Nvidia Blames Apple For Bug That Exposes Browsing In Chrome's Incognito (venturebeat.com)
An anonymous reader points out this story at VentureBeat about a bug in Chrome's incognito mode that might be a cause for concern for some Apple users. From the story: "If you use Google Chrome's incognito mode to hide what you browse (ahem, porn), this might pique your interest. University of Toronto engineering student Evan Andersen discovered a bug that affects Nvidia graphics cards, exposing content that you thought would be for your eyes only. And because this only happens on Macs, Nvidia is pointing the finger at Apple."
>> I didn’t expect the pornography I had been looking at hours previously to be splashed on the screen
I think you're either doing it wrong or you're not looking at the right stuff. (Hours? Really?)
You insist on having your own slow ass OpenGL implementation for our cards, I guess you fucked up on security too.
This isn't just on Apple's OS. While I have nothing like Mr. Andersen's writeup to prove it, I've seen this kind of bug happen on Windows.
So are you implying that this bug is due to wanting to keep images in RAM for advertising purposes?
So, your program allocates some memory. Should it initialize the memory to make sure it's all a bunch of zeros? Apparently, Nvidia doesn't think so.
So, a program running on your OS requests some memory. Should the OS initialize the memory before handing it to the application? Apparently, Apple doesn't think so.
Either answer is right.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
A session that doesn't store cookies/etc. Very useful if you need to log into the same place with two different sets of credentials at the same time.
Anything else?
Your ISP can already tell what you're doing, and no browser will change that.
And Facebook and Google can already tell what you're doing, because according to some flash-based advertisements that wobble and emit noise, your computer may be broadcasting an IP address. Browser ain't gonna do shit against basic TCP/IP.
No, his reason is that sweet sweet +5 insightful. We don't need your facts around here.
It happens with anything that uses 3D acceleration on OS X (for me, even on AMD cards), and given Cocoa does that, it tends to be just about everything. This topic isn't noteworthy for anyone other than Apple, who I guess should probably do something about it, but if you have a Mac you know about this already.
His extension was exposed. *ba dum tssss* Thank you and remember to tip your waitress!
No way no one would not believe that.
Had Evan Andersen been streaming his gameplay, then everyone on the Internet would know that he visits porn sites!
Does that mean I have to throw away my porn iPad and go back to my porn ChromeBook?
I hate that. Just moving the bookmarks will take forever.
lucm, indeed.
I've done some GLSL programming and it's not unreasonable for clearing a GPU buffer to take 1/20 to 1/10 of the time of the actual operation on that buffer. How many Nvidia users (read: gamers) would prefer to take a 5% performance hit to prevent occasional glitches like this?
This has absolutely nothing to do with Nvidia's drivers. It is a glitch in Diablo III and maybe something Chrome could address for the paranoid out there. Meanwhile, if you're really that worried about someone seeing a glimpse of your porn hours earlier, just turn your computer off/on before allowing anyone to use it next. Problem solved.
Just like a pharma company doesn't really need you to take every drug they manufacture, Google doesn't need to get your info with every software they make. You either think that the vast majority of Google engineers are moral-less bastards, or do I sense a hint of sour grapes?
Chrome advertises its Incognito mode as leaving no traces behind. Therefore, it should be responsible for wiping its framebuffer, just as it clears caches, cookies and history. It's like writing a file shredder that doesn't actually overwrite files, then blaming the OS and hard drive manufacturer for the oversight.
It might be nice if framebuffers and such were zeroed on release, but like overwriting files, it's a time/energy/security tradeoff. Besides, the screen isn't really protected anyway; IIRC applications on most OSes can capture the screen without even admin privileges. After apps are sandboxed into seeing only their own windows we can talk about securing the framebuffer.
How can I believe you when you tell me what I don't want to hear?
No surprises here.
Why, is she a cow?
Somehow, the idea that people would trust incognito mode in a browser made by a company whose profits mainly come from targeted advertising strikes me as really hilarious.
Why? They are two different and not incompatible processes. The company performs analytics and collects information about you to store on its servers. The incognito mode is designed to ensure a trace of the browsing session is not left on your PC.
There is a very big difference between the form of data collection here as well as the result of it. Mother is not going to know I search for dirty things based on Google's data collection.
There is a far simpler way to defeat Chrome's incognito mode: just use it for a while. After some unknown (not forever) period of use, it will start to not forget history even after it's been shut down and restarted. At least in 'Version 44.0.2403.107 (64-bit)' running in Linux Mint.
Is NVIDIA really to blame for all of this? I mean, on most Macs with NVIDIA cards, the default driver has been written by Apple. Only a few users download the so-called official drivers from NVIDIA. Most Mac users are pretty clueless about such things as keeping graphics card drivers up to date.
And, if you are allocating a framebuffer, wouldn't it be a form of best practice for the software developer to clear the contents rather than assuming the driver will do it?
I've got an older GTX 760 running on an HP Z820. I run Ubuntu on this thing and use nvidia-352 drivers. When I log out of GNOME 3 and log back in through LightDM, I see the same exact symptoms. I can see what was previously displayed on my framebuffer, including Firefox and Chromium windows.
>> Chrome advertises its Incognito mode as leaving no traces behind. Therefore, it should be responsible for wiping its framebuffer, just as it clears caches, cookies and history. It's like writing a file shredder that doesn't actually overwrite files, then blaming the OS and hard drive manufacturer for the oversight.
This, this, this!
If it's incognito, it should not trust anyone else to ensure the privacy of the user's data, not even the OS. We already know that it's possible to use CPU cache bugs as a covert channel to snoop on other processes running on your computer; if the application claims to maintain security, it needs to zero the memory itself.
As an aside, a GPU is a better machine for zeroing pages than the main CPU, and won't pipeline stall or time stall the main CPU by doing it, and GPUs are traditionally really good at manipulating large amounts of memory. So one has to wonder: why doesn't nVidia expose a primitive that Chrome can then use to zero the pages of a frame buffer, before or after it is used?
Just after Christmas 2008, I got a then new Macbook Pro. I noticed this issue cropping up often when launching full screen games, fragments from many different windows from previously run programs filled the screen, often with pictures, stills from videos, and text.
That machine just died late last year, and I always kept the OS up to date.
At this point I really don't have high confidence in the competence of Apple's software people.
Looks like you have no clue what incognito mode even does.
Nope, she's a rary!
If you do anything long enough you get good at it and eliciting a response from people is no exception. Politicians, comedians and trolls all work to learn what makes people do something and quick ways to do it. Cheap snark is always good for mod points.
The best thing you can do though is get your comment in early. Nobody reads more than the first few so if you're at the top, get ready for everyone who was about to post the same thought as you to give you votes.
*opens link*
... pornography ... splashed on the screen ...
*closes window*
systemd is Roko's Basilisk.
If you enable 3D mode in your VirtualBox VMs, then you will see the screen buffer contents when you reboot them. Tried this with RHEL7 guests on a Linux host; the host has an NVIDIA card.
Also, with the same NVIDIA setup, if I boot from RHEL into Ubuntu, I can see the RHEL screen buffers in Ubuntu when logging into the desktop.
NVIDIA isn't clearing the buffers properly.
And this is modded down... why? Sounds like a reasonable way to do things to me.
And a reason for me to stay away from NVIDIA blobs (unless they fully document their hardware).
It seems to me to be obvious that NVIDIA is correct and the MacOS behavior is wrong. MacOS is apparently leaking information between users by not zeroing pages. This is almost exactly the same vulnerability as Heartbleed where an exploit could read "too far" and access sensitive memory that had not been zeroed or protected properly.
Who's to say the screen buffer in MacOS does not have all sorts of sensitive credentials and other private information? If the browser wasn't in incognito mode, would this kind of leakage really be OK?
There are two real issues here.
The first is that malicious programs could open up, grab screen buffers, and get access to stuff that had been on the screen to use for their nefarious purposes.
This is bad, and unless we get decent support to isolate the frame buffers (and other graphics memory) between apps at either the driver or hardware layer, it's not going away anytime soon. Don't want this? Power cycling (all the way off, not just hibernate) between application launches would do it.
The second is sloppy programming on the part of non-malicious applications. That's what is being talked about in the application. Diablo apparently asked for a frame buffer, and then presented it, as is, to the user without putting what it wanted in place, trusting for it to be in a particular state. Which it wasn't.
You want a black screen to show to the user, then write zeros into your buffer before you show it to the user. Decent compilers/languages will tell you if you've tried to read from uninitialized variables, and you should never trust that anything you've asked for dynamically is in a safe state, unless you've explicitly requested that it's cleared before being handed to you. Why should a resource from the graphics card be treated any differently?
NVidia is right about one thing here - most of the time, nearly all of the time, the thing you do with that buffer you're given is to write your stuff into it, completely overwriting it, and it would slow things down if they had to guarantee that it was cleared before handing it out to you. If your program doesn't care enough to do so itself, that's not really their fault.
It would be nice if, on program exit, all GPU resources used by that app were flushed, but again, that would involve the OS needing to be told of all the GPU resource allocations and deallocations so it could clean up properly, and that too would probably slow things down. Not a lot, but enough to be annoying when your game stutters.
I keep hearing slashdot talk about all the evil shit that Chrome does behind the scenes. So let's see some sniffer logs or some evidence of Chrome doing something its not supposed to. I'll wait.
Only the State obtains its revenue by coercion. - Murray Rothbard
This has happened and continues to happen REGULARLY on my Windows 7 system with every GPU from the GeForce 7950 GTOC to the GTX 460.
It's NOT an Apple issue. It's solidly an nVidia issue.
That also happens on my iPad using the dolphin browser, fwiw.
Mac graphics has done this for years. It happens with the embedded Intel graphics as well on my old Mac mini. There must be a system level frame buffer somewhere that's not being fully released. This "issue" has been around for more than a decade. I used to see it capturing video on machines, during system startup just before the desktop would appear, and hapless other times during application launch or termination.
As was stated in the linked article, this can only be "exploited" with physical access to the machine and a login. It cannot be exploited remotely, so the chances of this being a problem for someone are slim at best.
As far as I'm concerned, it's *everyone's* fault. What we have here are a bunch of companies that are playing an immature pass the buck game.
Chrome's incognito is supposed to be secure. Wouldn't any reasonable person expect a wipe of used VRAM to be included as part of the cleanup process when an incognito window is closed? I know I would. But they don't, because they expect it to be handled by the driver.
NVidia's driver should be wiping memory that has been released by the calling app. It's *their* driver. Therefore they also share responsibility, unless Apple wrote their own NVidia driver and kept NVidia out of the dev process.
OSX should be taking care to wipe any volatile resources in between passing them from one process to another. That's just basic security.
Microsoft probably already does this, because they've had to deal with idiot vendors for decades who don't do the right thing.
Isn't it very likely that users would have 'regular' Chrome running almost all the time and periodically open up incognito tabs to do banking or just browse pr0n? Once finished, they would close the incognito tabs/windows but would most likely keep Chrome itself running for a good while longer.
Another use case is working in MS Word on two documents at once. One is top secret, the other is not, you finish with the top secret one and close it, but you keep working on the other document, keeping Word open.
In those situations neither the OS nor the graphics driver would get the OK to clear out memory, as the application itself is still running. The OS could (maybe) protect memory assigned to specific apps, if that is possible with video RAM?
Maybe running separate processes for each window/tab sidesteps this?
I have no idea, but certainly this isn't as simple as clearing video RAM after closing an app, since the app isn't closed.
I've seen this, and have been able to reliably reproduce the issue with mplayer, many many times.
https://github.com/x0r1/jellyfish
Please read the above project's docs from 6+ months ago.
DHI, at it again.. :)
"You only have to clear the buffer once on exit."
One of the cases I've heard of this is during a crash. In that case, you may have no clean exit in which to clear the buffer.
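An added illustration of two points raised in this thread (write zeros into your own buffer before you show it, and an exit-time clear never runs after a crash). This is a small C model written for this page, not code from Chrome, Nvidia or the article; the VRAM arena, the allocator functions and the marker byte are constructed stand-ins for a driver pool that hands out memory uninitialised.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-in for driver-owned video memory: one fixed arena that is
 * handed to whichever consumer asks for it next, without any initialisation. */
#define VRAM_SIZE 4096
static uint8_t vram[VRAM_SIZE];

/* Hypothetical driver allocator: returns the raw arena, contents left as-is. */
uint8_t *vram_alloc(void) { return vram; }

/* Hypothetical driver release: scrubbing on release is the optional,
 * performance-costing step the thread argues about. */
void vram_release(uint8_t *buf, bool scrub_on_release) {
    if (scrub_on_release) memset(buf, 0, VRAM_SIZE);
}

/* A session fills the whole buffer with a marker byte (the "secret" frame). */
void session_draw(uint8_t *buf, uint8_t marker) { memset(buf, marker, VRAM_SIZE); }

/* Count bytes of the previous session's marker still visible to the next consumer. */
size_t leaked_bytes(const uint8_t *buf, uint8_t marker) {
    size_t n = 0;
    for (size_t i = 0; i < VRAM_SIZE; i++) if (buf[i] == marker) n++;
    return n;
}

/* One end-to-end scenario: app A draws, exits cleanly or crashes, app B allocates.
 * clean_exit=false models a crash: vram_release is never reached at all.
 * app_clears_on_alloc models app B zeroing the buffer before trusting it. */
size_t scenario(bool driver_scrubs, bool clean_exit, bool app_clears_on_alloc) {
    uint8_t *a = vram_alloc();
    session_draw(a, 0xAB);                              /* constructed secret frame */
    if (clean_exit) vram_release(a, driver_scrubs);     /* crash path skips this */
    uint8_t *b = vram_alloc();                          /* same arena, reused */
    if (app_clears_on_alloc) memset(b, 0, VRAM_SIZE);   /* "write zeros first" */
    return leaked_bytes(b, 0xAB);
}

int main(void) {
    printf("no scrub, clean exit:         %zu leaked\n", scenario(false, true,  false));
    printf("driver scrub, clean exit:     %zu leaked\n", scenario(true,  true,  false));
    printf("driver scrub, but crash:      %zu leaked\n", scenario(true,  false, false));
    printf("app zeroes on alloc, crash:   %zu leaked\n", scenario(false, false, true));
    return 0;
}
```

The only configuration that leaks nothing in every path is the consumer clearing what it was handed, which is the "never trust dynamically allocated state" rule from the post above.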
I'm not paranoid, it's based on an unpleasant incident.
Two years ago, many of my friends complained that they were receiving spam from one of my Outlook.com email addresses. It was weird because it was not the sign-in address for my Outlook.com account; the spam was sent using one of my aliases that I used only with a Google account for non-important stuff (Chrome, Youtube, Google search preferences and such but no Gmail) on one specific machine.
I didn't know how this happened, so I turned off that laptop (which was a spare machine anyway), planning to do a bit of investigation later. Spam stopped. Life caught on, and I forgot about that laptop. About two months later I bought a new desktop computer, and I decided to use that same Google account to sign in to Chrome and other Google services. My Chrome bookmarks came back from the cloud, but also my friends told me that spam from that Outlook.com alias had resumed! So I wiped that machine and also wiped the laptop and never used that Google account anymore. Nor did I use Chrome sign-in again.
I don't know exactly what happened. I guess some kind of nasty Chrome extension made its way into my Google account and used my sign-in address (which was an Outlook.com alias) to spam my contacts, and it got stored with my Google stuff. One way or the other, I'm no longer sharing bookmarks, extensions and similar stuff between my machines.
lucm, indeed.
Which feature films are non-DRM?
Maybe we could have lists of non-DRM movies (probably just Creative-Commons right now)
The Creative Commons movies I can think of are Blender tech demos such as "Big Buck Bunny" and "Sintel". These are shorts, not feature-length.
Even if we establish a DRM-free area in just one genre (e.g. sci-fi), that would still be worthwhile.
I was trying to allude to FSF's guide to DRM-free video, which links to GOG.com's movie section. And last time I checked, GOG.com's movie section was full of video game documentaries and little else.
This is prosumerism, if we cannot buy them, we can make them.
I have a couple questions that would need to be answered before that can become practical: Who pays for their production? And who would pay the damages if, say, it turns out that costume design or music created for the film is an accidental infringement on someone else's work?