them, and the tmp dir resides in a ramdisk that gets wiped between sessions. Then it doesn't matter if everything is permitted over the X11 protocol, because there is no way to spoof anything from that untrusted terminal. Physical security goes a long way in obviating risks from software vulnerabilities, where practical. And if the data being guarded is sufficiently important, it will be made to be perceived as practical.

  30. Re:If it's accessing your X server, it's elevated by JesseMcDonald · · Score: 5, Informative

    I'm not familiar with writing apps for X, but are you saying that every program that displays a window in X can log all keystrokes including in windows that are not associated with that program?

    Yes. This isn't just X, by the way; it's a common design across most operating systems. Any client can register to receive keyboard and mouse input regardless of the current focus, unless another client has already "grabbed" the input device. This is how things like global keybindings are typically implemented. Windows used for password entry (including lock screens) can grab the keyboard to prevent other programs from listening in. The problem is that this only works if no other program has already grabbed the keyboard.

    Secure input handling is one of the many reasons why everyone is eventually planning to switch to Wayland. Under Wayland, only the compositor has access to the raw input or the ability to inject simulated input events. The compositor manages any global keybindings and forwards the remaining events exclusively to the active window.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  31. Re:Linux rules the desktop, which is in your pocke by omnichad · · Score: 1

    If you consider micro-HDMI output and bluetooth keyboard support a "desktop" then I guess nobody will stop you.

  32. Re:Screen locker == physical access == ... by omnichad · · Score: 1

    I'd argue that's not really having access to the computer except for re-purposing its hardware. If the boot/data drive is encrypted, you've gained nothing. A lot of smartphones are encrypted by default when a screen locker is enabled. With Windows, CTRL+ALT+DEL plus a secure password is probably enough to keep you out of an encrypted computer in the short term. In Linux, you could probably bypass an X11 lock screen without much trouble without losing access to the decrypted contents.

  33. Re:Collection of wrong by PPH · · Score: 1

    And if you do it anyway, expect 120 xeyes windows to pop up pretty soon.

    xroach FTW!

    --
    Have gnu, will travel.
  34. Re:If it's accessing your X server, it's elevated by operagost · · Score: 2

    Security standards like PCI DSS assume that, yes, your users are untrustworthy or, at best, naive.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  35. It is still there.. by toonces33 · · Score: 1

    They have prettied it up quite a bit, but the underlying protocol is still there. I can run X applications on my Ubuntu 14.04 box, and they display just like they used to 20 years ago. The colors are a bit different, but the basic protocol is still there.

  36. so don't use lock screens by slashdime · · Score: 1

    I may be wrong but this applies to the lock screen/screensaver, not the login screen.

    One can use the "switch user" option to leave their X session open and bring them back to the login screen.

  37. Re:If it's accessing your X server, it's elevated by Lumpy · · Score: 1

    Yeah that doesn't work.

    If it's sitting there on what looks like a normal login they will not hit CTL-ALT-DEL they will just type away. Hell it's hard to not get users to open up every single attachment no matter where it comes from or to not click on every pop up window they get.

    --
    Do not look at laser with remaining good eye.
  38. Re: If it's accessing your X server, it's elevated by bondsbw · · Score: 1

    But my assumption was that some control in the other window already has keyboard focus.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  39. Between consumers and developers by tepples · · Score: 1

    Desktops are better suited for developers and smart phones are better suited to consumers.

    Then what's better for people in the middle? They're not "developers" because they are not directly involved in the production of computer programs, but they're not "consumers" because they do not exclusively view works created by others. Besides, schoolchildren are "developers" in training now that "introduction to computer science" has been added to high school curricula.

    1. Re:Between consumers and developers by MrKaos · · Score: 1

      Desktops are better suited for developers and smart phones are better suited to consumers.

      Then what's better for people in the middle?

      A Vic20 with a 4K ram expansion and a cassette interface.

      --
      My ism, it's full of beliefs.
  40. Locking Windows without a Windows key by tepples · · Score: 1

    On this PC (Windows 8.1 with Classic Shell), it's Ctrl+Esc (opens Start), Alt+U (opens Shut Down menu), Down, Down, Enter. It's probably similar for Windows 7. Which operating system is your PC running?

    1. Re:Locking Windows without a Windows key by ihtoit · · Score: 1

      7 HP here, it's CTRL-ALT-DEL then ENTER to lock. There are other options like switch user, log off, restart or shut down, but the two-hit combo locks it. Takes but a second to perform this series, why are people finding it so hard to secure their workstations when they step off?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  41. Re:If it's accessing your X server, it's elevated by Xylantiel · · Score: 1

    The lock screen and the login screen are different things in X. Typically on X ctrl-alt-backspace will kill the X server and give you a fresh login screen. I always thought that the assumption is that propagating this behavior from login to unlock has too many gotchas to be worthwhile. In an environment where security is essential, you should always log out instead of locking and hit ctrl-alt-backspace before you log back in.

  42. Re:Linux rules the desktop, which is in your pocke by TWX · · Score: 1

    "Linux" is already something of a 'cute' name, a man named Linus applied his name to his reimplemented UNIX-type kernel...

    --
    Do not look into laser with remaining eye.
  43. Re:Uses QT for screensaver, complains about securi by Anonymous Coward · · Score: 4, Informative

    Jamie Zawinski has been wrong before, too, but in this case it's not even wrong. What we're talking about is the X protocol being fundamentally flawed; it's really pretty irrelevant what screen locker is being used.

    And yet Jamie's xscreensaver hasn't been shown to be insecure by this guy. He's only proven what jwz said which is that a lockscreen using a toolkit on top of X11 is insecure.

  44. Let me get this straight... by davek · · Score: 3, Interesting

    Let me get this straight. In order to exploit this vulnerability, an attacker must:
      * gain login access to your system via SSH
      * hope you turned on X11 forwarding
      * be root or your user
      * hope you've disabled access control with `xhost +`
      * be able to run a fake screen locker program to get your password to the system he's already completely compromised

    Yes, someone could still stop by your desk and put in the fake screen locker while you were getting coffee, but if you got up and didn't lock your machine, that's on you, not X11.
    I'll file this one under "good enough" security.

    --
    6th Street Radio @ddombrowsky
    1. Re:Let me get this straight... by delt0r · · Score: 1

      QTF. Yea that is all they have ever done. I am surprised by how many people think "its secure cus it runs linux". Good God no. Security is hard when you have a well defined thread model. Many times you don't even have that.

      --
      If information wants to be free, why does my internet connection cost so much?
    2. Re:Let me get this straight... by delt0r · · Score: 1

      threat model... treat model. Not thread. There is no thread.

      --
      If information wants to be free, why does my internet connection cost so much?
  45. Re:If it's accessing your X server, it's elevated by HiThere · · Score: 1

    Naive is a version of untrustworthy. Ask your Nigerian Banker.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  46. Re:Windows reigns supreme by phantomfive · · Score: 1

    It was more than just issues with .NET.

    Really? Now I'm interested. What other problems did they have?

    --
    "First they came for the slanderers and i said nothing."
  47. Re:Screen locker == physical access == ... by phantomfive · · Score: 1

    Yup.

    --
    "First they came for the slanderers and i said nothing."
  48. Re:Collection of wrong by phantomfive · · Score: 1

    Then he goes on to post an example program that can prevent your screen saver from kicking in, if you run the example program first. An easier way would be to disable the screen saver, and that doesn't require downloading malicious code.

    Good point.

    --
    "First they came for the slanderers and i said nothing."
  49. Re:If it's accessing your X server, it's elevated by Aighearach · · Score: 1

    Yeah, I wrote a custom lock screen for X in 2000 for an internet kiosk, and I grabbed the pointer and there was no problem. In my case of course it was controlled by a bill acceptor, not a password.

    The basic misunderstanding here is the idea that the screen lock in old X was designed for security, and usable as such; it was just a screensaver with a password, it wasn't intended as a security device and people who needed a security device just used one. It is open source, we're not locked out, we're not forced to use the provided default tool.

    TFS claims they "can't" be secure because... linux didn't copy windows. Well, geeeeeeeeeeeeeee. If I'd used windows for my kiosk, it would not have increased security. And even here, it would not be easy to integrate a custom setup with the windows feature, so I wouldn't have been able to actually use it; it wouldn't have provided the claimed security.

  50. Re:If it's accessing your X server, it's elevated by Aighearach · · Score: 2

    You're tricking yourself into security theater. You can't intercept an actual ctrl-alt-del, but you can read the ctrl and alt keys, and just unlock your fake lock a couple seconds later. For bonus points, as soon as they press ctrl-alt you change the pointer to an hourglass, and wait an extra second, that way even if they're slow they have time to press del. No windows user is going to be surprised or alarmed by 2 seconds of lag. Their brain will probably hold them in a sort of pause mode anyways, because they're so used to waiting to be allowed to continue.

    And the more often they have to press a magic key combination, the more robotic it becomes and the less attention they will pay. Also, even if something looks slightly off, they've been taught that this magic key protects them in this situation, so they won't worry much.

  51. Short Version by T.E.D. · · Score: 1

    The good news is, on X11 platforms, anyone can write their own lock screen program.

    The bad news is, on X11 platforms, anyone can write their own lock screen program.

  52. Re:Linux rules the desktop, which is in your pocke by Aighearach · · Score: 1

    I know you never heard of the OTG standard, but you don't have to buy a special cable to try it out. Just cut open the micro USB cable and solder the unused pin to the ground pin, and now you can use that cable to attach standard USB keyboards, etc. to your portable linux device.

    See also: http://en.wikipedia.org/wiki/U...

    Not sure what your point was about the HDMI, that is what all modern screens expect.

  53. Re:Linux rules the desktop, which is in your pocke by omnichad · · Score: 1

    Great idea. Now you can have either a keyboard OR power. I have an OTG cable. It's useless for anything but a quick use.

  54. Re:If it's accessing your X server, it's elevated by countach · · Score: 1

    That's great, but if the terminal you're logging in with is compromised by the old fake login, then all your keystrokes into your super trusted proprietary app or browser session can be logged and then your passwords into THAT system are now compromised, not to mention screen grabbers which might have sucked down whatever secrets you were trying to keep. Your theory about supposedly "pushing security further into the system" is a mere placebo. There is nothing inherently more secure about a browser than about an operating system.

  55. Re:If it's accessing your X server, it's elevated by countach · · Score: 1

    Oh, and if you think a dumb terminal solves it, firstly these days terminals are never dumb. Even dumb terminals (does anybody still actually buy them?) probably run something like Linux underneath.

    And if you can find a truly dumb terminal and solve all those problems, then you can stick a little thumb drive sized linux server between the ethernet port of the terminal and the rest of the network. Then it can put up the fake login screen whenever it wants, and at other times just pass through the packets.

    This could be solved by requiring the terminal to use encryption with the key securely input into the terminal, but who is actually using such a scheme? I doubt anybody is.

  56. Re:If it's accessing your X server, it's elevated by ihtoit · · Score: 1

    Even those that don't display a window but rely on user input have the potential to be a keylogger or have one as part of their functionality. Word processors, for one. The desktop manager, for an example of the latter.

    If you don't want keystrokes to be logged, unplug your keyboard.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  57. Re:If it's accessing your X server, it's elevated by amorsen · · Score: 1

    Of course the screen lock in X was a security device; back when X was designed most workstations were shared.

    XScreenSaver has some atrocious code to work around the deficiencies in X. Most of the time it succeeds.

    --
    Finally! A year of moderation! Ready for 2019?
  58. Re:Linux rules the desktop, which is in your pocke by ihtoit · · Score: 1

    the stock Nokia Lumia 610 has Mobile Office which is a necessarily stripped but still fully functional port of MS Office for desktop.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  59. Re:If it's accessing your X server, it's elevated by RightwingNutjob · · Score: 1

    Exactly. You need to control the hardware with physical security, or none of your fancy software solutions are valid. And yeah, then you have to worry about vendors, and where the factories are, and do you pay your security guards enough.

  60. Re:If it's accessing your X server, it's elevated by JesseMcDonald · · Score: 1

    What exactly would you propose to add? This isn't a matter of implementing new functionality, but rather removing fundamental misfeatures. Any change to address this issue is going to end up breaking existing applications which depend on the original input behavior.

    In any case this is hardly the only reason to switch to Wayland. It's just one of many areas which highlights the drawbacks of trying to tack modern best practices on top of an aging framework. Better to adopt a clean and modern design as the base and confine the hackish workarounds needed to support older clients to a separate compatibility layer.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  61. Re: If it's accessing your X server, it's elevated by JesseMcDonald · · Score: 2

    Some other window most likely does have the keyboard focus, but that's not the same as grabbing the keyboard. Having the focus doesn't prevent input events from also being delivered to other windows, it just tells the non-focused windows to ignore the events. Integrity and privacy for both input and output is a hard problem and something very few windowing systems manage to get right. The solutions tend to involve some degree of inconvenience for the user.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  62. Re:If it's accessing your X server, it's elevated by complete+loony · · Score: 1

    Crippleware on Windows always used to amuse me. Oh you've disabled the button because I haven't paid? [poke]...[poke]... There now it's enabled again. Oh, you forgot to check if it should be enabled when processing the click event? Tough.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  63. Re:If it's accessing your X server, it's elevated by psmears · · Score: 1

    You're tricking yourself into security theater. You can't intercept an actual ctrl-alt-del, but you can read the ctrl and alt keys, and just unlock your fake lock a couple seconds later.

    This. Or the fact that there are registry entries that allow remapping of any key to any other, including (as far as I remember) the Ctrl, Alt and Del keys. The "security" of Ctrl+Alt+Del has always been over-hyped :-)

  64. Re:If it's accessing your X server, it's elevated by Swistak · · Score: 1

    It's. You've obviously never seen X.Org's code. Believe me it is.

  65. Back in the day... by technothrasher · · Score: 1

    Reminds me of the good old days of the early 90's, when you could just keep typing in the xdm password field until the buffer overflowed and it would dump you into a root shell.

  66. Re:If it's accessing your X server, it's elevated by disambiguated · · Score: 3, Insightful

    The basic misunderstanding here is the idea that the screen lock in old X was designed for security, and usable as such; it was just a screensaver with a password

    What use is a screensaver with a password that isn't designed for security? Why is the password even there? So it looks secure? Let's just admit it was poorly designed from a security standpoint. That's fine, most stuff designed at that time was not secure. MS-DOS had no security at all. Pointing out that NT occasionally has some good ideas is not an indictment against Unix.

  67. Re:If it's accessing your X server, it's elevated by serviscope_minor · · Score: 1

    What exactly would you propose to add? This isn't a matter of implementing new functionality, but rather removing fundamental misfeatures. Any change to address this issue is going to end up breaking existing applications which depend on the original input behavior.

    Oh how about a new protocol extension that allows one designated program to receive all keyboard inputs regardless of any other grabs. The X11 server can keep on pretending that the other grabbers still have such a grab.

    Look: X11 works on Windows even though windows can apparently REALLY grab the keyboard. X11 will we are told work on Wayland too despite the fact that wayland can apparently REALLY grab the keyboard. Do you really think it couldn't be extended to do that itself?

    --
    SJW n. One who posts facts.
  68. In 2014, 1 billion Android, 160 million PCs by raymorris · · Score: 1

    In 2014, there were 1.3 billion mobile devices sold. 82% of those run Android, so just over 1 billion Android devices. Over the same time period, 160 million PCs were sold.

  69. Re:If it's accessing your X server, it's elevated by Jeremi · · Score: 1

    Crippleware on Windows always used to amuse me. Oh you've disabled the button because I haven't paid? [poke]...[poke]... There now it's enabled again. Oh, you forgot to check if it should be enabled when processing the click event? Tough.

    If you're going to pirate the software, you might as well go ahead and pirate the full version; then you won't have to poke at it.

    OTOH, if you're going to legitimately use the software, you ought to pay for it.

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  70. Wouldn't Wayland fix this problem? by unixisc · · Score: 1

    For one thing, not having direct remote access, and another, since it's totally independent of X, they could put in either that same key combination of CNTL-ALT-DEL or something similar - CNTL-ALT-ESC to lock the screen.

  71. Re:If it's accessing your X server, it's elevated by JesseMcDonald · · Score: 1

    Oh how about a new protocol extension that allows one designated program to receive all keyboard inputs regardless of any other grabs. The X11 server can keep on pretending that the other grabbers still have such a grab.

    I'm not really sure how creating yet another way for a "designated program" to monitor input events is supposed to address the problem that any X11 client can monitor keyboard events on any window in the absence of a grab, unless you intend to rewrite all existing software to grab the keyboard on receiving input focus, and force all the desktop environments to implement support for the extension and move their global keybindings into a specially designated client. At that point you might as well switch to a system designed for secure I/O from day one—like Wayland.

    Look: X11 works on Windows even though windows can apparently REALLY grab the keyboard. X11 will we are told work on Wayland too despite the fact that wayland can apparently REALLY grab the keyboard. Do you really think it couldn't be extended to do that itself?

    It's no different with a rootless X server on Windows. Input received by any X window can be observed by any X client, unless one client grabs the input. XWayland will probably work the same way, with native Wayland clients secure from each other and from X11 clients but no isolation between X11 clients and no support for grabbing input directed at non-X11 windows. XWayland is meant as a shim between the Wayland compositor and ordinary X clients; it doesn't support external window managers and isn't expected to host a full X11 desktop environment. You wouldn't run something like a screen locker as an X11 client under XWayland. It wouldn't be secure, for the same reasons that screen lockers aren't secure under X11 now, and similar compatibility problems would occur if you tried to implement the Wayland input model with X11 extensions.

    It's easy to implement the insecure X11 model on top of a secure system. The reverse is much more difficult.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  72. Re:Screen locker == physical access == ... by smash · · Score: 1

    You're not going to get any of my data that way, which is what is actually important.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  73. Re:Screen locker == physical access == ... by smash · · Score: 1

    Perhaps I should have clarified: attempt to get my data out of it. Of course you can use DFU mode.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  74. Re:If it's accessing your X server, it's elevated by parenthephobia · · Score: 3, Informative

    Your façade rather falls apart when they actually do press "del", I think.

  75. Re:Windows reigns supreme by MrKaos · · Score: 3, Interesting

    It was more than just issues with .NET.

    Really? Now I'm interested. What other problems did they have?

    Messaging systems performance. The closed nature of the windows kernel means it cannot be tuned to the granularity required for performance objectives to be met for the messaging systems. Windows may reign supreme on the desktop, however when it comes to serious computing objectives, it's always the year of the *ix server.

    As for this issue affecting any enterprise systems, many don't have a GUI on their console, so there is no opportunity to troll there either.

    Incidentally, if you want to see a manifestation of this issue on an X11 desktop, pick a program with menus - let's say firefox, position the mouse on the menu so it opens, then leave the cursor on the menu until the screensaver kicks in. After the lock screen kicks in you will be able to interact with the GUI until the task loses focus, then the screen saver will lock. It's been around for a while.

    Yep, it's a risk for a desktop, if _insert_convoluted_scenario_here_, however it should still be fixed.

    --
    My ism, it's full of beliefs.
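
Added example (not part of any comment in this thread, and not code from KDE, X.Org or any screen locker): a small Python model of the active-grab rule described in comments 30 and 75, showing why a locker has to treat a failed grab as "not locked". The class, function and client names and the `on_retry` hook are hypothetical; only the status names GrabSuccess and AlreadyGrabbed come from the X11 protocol.

```python
"""Simplified model of X11 active grabs. Constructed for illustration; needs no X server."""
from dataclasses import dataclass, field

# Status names follow the X11 core protocol's replies to a grab request.
GRAB_SUCCESS = "GrabSuccess"
ALREADY_GRABBED = "AlreadyGrabbed"


@dataclass
class XServerModel:
    """Tracks who holds each active grab and who has asked to see key events."""
    grabs: dict = field(default_factory=lambda: {"keyboard": None, "pointer": None})
    listeners: set = field(default_factory=set)

    def grab(self, device, client):
        owner = self.grabs[device]
        if owner is not None and owner != client:
            # The server has no concept of a screen locker, so the first
            # client to grab wins and everyone else is refused.
            return ALREADY_GRABBED
        self.grabs[device] = client
        return GRAB_SUCCESS

    def ungrab(self, device, client):
        if self.grabs[device] == client:
            self.grabs[device] = None

    def select_keys(self, client):
        """A client registers interest in key events, as comment 30 describes."""
        self.listeners.add(client)

    def deliver_key(self, focused):
        """Return the set of clients that see one key press."""
        owner = self.grabs["keyboard"]
        if owner is not None:
            return {owner}                     # an active grab is exclusive
        return {focused} | self.listeners      # no grab: every listener sees it


def try_lock(server, locker="locker", attempts=3, on_retry=None):
    """Fail closed: report 'locked' only when both grabs are actually held."""
    for attempt in range(attempts):
        kb = server.grab("keyboard", locker)
        ptr = server.grab("pointer", locker)
        if kb == GRAB_SUCCESS and ptr == GRAB_SUCCESS:
            return True
        # Drop a partial grab so the session is never half locked.
        server.ungrab("keyboard", locker)
        server.ungrab("pointer", locker)
        if on_retry is not None:
            on_retry(attempt)   # stands in for the wait between real retries
    return False


def menu_scenario():
    """The open-menu case from comment 75, run against the model."""
    server = XServerModel()
    server.select_keys("other-client")
    result = {"before": server.deliver_key("terminal")}

    # An open context menu holds both grabs (constructed client name).
    server.grab("pointer", "menu")
    server.grab("keyboard", "menu")
    result["blocked"] = try_lock(server)

    def close_menu(_attempt):
        server.ungrab("pointer", "menu")
        server.ungrab("keyboard", "menu")

    # The menu closes during the first wait; the next attempt succeeds.
    result["locked_after_menu_closed"] = try_lock(server, on_retry=close_menu)
    result["during_lock"] = server.deliver_key("terminal")
    return result


if __name__ == "__main__":
    for key, value in menu_scenario().items():
        print(key, value)
```

The check that matters is the return value of `try_lock`: a locker that draws its window without confirming both grabs leaves the session usable behind it.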
  76. Re:If it's accessing your X server, it's elevated by skids · · Score: 1

    Lockscreens in general only exist to satisfy PHBs and annoy the user. If you really cannot trust the physical security of your office environment for more than 10 minutes, you probably should not be trusting it for even 1 minute and be locking your system through other means.

  77. Re:If it's accessing your X server, it's elevated by skids · · Score: 1

    Supposing there is no way to close it faster than it renders, sure they will be confused, but most will just blow it off as just another windows UI flub, close it, and enter their password.

  78. So all people have to do by iamacat · · Score: 1

    Is install Linux on your "Windows NT" workstation and emulate Ctrl-Alt-Del login screen? Or insert a little keylogger between keyboard and computer's USB port? Or hide a little camera in light fixture of the ceiling to snoop on your password? Or just do a little old fashioned shoulder surfing?

    Best realize that your password is vulnerable to a determined attacker and practice defense in depth.

  79. X11 has lots of things to be improved... by Casandro · · Score: 1

    ...but you _can_ make secure screen lockers on it, you just need to use it raw and not use bloated frameworks. It's been done for years.

    There is nothing wrong about considering to replace X11, however the current crowd of desktop developers probably won't make it much better. Instead of learning from modern operating systems like Plan 9 and using language neutral file system based interfaces, systems like Wayland still are stuck in the past requiring dynamically linked libraries as API interfaces.

  80. Re:If it's accessing your X server, it's elevated by benjymouse · · Score: 3, Informative

    I'm not familiar with writing apps for X, but are you saying that every program that displays a window in X can log all keystrokes including in windows that are not associated with that program?

    Yes. This isn't just X, by the way; it's a common design across most operating systems. Any client can register to receive keyboard and mouse input regardless of the current focus, unless another client has already "grabbed" the input device.

    Except in Windows. Since Vista user interface privilege isolation prevents unauthorized processes from grabbing keyboard/mouse events or sending messages to windows owned by another process, even if that process is running as the same user. To be allowed to grab keyboard/mouse, the process must have declared that intent in the manifest *and* it must have been launched from an installed location (program files or windows system). Furthermore, such hooking/messaging is also masked out at the intrinsic level by UAC - specifically by integrity levels. A lower integrity process is simply not allowed - manifest or not - to send messages or install keyboard/mouse hooks at a higher integrity level process.

    X is especially bad in this regard, as it does not even protect against shatter attacks and eavesdropping on windows from *another users* processes. If you elevate to root - e.g. sudo from a terminal window - any other process can *still* eavesdrop on keyboard events.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  81. Re:Screen locker == physical access == ... by serviscope_minor · · Score: 1

    You're not going to get any of my data that way, which is what is actually important.

    I'm not sure I follow. Surely if I had unlocked access to your phone, I could simply read whatever data was on there? Also, can you install free apps without an additional password? If so what stops me installing a keyboard app trojan?

    Honest question: I don't own an iPhone. If it stops those kind of attacks it would be great to know how.

    --
    SJW n. One who posts facts.
  82. Re:If it's accessing your X server, it's elevated by Aighearach · · Score: 1

    The same reason I have a locking desk drawer with a wimpy lock that a professional thief could easily defeat: it keeps co-workers from gaining casual access.

    The same reason I lock my car doors, and it generally prevents theft. They can still break the window or use other access techniques; my car is not actually secured. I wouldn't leave something important in it though, like a HD full of confidential customer information.

    So even a not-fully-secured workstation benefits from casual access control. But thinking it is secure might prevent the creation of more secure systems to store confidential data.

    Knowing the real level of security achieved is vital to assessing how your processes meet your security needs.

  83. Re:If it's accessing your X server, it's elevated by serviscope_minor · · Score: 1

    First bear in mind the attacker has local code execution. If they can put up a fake screengrabber, it's just a logout/reboot away from running a trojaned compositor (if you use Wayland), a trojaned screenlocker (if you use X) and on either system without even a reboot, a trojaned browser, terminal, ssh program and so on and so forth. So to say this is a serious flaw with X is hyperbole.

    The next case is that you also claim Wayland is secure. Therefore X11 running on Wayland is secure. Therefore in that case X11 is being run in a secure manner. I claim that if that is the case, then X11 could very easily be secured, because it's easy to see it in operation now running in a way that the additional insecurity doesn't break things.

    I'm not really sure how creating yet another way for a "designated program" to monitor input events is supposed to address the problem that any X11 client can monitor keyboard events on any window in the absence of a grab, unless you intend to rewrite all existing software to grab the keyboard on receiving input focus, and force all the desktop environments to implement support for the extension and move their global keybindings into a specially designated client. At that point you might as well switch to a system designed for secure I/O from day one—like Wayland.

    OK, I'm lightly lost so I'm going to swing back to the original point.

    First there's the one about server grabs which prevent other windows from opening. Well, you could easily have a protocol extension that allows only one connected client to bring up windows anyway. The continuation of the grab could either be faked to the grabber, or killed outright (the latter feature---killing grabs---was removed from Xorg by the wayland people because they decided we didn't need it!). Let's say it's first come, first serve, so that the first client to request this feature is the only one to get it. Or the screenlocker could get that command. This requires the WM and screenlocker to be run on boot before a trojan, but as I pointed out, if the system is that deeply trojanned anyway, then this is all pointless.

    That requires some rewriting to whichever screenlockers you want to add the feature to, hardly a major undertaking since there's about 3 in common use and a few, more obscure, ones.

    The other problem---a designated screen lock key combo. Well, if the screen locker has a passive grab on ctrl-alt-delete, then the fake screenlocker can't grab that, so that already works.


    It's easy to implement the insecure X11 model on top of a secure system. The reverse is much more difficult.

    Why? Why not have exactly the same security model? You haven't explained, only asserted, that your chosen security feature couldn't be easily available under X.

    In fact when it comes to locking things down, there are things like the X security protocol, which blocks untrusted programs from executing various protocol commands. This already exists and could (I haven't checked if it does) easily block things like receiving events from a window on another connection, reparenting or redirecting a window on another connection, diddling with the global keymap and so on.

    Anyway if there's unsandboxed local code execution, you're basically screwed on any system.

    --
    SJW n. One who posts facts.
  84. Re:Screen locker == physical access == ... by bobbied · · Score: 1

    I can do that too.... Might take a while, cost a lot and require disassembly of the device to get to the flash, but if the data is there, there is a way to get access to it. There are devices that "self destruct" when disassembled but I know of no commonly used cell phones with that feature.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  85. Re:Yes, point is to keep adversary out. It fails. by Dahan · · Score: 1

    When you come back from the bathroom, you want to regain access to your own computer. Think about exactly how you do that. Do you press the power button and reboot, and then enter your authentication credentials into a dialog that you know is your login screen, because you know that every step from boot to login, is intended to protect your interests?

    You're stuck there anyways because you can never be sure someone didn't reboot the system, run a keylogger designed to act like the lock screen, and then send your password and reboot the machine.

    As the guy you're replying to said, "you know that every step from boot to login, is intended to protect your interests." If you're concerned about someone rebooting the system and running some malware, you should make use of the various features designed to mitigate against that. All PCs these days let you password-protect the BIOS settings, so if you've configured it to only boot from the HD, it's not as simple as an attacker putting in a CD or plugging in a USB flash drive with their keylogger. And for even more protection, you can get a computer with more "enterprisey" features, such as a physical case lock and a chassis intrusion detection switch. If the attacker thinks they'll just open the box up and do a quick hard drive swap or something like that, that's not gonna work. And these days, there's also UEFI Secure Boot. Sure, there are ways to attack all of this, but a BIOS password plus case lock is sufficient for the vast majority of people. If you need more than that, you should probably focus on keeping intruders from getting access to your computer in the first place.

    Whether it's user mode per se or not, there are tools to change the behavior of ctrl-alt-delete.

    As far as I can tell, that's just a utility that changes the options that are already available in Windows--they're normally controlled via Group Policy. It's not actually running any new code, it's just changing behavior in a way that MS has already allowed. It actually is possible to write your own code that runs when the user presses Ctrl+Alt+Del though; it's called a custom GINA DLL. Of course, if an intruder already has Admin access to install their GINA DLL, it's already too late... The point of Ctrl+Alt+Del is to thwart malware running as an unprivileged user.

    PS - The other major thing is that Ctrl-Alt-Delete was originally a DOS-ism that had more to do with dealing with misbehaving, yet not malicious, programs and trying to regain some level of control.

    That key combo was selected because no application uses it. Other than that, there's no relation to its use in DOS. Bill Gates has said that he (or Microsoft in general) had wanted a dedicated key for it, but IBM (which was a major keyboard manufacturer at the time) didn't want to add a key for MS. I guess MS eventually had enough clout to get everyone to add the Windows and Context Menu keys, but it wasn't worth changing Ctrl+Alt+Del to use the new keys.

  86. Re:If it's accessing your X server, it's elevated by pop+ebp · · Score: 1

    Actually, even before Vista, the requirement to press Ctrl-Alt-Del before you entered your password solved the rogue screensaver problem nicely.

    No ordinary process can intercept the key combination, and when pressed, it takes you to a secure desktop that ordinary programs cannot draw on, so they cannot fake the password screen.

  87. Re:If it's accessing your X server, it's elevated by pop+ebp · · Score: 2

    But when you do actually press the Del key, the real password dialog appears, and it is on a secure desktop (the "Winlogon" desktop) that can't be manipulated by your rogue program. Your window would be seen only after the user entered their password once, which would look quite suspicious.

  88. Re:If it's accessing your X server, it's elevated by vux984 · · Score: 1

    This

    Actually. No. Not this.

    Or the fact that there are registry entries that allow remapping of any key to any other, including (as far as I remember) the Ctrl, Alt and Del keys. The "security" of Ctrl+Alt+Del has always been over-hyped :-)

    Yes, you can install a keyboard driver, usb filter driver, or adjust the keyboard scan code map in the registry to disable the keys. (And that's not in HKEY current user.)

    You aren't going to be tampering with or installing ANY of that from user land. And if you have root... you can just install a keylogger and be done with it. Why bother with dorky fake lock screens?
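
The "keyboard scan code map in the registry" mentioned in comment 88 is the `Scancode Map` REG_BINARY value under `HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout`. The following is an added example, not code from the thread: a parser a defender could run over an exported value to see whether any key of the Ctrl+Alt+Del sequence has been disabled or remapped. The function names and both sample values are constructed for illustration.

```python
import struct

# Set-1 scancodes of the Ctrl+Alt+Del keys (0xE0xx marks an extended key).
SAS_KEYS = {
    0x001D: "Left Ctrl", 0xE01D: "Right Ctrl",
    0x0038: "Left Alt",  0xE038: "Right Alt",
    0xE053: "Delete",    0x0053: "Numpad Del",
}

def parse_scancode_map(blob: bytes):
    """Return [(original_key, sent_as)] from a 'Scancode Map' REG_BINARY value."""
    if len(blob) < 16:
        raise ValueError("too short for header plus terminator")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0:
        raise ValueError("unexpected header")
    # The count field includes the terminating all-zero entry.
    if count < 1 or len(blob) < 12 + 4 * count:
        raise ValueError("entry count does not match value length")
    entries = []
    for i in range(count - 1):
        # Each entry: 16-bit code to send, then 16-bit code of the physical key.
        sent_as, original = struct.unpack_from("<HH", blob, 12 + 4 * i)
        entries.append((original, sent_as))
    if struct.unpack_from("<I", blob, 12 + 4 * (count - 1))[0] != 0:
        raise ValueError("missing null terminator")
    return entries

def sas_findings(blob: bytes):
    """Describe every mapping that disables or remaps a Ctrl+Alt+Del key."""
    findings = []
    for original, sent_as in parse_scancode_map(blob):
        if original in SAS_KEYS:
            action = "disabled" if sent_as == 0 else f"remapped to 0x{sent_as:04X}"
            findings.append(f"{SAS_KEYS[original]} (0x{original:04X}) {action}")
    return findings

# Constructed sample: Caps Lock sent as Left Ctrl (benign) and Delete disabled.
SAMPLE = bytes.fromhex("00000000" "00000000" "03000000"
                       "1d003a00" "000053e0" "00000000")
# Constructed sample: an empty map (terminator only).
EMPTY = bytes.fromhex("00000000" "00000000" "01000000" "00000000")

if __name__ == "__main__":
    for line in sas_findings(SAMPLE) or ["no Ctrl+Alt+Del keys affected"]:
        print(line)
```
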

  89. Re:If it's accessing your X server, it's elevated by psmears · · Score: 1

    You aren't going to be tampering with or installing ANY of that from user land.

    I think you're confusing the user vs administrator distinction with the userland-vs-kernel-mode distinction... but never mind...

    And if you have root... you can just install a keylogger and be done with it. Why bother with dorky fake lock screens?

    What I'm saying is that the "Ctrl+Alt+Del protects your password" claim is overblown; the suggestions you give only amplify that, as they are even more ways to circumvent it...

  90. Re:If it's accessing your X server, it's elevated by vux984 · · Score: 1

    I think you're confusing the user vs administrator distinction with the userland-vs-kernel-mode distinction... but never mind...

    Deliberately conflating, but not confused.

    What I'm saying is that the "Ctrl+Alt+Del protects your password" claim is overblown; the suggestions you give only amplify that, as they are even more ways to circumvent it...

    But none of them are trivial to do. Especially if I am not already an administrator on the system.

    I can trivially run a program to throw up a screen that looks like the login screen on a PC at work. TRIVIALLY.

    the "Ctrl+Alt+Del protects your password" claim is overblown

    It's like door locks. Nobody anywhere claims they make your house secure, but it does stop people from being able to literally just wander into your house.

    In the real world door locks prove to be highly effective at keeping people out of places. From hotel supply closets and building electrical rooms to the boss's office to your bathroom stall while you're taking a crap.

    Nobody here is arguing ctrl-alt-delete is some magical super thing, it's just a door lock. But it's enough of a hassle to get around, that it's plenty to stop all kinds of casual intrusions and mischief.

    Ctrl-Alt-Delete is the same way.

  91. Re:If it's accessing your X server, it's elevated by psmears · · Score: 1

    Deliberately conflating, but not confused.

    It's hard to tell the difference from here ;-)

    I can trivially run a program to throw up a screen that looks like the login screen on a PC at work. TRIVIALLY.

    Adding a registry entry to remap keys is pretty trivial, too... as, for that matter, is running a different OS which doesn't treat Ctrl+Alt+Del in a special way! Thus any extra security provided is minimal. Which is fine - as you say, security doesn't have to be perfect in order to be useful - but in my view overselling the effectiveness of a measure is counterproductive.

    Nobody here is arguing ctrl-alt-delete is some magical super thing,

    Alas that is exactly what Microsoft claimed for years (possibly still claim?)...

  92. Re:If it's accessing your X server, it's elevated by vux984 · · Score: 1

    Adding a registry entry to remap keys is pretty trivial, too.

    You need to be an administrator to do that. That makes it pretty non-trivial.

    is running a different OS which doesn't treat Ctrl+Alt+Del in a special way

    Now you're suggesting what exactly? That the attacker is going to throw in a Linux live CD, boot it, run his 'fake login screen' that looks like the usual Windows screen?

    Ok... yes I guess that is a theoretically possible attack; although you'd probably get caught as soon as the user isn't actually able to log in and IT gets called in...

    Usually the fake login screen attacks "fail" with a you got your password wrong message, and then quietly disappear and throw the -real- lock screen up so the unwitting user tries again... gets in to what he expects and assumes he must have fat fingered his password.

  93. Fake the lockscreen? by allo · · Score: 1

    Why is it a fake?
    Assume I have gnome-screensaver, kscreensaver and xlock installed. Now I use one of them to lock the screen. Do all the others now cry, because the used one is a fake to them?

  94. Re:If it's accessing your X server, it's elevated by psmears · · Score: 1

    Adding a registry entry to remap keys is pretty trivial, too.

    You need to be an administrator to do that. That makes it pretty non-trivial.

    It would, except that users having Admin access is much more common on Windows systems. (Being an Administrator on Windows does not (in theory, at least) have the complete "game over" privileges that "root" traditionally does on Unix-based systems, so there are still further privilege levels to be escalated to.)

    is running a different OS which doesn't treat Ctrl+Alt+Del in a special way

    Now you're suggesting what exactly? That the attacker is going to throw in a Linux live CD, boot it, run his 'fake login screen' that looks like the usual Windows screen?

    Ok... yes I guess that is a theoretically possible attack; although you'd probably get caught as soon as the user isn't actually able to log in and IT gets called in...

    Why would IT get called in? After the user's entered their password, you just display a simulated BSOD and then reboot into the genuine OS; no user will be remotely surprised ;-)