|
|
Log in / Subscribe / Register

Matthew Garrett calls for the private, secure desktop

We're bad at marketing

We can admit it, marketing is not our strong suit. Our strength is writing the kind of articles that developers, administrators, and free-software supporters depend on to know what is going on in the Linux world. Please subscribe today to help us keep doing that, and so we don’t have to get good at marketing.

By Nathan Willis
July 30, 2014

GUADEC 2014

Various contributors to the GNOME project gather in person multiple times a year for various hackathons and meetings around the globe, but there is still something different about the annual GUADEC conference. Reports from the project's teams, question-and-answer opportunities with board, and the sheer size of the turnout all combine to make it an unofficial assessment-and-strategic-planning event. At GUADEC 2014 in Strasbourg, France, Matthew Garrett took advantage of that opportunity in his keynote talk; issuing a bold challenge to the project to make user safety and security its paramount concern for future releases.

[Mathew Garrett]

Garrett's keynote was entitled "Why do we desktop?"—and by "we" he meant, specifically, GNOME. First, he asked, "what is the desktop?" It runs on your computer, he said, there is a mouse, and you can click on things and get some things accomplished. But beyond those generic aspects, what people do on "desktop" computers today bears little resemblance to what they did on the first desktop systems a few decades ago. The earliest desktops, he said, were basically multiplexors for running several terminals, and even the first Windows releases centered around running existing DOS programs simultaneously: the emphasis was on providing quick access to multiple streams of information, but users still worked the way they had been working before windowing systems. Plus, he added, they could keep a clock running next to their applications.

Things changed considerably in the 1990s, he continued, as operating system vendors redesigned their desktops to take advantage of Internet access. This was not always a success: he called out Microsoft's Active Desktop effort, in which the desktop itself was supposed to provide integrated Internet access. It frequently crashed and proved confusing, but it was a bold experiment. Vendors and users had both realized that not all of the relevant information had to originate from local applications.

Not much changed for a few years afterward, he said. Desktops got shinier and added translucency; users still wanted to display clocks, and could add multiple clocks to their desktop (sporting exotic themes). Technical changes like hardware-accelerated compositing and special effects became possible. But even then, Linux did not really break into the market in a big way until Google launched its Chromebook and Chromebox projects. At that point, the meaning of desktop changed again: the Chrome OS desktop only exists so that you can open more browser windows, he said. In a sense it replicates the old multiple-terminals model: the desktop is just there to provide access to several browser windows at the same time.

Current reality and adaptation

But "how desktops work" was not the only factor undergoing change over the years, Garrett said. How companies want you to work has also changed—and, largely, not for the better. More and more of our work is bound to our ability to access remote systems. At the same time, people do more of their computing on devices outside of desktops. The big concern, though, is that the commercial operating system vendors see this and have adapted to it for their own advantage.

Microsoft, he said, is adapting by pushing a tightly unified user experience across all of its products. A Windows 8 desktop, Windows tablet, and Windows phone all look exactly the same; on a recent visit to a Microsoft campus, Garrett said, he even noticed that the physical signage on the buildings and the ID badges perfectly reproduced the new Windows style, even down to the aspect ratios.

Apple's response has been different. Mac OS X does not look very different today than it did a decade ago, and it is still distinct from iOS. Instead, Apple is pursuing integrating these disparate platforms by tying them in to the company's platform applications. iTunes is used to manage devices and the desktop alike. The company's App Store works on the iPhone and on a Mac; much of what a user does on a computer can be performed through core Apple applications like iTunes.

Google, too, is trying to integrate its various OS form factors, though it is doing so by tying them all into Google services. That is to say, Chrome OS and Android do not look much alike; the code bases do not use the same components, except for the kernel and a few other individual pieces. But they are all deeply linked into Google services.

The point that often seems to get missed, he said, is that none of these adaptations are actually focused on the needs of the user. The commercial vendors' moves are all geared toward selling more of the company's products—either selling things to the user, or, in the case of Google, selling the user's data to others. They are not designed to increase the user's productivity, he said, much less to preserve the user's privacy.

New world desktops

The trend of desktop designs focusing on revenue rather than user's needs is a problem free software is poised to fix, Garrett said. Furthermore, the world itself is changing in ways that make fixing this problem paramount. As people already know, there are criminals who make a steady living stealing financial information or breaking into systems, locking out the owner, and extorting ransom. And as people have discovered recently, government agencies are actually using desktop software as an avenue to spy on citizens. The concept angers people, he said, as it should. But the commercial OS vendors are ignoring it.

The proper response, Garrett said, is not to try to build "a better desktop" (than the competition); it is to build "a different desktop" that has a different set of priorities. Most of the priorities Garrett enumerated will likely not surprise free-software advocates.

A desktop must be secure, he said; if an attacker compromises LibreOffice, the attacker should not also gain access to all of the user's data. It must also respect and preserve privacy, he said. Integrating communication channels with Tor is good, but not enough. Everyone knows that applications themselves leak personal data, too. Applications should, instead, recognize a "privacy mode" requested by the desktop environment and respect it. They should also make it easy for the user to know that their privacy is being safeguarded. Finally, such a desktop must be open to inspection, so that it is auditable and so that users can see what happens when a flaw is discovered and corrected. "We should be embarrassed when we fail," he said, "then we should fix the flaw and move forward."

If there is to be a desktop that makes these principles its priority, Garrett said, that desktop should be GNOME. GNOME is free from corporate control, he said, which is not even the case for other free software desktop projects. It is also transparent; the designs, discussions, and decisions in the project are open for everyone to see. And GNOME is a diverse project. That makes it capable of serving the needs of users from anywhere in the world.

Garrett pointed out current discussions and work within GNOME that fit his list of priorities: application sandboxing and Wayland, for example, are both vital for security. Other priorities might take new work. GTK+ widgets and window decorations could be made to change their appearance or color in response to privacy-protection features, for instance.

Although the audience was, to be sure, on Garrett's side during the discussion of priorities, he ended his talk by making a more direct challenge to the project, asking who the "GNOME user" should be. The audience replied with a perhaps predictable "everyone," but Garrett pointed out that this goal in fact means addressing some users who are typically left out.

Those ignored users include web developers, for instance. Garrett noted that he recently attended an OpenStack event and saw that the majority of the developers were writing open source Python code on Linux, but doing so over SSH sessions from their Apple laptops. At home, they used those same laptops to watch video and listen to music content on a proprietary operating system. OS X is not helping these people do their work, he said, but just as importantly, GNOME is not serving them the rest of the day, and it should.

Similarly, he said, free software is usually dismissive of gamers who play proprietary games. Steam has solved a lot of the problems with getting and running games on a Linux desktop, he said, but GNOME needs to care about these users, too, even if those users are not aligned with free software's philosophy. "They deserve to be secure, too, and to have as much privacy as we can give them," he said. Their interest in running proprietary software does not make them less deserving of security and privacy.

Ultimately, he concluded, GNOME needs to look at as many users as possible, and serve them. A desktop project that says "you didn't watch the news last week and install all of the security updates released in response to that vulnerability? Too bad; it's your fault" is not serving the user. The project will face challenges if it attempts to push forward on these points, "but if we don't do this, who will?" he asked.

[The author would like to thank the GNOME Foundation for travel assistance to attend GUADEC 2014.]

Index entries for this article
SecurityDesktop
SecurityPrivacy
ConferenceGUADEC/2014


to post comments

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 9:11 UTC (Thu) by intgr (subscriber, #39733) [Link] (11 responses)

The obvious first step would be to rip out libvte from GNOME Terminal because its developers refuse to consider an option not to write all terminal output persistently to disk, which is a security and privacy leak.

But the reality is, while some GNOME developers might care about privacy, others don't and there is no way to consistently enforce such a vision. Only people familiar with the fine details of the programs they're using (or avoiding) will be able to have privacy, certainly not the ordinary user.

Of course I would be happy to be proven wrong.

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 16:38 UTC (Thu) by ebassi (subscriber, #54855) [Link] (9 responses)

have you even read the bug, especially comment #4, which outlines a plan on how to implement what you ask?

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 19:01 UTC (Thu) by intgr (subscriber, #39733) [Link] (8 responses)

Yes I have. That comment is from 2012 March and nothing has been done until now. It's not what I asked for: it's just plain silly to write things to disk that don't need to be persistent (for more reasons than privacy). And I don't have much confidence in someone's ability to get cryptography right when they're talking about "DES3" in 2012.

For contrast you can look at how browser vendors deal with privacy.

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 21:06 UTC (Thu) by rleigh (guest, #14622) [Link]

The other bad side effect is to make the desktop unusable over NFS. VTE isn't the only desktop component guilty of this by a long shot. I've had equally bad experience with KDE applications freezing up the entire desktop as it blocked on writing .xsession-errors and similar, though that was due to the over-verbose logging enabled by default. There's a simple rule here: don't do unnecessary filesystem I/O; unfortunately, this seems to have been forgotten by all the desktops as they cease to test their stuff on anything but single-user desktops using local filesystems. Another reason why I'm gradually using the Linux "desktop" less and less.

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 23:08 UTC (Thu) by mjg59 (subscriber, #23239) [Link] (6 responses)

RAM is a more limited resource than disk. It makes absolute sense to write something to disk rather than keep it in RAM, especially if you'd need to mlock() it to avoid exactly the same security issue.

The appropriate thing to do is probably to ensure that there's a userspace-encrypted filesystem mounted somewhere under ~ with a per-session key, and then just ensure that any applications that want to store ephemeral data make use of that. No reason to force duplicate code into a large number of different places.

Matthew Garrett calls for the private, secure desktop

Posted Aug 1, 2014 12:25 UTC (Fri) by robbe (guest, #16131) [Link] (3 responses)

> RAM is a more limited resource than disk.

What are typical sizes for these buffers? Moderate needs (average of 80 columns, 10000 lines, mostly ASCII) will result in about 860 kiB of data per tab.

Even a barebones page like this one takes about 3 MiB in Firefox.

If you are somewhat security sensitive, the first thing to encrypt is swap (or turn it off). Its better to assume memory is safe than assuming any random disk location is.

Matthew Garrett calls for the private, secure desktop

Posted Aug 1, 2014 12:29 UTC (Fri) by mjg59 (subscriber, #23239) [Link] (1 responses)

Typical's not really relevant here - worst case is. I've had >100MB of backscroll in multiple terminals at once.

Matthew Garrett calls for the private, secure desktop

Posted Aug 1, 2014 15:13 UTC (Fri) by mstone_ (subscriber, #66309) [Link]

Even then, how can you look at a current Gnome system and say: "that 100MB of scrollback is where all my memory went!"? The gnome terminal has always been a slow/huge program, and it seems that the optimizations that are made are not the ones that are actually needed.

Matthew Garrett calls for the private, secure desktop

Posted Aug 1, 2014 14:42 UTC (Fri) by tao (subscriber, #17563) [Link]

Don't forget that each individual character can have attributes (colour, etc.) and can be unicode -- hence we're not talking 8-bit/character, but quite a bit more.

That said, I suspect that most modern system could cope well with having the backlog in RAM.

Matthew Garrett calls for the private, secure desktop

Posted Aug 7, 2014 9:31 UTC (Thu) by Wol (subscriber, #4433) [Link]

> The appropriate thing to do is probably to ensure that there's a userspace-encrypted filesystem mounted somewhere under ~ with a per-session key, and then just ensure that any applications that want to store ephemeral data make use of that.

There's nothing new under the sun ...

Apart from encryption, I was using this feature on a (Perkin Elmer?) mainframe in the early 80s ... log out, and your temporary file system vanished.

Cheers,
Wol

Matthew Garrett calls for the private, secure desktop

Posted Aug 7, 2014 9:37 UTC (Thu) by Wol (subscriber, #4433) [Link]

> RAM is a more limited resource than disk.

Okay, I'm a techie who knows what I'm doing, but all my systems have large amounts of swap, and make heavy use of tmpfs.

I take the maximum ram capacity of my motherboard (here 16Gb), multiply by 2 (32Gb), and have a swap partition that size on every disk (maybe a fraction of one percent of the disk?).

That gives me a usable memory space on this system of 112Gb :-)

Yes, I know RAM is a limited resource, but for a desktop system how often does the system ever descend into swap? It's not common.

Cheers,
Wol

Matthew Garrett calls for the private, secure desktop

Posted Aug 1, 2014 0:08 UTC (Fri) by ovitters (guest, #27950) [Link]

> But the reality is, while some GNOME developers might care about privacy, > others don't and there is no way to consistently enforce such a vision.

Privacy has to be judged each time. I don't think writing to disk is a big threat to privacy. You're saying "consistently enforce", which is IMO the wrong approach. You want people to take privacy into account. First thing is IMO ensuring that to have an encrypted disk everything easily works.

There are going to be gaps and privacy is pretty wide term. Lots of things can fall under that. But there is no need to call for "forcing", there is a group who can force things: GNOME release team. I'm part of that, and IMO enforce is the wrong approach. I think something like that will end up as checking tickboxes, without actually ensuring a good privacy. Not to say that e.g. this bug is not important. Just that going for "enforcing" means you'll just limit yourself in your thinking.

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 14:33 UTC (Thu) by flussence (guest, #85566) [Link] (5 responses)

> GNOME is free from corporate control, he said, which is not even the case for other free software desktop projects.

I note several things wrong with this statement and surrounding text:

* It's false. Take a glance at the GUADEC sponsors page to see which corporate players keep GNOME afloat, both through paying the bills and writing the code. No surprise to see RedHat at the top there. I'd be interested to see an average GNOME release's git commit statistics.
* Assuming it were true, it implies that corporations are malicious and/or incompetent, and that projects they maintain are inferior. That's hardly a nice thing to say about Mozilla, or whoever's providing GNOME's web browser backend this week.
* The secondary implication that GNOME considers itself above those other FOSS projects. Which is kind of a self-defeating attitude.

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 16:36 UTC (Thu) by ebassi (subscriber, #54855) [Link] (3 responses)

so, it helps if you want to rebuke something to actually get some facts right.

* the members of the GNOME Foundation advisory board are there in advisory capacity only: they do not dictate the technological direction of the project; and while companies hire GNOME developers, the majority does not hire them to work on GNOME, but to work on their products that may or may not be GNOME-based. GNOME existed before the GNOME Foundation existed, and if the Foundation would go away (which would be problematic, since we use the Foundation to hold donation money from everyone, users and companies alike), the GNOME project would keep existing as long as somebody keeps committing code, documentation, tests, translations, etc. to the code repositories.

* what does that even mean, and how did you even infer that connection? also, the web browser backed was switched *once* from Gecko to Webkit years ago, not "last week", since Gecko does not allow embedding any more.

* GNOME considers itself as a Free and Open Source Project because we are one. we are situated in a unique position to provide a free, open, secure, and respectful of user privacy environment for users.

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 18:54 UTC (Thu) by jospoortvliet (guest, #33164) [Link] (2 responses)

What percentage of work on GNOME is done by people working for the top and top three corporate contributors? Those numbers would be facts that can refute the parent, not this handwaving.

Matthew Garrett calls for the private, secure desktop

Posted Jul 31, 2014 23:12 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

The company with the largest number of paid GNOME contributors decided that the default GNOME desktop wasn't what they wanted to ship and so shipped something else instead. If they exerted significant corporate control, is that really a plausible outcome?

Matthew Garrett calls for the private, secure desktop

Posted Aug 1, 2014 2:34 UTC (Fri) by ebassi (subscriber, #54855) [Link]

as former director of the board of the GNOME Foundation I like to think I know a bit more than you about how corporate sponsorship works in the GNOME project, and how it affects the technical direction of the project itself — which was the issue raised by the OP. I don't need to "handwave" the fact that how bylaws prevent electing more than 2 people on a board of 7 directors from the same company; or the remit of the advisory board. or the fact that we don't have CLAs or contribution agreements in place for GNOME technology. companies cannot influence GNOME's direction through license or sponsorship.

as for "influence through hiring": the last census was done in 2010, and it showed how much of a volunteer-driven project is GNOME. it would be interesting to see a new census, but I highly suspect that the numbers would be pretty much the same, ignoring some companies that do not exist any more.

if you actually ask GNOME developers employed by various companies, you would also see how they consider themselves GNOME developers first.

on top of it all, as Matthew said, the company that is perceived as being the main corporate backer of GNOME is shipping their product, which supposedly was made by paying a lot of GNOME developers, using a different version of the GNOME, and not its default user experience. if Red Hat had actual control over the GNOME technical direction, you would see the GNOME Classic desktop as the default, not as an option.

Matthew Garrett calls for the private, secure desktop

Posted Aug 1, 2014 0:13 UTC (Fri) by ovitters (guest, #27950) [Link]

* how does sponsorship relate to corporate control?
* how does it imply that corporations are malicious? mjg gave examples where e.g. a corporation will strive to maximize profit. That's NOT malicious, but it can conflict
* mjg speaking about GNOME is not a statement made by GNOME

Note: GNOME is very nice and friendly, no need for this type of "assume bad will", there is none.

Matthew Garrett calls for the private, secure desktop

Posted Aug 1, 2014 16:44 UTC (Fri) by njwhite (guest, #51848) [Link] (3 responses)

It's interesting to talk about how we could provide a more private desktop to people by accepting their proprietary software. Proprietary software is more-or-less antithetical to privacy and security; it is software which explicitly and deliberately prohibits inspection or change for any purpose.

One could argue that our focus on genuine security and privacy (aka software freedom, here) has alienated those who are happy giving up their privacy in exchange for some games or videos. I don't see how we could say honestly "our system respects your privacy, and works great with netflix". The two are pretty fundamentally at odds.

I prefer the argument "our system respects your privacy, and look, here's bittorrent, now you don't have to make yourself so vulnerable." Obviously it has problems too, but at least it feels more consistent.

I suppose the real argument that Garrett is making is that we should use things like apparmor and selinux to constrain malicious proprietary software, that we are implicitly encouraging people to fund the development of, and that by design still generally spys on its users. I suppose we could. But that doesn't sound great to me.

The problem seems to be that most people are ignorant (or perhaps accepting, but I'm an optimist) of how much they are giving up to use these horrible systems. I don't think "meeting them halfway" is a great idea, but rather we need to try to explain more clearly why ours is a private and secure system, and what that means, and that some things that many currently take for granted as "the way things work" should not be tolerated. Perhaps it is a losing battle. But it is right.

Matthew Garrett calls for the private, secure desktop

Posted Aug 4, 2014 11:58 UTC (Mon) by Seegras (guest, #20463) [Link] (1 responses)

> some games or videos.

Videos? There is nothing in "videos" which has any privacy implication. The most modern video players and codecs are all open source.

Of course, it might be the that you lump them into "non-free", because some people have been illegally granted patents on them, but that doesn't make them less "free software" in copyright terms; especially since the patent holders aren't actually the programmers of the software, but just a bunch of criminal rent-seekers.

Matthew Garrett calls for the private, secure desktop

Posted Aug 4, 2014 12:59 UTC (Mon) by njwhite (guest, #51848) [Link]

Sorry if I wasn't clearer, I was refering to proprietary video file download services like Netflix, iTunes, and Amazon's Instant. All of which are very privacy invasive.

Matthew Garrett calls for the private, secure desktop

Posted Aug 4, 2014 15:21 UTC (Mon) by raven667 (subscriber, #5198) [Link]

EVERYTHING on the Internet is a privacy violation, every website, every Ad network and every IP service provider are gathering and correlating as much information as they can about you for those who can pay to use that information against you in some way. The only way to avoid that is to go full Amish/Secret Agent Cipher and completely restructure your life around privacy and security, which only very few people are willing to do, most people are generally accepting of the privacy implications of using Internet services even if they are ignorant of the specific technical details. They will become less accepting if there is a clear demonstration of harm, but as long as the information is used behind the scenes then there is no practical downside.

I think from a technical perspective there are a number of things we can do to make the desktop itself help rather than hinder the privacy-minded user, but the user is ultimately responsible for what they want to run and it's not our job to pass judgement that they are bad people for wanting to share in the dominant culture, watch movies, play games and dictate that they cannot do so by putting in technical roadblocks.

If we are going to care about privacy then as a people and a culture and citizens of nation-states we need to establish laws that limit data retention and usage, disclosure procedures for what is gathered and how it is used, strong audit and punishment based on the popular will. Fundamentally this is a political problem and not a technical one, as a people we haven't articulated what is acceptable behavior in a way that can be enforced.

If you ask the people to weigh in on privacy you also have to accept that the answer you get may not be the one you want, there have been a number of "wake up calls" in the popular media letting people know what is going on and the reaction seems to have a lot of "meh", younger people are used to less privacy and more personal openness than previous generations. What people are "used to" will greatly inform what is considered generally acceptable.

Matthew Garrett calls for the private, secure desktop

Posted Aug 5, 2014 17:59 UTC (Tue) by Tet (subscriber, #5433) [Link]

none of these adaptations are actually focused on the needs of the user

I know I'm late to the party here, but the obvious rebuttal to that is that neither is GNOME3. Having recently installed a modern distribution on a new laptop, I have to say I've been astounded at how bad a user experience GNOME3 delivers. I'd heard the rumours, but I hadn't realised it was quite that bad. And no, it's not that it's just different. It's actively bad. Perhaps not for everyone. But certainly for enough people that it needs to be fixed.

Matthew Garrett calls for the private, secure desktop

Posted Aug 7, 2014 8:06 UTC (Thu) by Rehdon (guest, #45440) [Link]

"The trend of desktop designs focusing on revenue rather than user's needs is a problem free software is poised to fix, Garrett said."

"If there is to be a desktop that makes these principles its priority, Garrett said, that desktop should be GNOME."

"Ultimately, he concluded, GNOME needs to look at as many users as possible, and serve them."

Couldn't help to laugh here, bitterly though ...

Rehdon

Matthew Garrett calls for the private, secure desktop

Posted Aug 7, 2014 15:44 UTC (Thu) by nye (guest, #51576) [Link]

This article needs more context, because it's clearly talking about a different GNOME project than the one I know. And quite possibly a different universe.


Copyright © 2014, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds