Keyring passwords visible after login without second password prompt
humphreybc
October 27th, 2009, 12:27 AM
Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?
But then when I change CPU Frequency scaling, I'm prompted to enter my admin password?
O.o
How to reproduce:
1. Restart your computer and login. Do not enter any passwords after your desktop has loaded.
2. Go to Applications > Accessories > Passwords and Encryption Keyrings
3. Click on the 'Login' folder to drop down and view the programs that store data here.
4. Double click on something you want to look at.
5. Click Password to show some dots, then uncheck the box below the dots marked "Show password"
6. Note that throughout this whole procedure, not once were you prompted* to enter in anything that verifies you are authorized to view this information.
*The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow.
Links all in one place:
Bug report filed on Launchpad (https://bugs.launchpad.net/seahorse/+bug/189774)
OMG! UBUNTU! Blog Post (http://www.omgubuntu.co.uk/2009/10/security-issue-in-gnome-lets-anyone-see.html)
Gnome-keyring mailing list (http://mail.gnome.org/mailman/listinfo/gnome-keyring-list)
Gnome Keyring Security Philosophy (http://live.gnome.org/GnomeKeyring/SecurityPhilosophy)
Ubuntu Brainstorm Idea (http://brainstorm.ubuntu.com/idea/22120/)
-------
TrueJournals
October 27th, 2009, 12:48 AM
Because you already entered your password once? Lock your screen when you leave your computer if you don't want others to see this information...
renkinjutsu
October 27th, 2009, 12:59 AM
gksu and sudo have the 15 minute period where you don't have to type in a password for administrative tasks
Crunchy the Headcrab
October 27th, 2009, 01:01 AM
gksu and sudo have the 15 minute period where you don't have to type in a password for administrative tasks
Is it that long? That's too long for my tastes. I'm gonna change my sudoers file.
michaelzap
October 27th, 2009, 01:09 AM
Because you already entered your password once? Lock your screen when you leave your computer if you don't want others to see this information...
It does seem odd to me that you're not required to enter your password again here. I realize that this is not being done as a superuser and that's probably why, but perhaps viewing the password should require you to re-enter your user password. It doesn't seem like a good idea to allow anyone to view your entered passwords for things like email accounts and whatnot unless you lock your screen or logout.
TrueJournals
October 27th, 2009, 01:17 AM
Regardless, this is something that requires physical access, which is the biggest security hole in the first place. Why would you leave your computer without locking your screen if you're worried about security?
michaelzap
October 27th, 2009, 01:28 AM
Regardless, this is something that requires physical access, which is the biggest security hole in the first place. Why would you leave your computer without locking your screen if you're worried about security?
Both true and irrelevant. It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that.
sliketymo
October 27th, 2009, 01:30 AM
Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?
But then when I change CPU Frequency scaling, I'm prompted to enter my admin password?
O.o
*The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow.
:popcorn: It's your computer, isn't it? I am sure that if you are concerned about your personal information, you're not going to leave your machine lying around, powered up, with your keyring open.
humphreybc
October 27th, 2009, 01:41 AM
All valid points, but, regardless of individual situations I still think that you should not be able to view important passwords without first validating that you are indeed the owner of the accounts they belong to.
prshah
October 27th, 2009, 01:43 AM
Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?
This is big; you should file a bug report, I guess. No matter what the justifications offered, your keyring passwords should not be opened with prompting for a password. (I don't even get the prompt to allow the keyring to be opened).
talent03
October 27th, 2009, 01:58 AM
Why is it that when I go to Applications > Accessories > Passwords and Encryption Keys I can click on Passwords, then expand 'login' and then I can see my passwords for my MSN account and wireless networks I connect to without once being prompted for my user password?
But then when I change CPU Frequency scaling, I'm prompted to enter my admin password?
O.o
*The only prompt is asking if it's allowed access to the keyring, to which anyone can click allow.
Although it does feel disconcerting at first, I got used to putting the system on guest or locking it before leaving the computer and/or handing it to someone. I suppose it is your machine so for me on laptops I do the above and on desktops I manage separate users.
humphreybc
October 27th, 2009, 02:35 AM
This is big; you should file a bug report, I guess. No matter what the justifications offered, your keyring passwords should not be opened with prompting for a password. (I don't even get the prompt to allow the keyring to be opened).
Could someone else post a bug report for me please? Feel free to use my attached image as a demo. I would do it, but I'm a bit tied up with a non-booting system. (http://ubuntuforums.org/showthread.php?p=8173148)
DodgeV83
October 27th, 2009, 03:32 AM
Wow, blatant security flaw indeed!
the.lost.one
October 27th, 2009, 03:40 AM
If the sudo command asks for password, accessing other partitions asks for password, update manager asks for password, if the wireless access point is turned off for a while it keeps asking for password (annoying since Windows can reconnect automatically when the access point becomes available), why can't accessing keyring and stored passwords require asking for password???
Bachstelze
October 27th, 2009, 03:52 AM
Both true and irrelevant. It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that.
Orly? See attachment.
If the sudo command asks for password, accessing other partitions asks for password, update manager asks for password, if the wireless access point is turned off for a while it keeps asking for password (annoying since Windows can reconnect automatically when the access point becomes available), why can't accessing keyring and stored passwords require asking for password???
Because accessing your personal data doesn't require administrator access. Protecting your personal data is your responsibility, not the system's.
the.lost.one
October 27th, 2009, 04:35 AM
"Protecting your personal data is your responsibility, not the system's."
And I want to protect it by making the system ask for a password to access it. But the system provides no such option. It asks for a password to access other partition which neither has any linux system files nor any other OS files. I don't see much difference between the two from a user's perspective.
And shouldn't accessing system wide keyring be a higher privileged operation?
It's all about having layers of security.
TrueTom
October 27th, 2009, 04:45 AM
Orly? See attachment.
Trying to prove that Windows shows your passwords in cleartext by showing a screenshot of a third party application is somewhat stupid?
ad_267
October 27th, 2009, 04:51 AM
Even though I understand why this is the case, I'd agree with requiring a user to enter their password before showing their stored passwords.
imafatmess
October 27th, 2009, 04:51 AM
Because accessing your personal data doesn't require administrator access. Protecting your personal data is your responsibility, not the system's.
Let's just say someone had a computer which has automatic login enabled (like me, because Karmic's boot time is so slow) and then, without any password needing to be entered, WHATSOEVER, someone who decides they want to access my computer now can see all my passwords for every single program with just a few clicks. Yes, this is our own responsibility, but SURELY there should be an option to password protect our whole keyring? I know you will probably tell me there is a way, and feel free to tell me, but it's not obvious
Bachstelze
October 27th, 2009, 04:54 AM
Trying to prove that Windows shows your passwords in cleartext by showing a screenshot of a third party application is somewhat stupid?
Last I checked, Pidgin and NetworkManager were third-party applications, too. Also Gnome.
I know you will probably tell me there is a way, and feel free to tell me, but it's not obvious
I have no idea. I use KDE.
MacUntu
October 27th, 2009, 05:09 AM
Anyone care to share steps to reproduce?
Besides I'm totally with replies #2, #3, and #15.
humphreybc
October 27th, 2009, 05:35 AM
Anyone care to share steps to reproduce?
Besides I'm totally with replies #2, #3, and #15.
1. Restart your computer and login, make sure you never enter any passwords after your desktop has loaded. Don't do any sudoing or anything.
2. Go to Applications > Accessories > Passwords and Encryption Keyrings
3. Click on the 'login' folder to drop down and view programs that store data here.
4. Double click on something you want to look at.
5. Click Password to show some dots, then uncheck the box below the dots marked "Show password"
6. Note that throughout this whole procedure, not once were you prompted to enter in anything that verifies you are authorized to view this information.
Ways to solve: Change how this data is stored or prompt to enter in your user password to view your user data.
MacUntu
October 27th, 2009, 05:43 AM
I've asked because that's exactly what I did and I couldn't reproduce it. Do you have autologin enabled? Maybe an empty keyring password?
the.lost.one
October 27th, 2009, 05:48 AM
What's the point of having a keyring password when that password is never ever asked?
Those who do not agree to having a choice for prompting for password, should remove their user passwords and remove even the option to have user login passwords. After all you guys are saying rely ONLY on physical security. Because according to your view, locking the screen is useless as well since anyone can access your data through a live CD/DVD.
the.lost.one
October 27th, 2009, 05:52 AM
I've asked because that's exactly what I did and I couldn't reproduce it. Do you have autologin enabled? Maybe an empty keyring password?
Did it ask you to enter a password or just click the allow button?
MacUntu
October 27th, 2009, 05:55 AM
Ha, got me - yes, I now can reproduce it. Autologin enabled, non-empty keyring password.
humphreybc
October 27th, 2009, 06:19 AM
Hmm I don't have Auto login enabled. I'm pretty sure my keyring has a password, I just did a fresh install though... how to check?
Keyper7
October 27th, 2009, 06:48 AM
Those who do not agree to having a choice for prompting for password, should remove their user passwords and remove even the option to have user login passwords. After all you guys are saying rely ONLY on physical security. Because according to your view, locking the screen is useless as well since anyone can access your data through a live CD/DVD.
The keyring only allows the user, logged in, to access the passwords. A live CD/DVD wouldn't work.
The Gnome keyring is based on three simple principles:
1) If someone is logged in as user X, he is user X and has already proved his identity at login.
2) If someone is not logged in as user X, he is not user X and cannot see the passwords of user X. That includes the live CD user.
3) In the unlikely event that someone logged in as user X is NOT user X and has malicious intentions, the mere fact that this person is using user X's account is already a massive security hole as far as personal info is concerned. Imposing security restrictions for this situation is sacrificing usability for minimal security gain.
For more info, see the security philosophy of Gnome keyring (http://live.gnome.org/GnomeKeyring/SecurityPhilosophy).
If you disagree with this, go discuss in the keyring mailing list. But do not report bugs, this is by design.
humphreybc
October 27th, 2009, 08:08 AM
The keyring only allows the user, logged in, to access the passwords. A live CD/DVD wouldn't work.
The Gnome keyring is based on three simple principles:
1) If someone is logged in as user X, he is user X and has already proved his identity at login.
2) If someone is not logged in as user X, he is not user X and cannot see the passwords of user X. That includes the live CD user.
3) In the unlikely event that someone logged in as user X is NOT user X and has malicious intentions, the mere fact that this person is using user X's account is already a massive security hole as far as personal info is concerned. Imposing security restrictions for this situation is sacrificing usability for minimal security gain.
For more info, see the security philosophy of Gnome keyring (http://live.gnome.org/GnomeKeyring/SecurityPhilosophy).
If you disagree with this, go discuss in the keyring mailing list. But do not report bugs, this is by design.
Thanks for clarifying. I guess this does make sense. But then why do I have to enter in my password for a whole host of other things, when I have already proved that it's me at login?
And also, Ubuntu can run for a long amount of time without being rebooted or logged in/out, so surely there should be some sort of timer, perhaps 3 hours, where the user needs to re-prove that it is still the correct user when he/she tries to access seahorse passwords in the keychain.
All I'm saying is that it would be simple to add in a prompt for you to enter in your user password before you are allowed to see the passwords for these things.
The email account and password in particular is very sensitive and important to most people, so more should be done to protect any access to these sorts of user details.
Just my opinion.
Peter09
October 27th, 2009, 08:28 AM
I find this to be poor security because it assumes that the security level of passwords stored on the machine relate to the level of security of the machine itself.
e.g. Let's say a user is working in an open environment where colleagues and passers by will have intermittent access - say while the person goes for a coffee. This is ok because a) the user is never away very long and b) there is no secure information on the actual machine.
However there may be times when the user accesses a more secure environment, say a particular WiFi network, located elsewhere, even his own personal network at home. Under these circumstances a casual viewer can easily gain access to passwords and keys.
handaxe
October 27th, 2009, 08:31 AM
Thanks for clarifying. I guess this does make sense. But then why do I have to enter in my password for a whole host of other things, when I have already proved that it's me at login?
The password entry for "sudo" etc achieves an elevation of privileges to those you normally do not hold. Your login thus is no proof in the case of "root-like" powers.
Given all that is written here, I think a case can be made for a design change, motivated on the grounds that an OS should help a user and preventing a severe security breach during a few moments absence at the keyboard is both sensible and helpful.
my 0.02c...
HA
humphreybc
October 27th, 2009, 08:39 AM
The password entry for "sudo" etc achieves an elevation of privileges to those you normally do not hold. Your login thus is no proof in the case of "root-like" powers.
Given all that is written here, I think a case can be made for a design change, motivated on the grounds that an OS should help a user and preventing a severe security breach during a few moments absence at the keyboard is both sensible and helpful.
my 0.02c...
HA
Nicely summed up. Who/how do we poll for a design change? Or is there already a contributor to this thread who could alert someone or do something about it?
MacUntu
October 27th, 2009, 08:49 AM
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
So your request is basically that the keyring gets closed after a user defined amount of time, right?
chrisccoulson
October 27th, 2009, 08:52 AM
The behaviour described here is completely normal. By default, the "login" keyring is unlocked by your login password when you log in. The login keyring is used for storing things like WPA passphrases and passwords for email accounts. Without this, you would be prompted for a password each time you connected to a wireless network and each time you opened Evolution etc.
You can create extra keyrings which aren't unlocked automatically when you log in. I do this for my Evolution accounts. When you do this, any application which attempts to access the keyring will trigger a password prompt, to allow the application to authenticate and access the keyring. When you see this, you have the option of allowing the particular application to access the keyring only once, or forever (in which case, you won't get any further password prompts each time that application attempts to access the keyring - this only applies to the application you gave explicit permissions to, and you can revoke the permissions later on).
So, there really is no bug here. Passwords aren't stored in plain text anywhere on disk, so you can't just view them. And changing the default behaviour of the login keyring will really annoy users when they get a password prompt to unlock the keyring each time they reconnect to their wireless network.
Also, remember that Pidgin stores your account passwords in plaintext on your hard disk. Pidgin doesn't use the keyring, and AFAIR the Pidgin developers aren't interested in doing this either. Empathy does store your account passwords correctly though.
handaxe
October 27th, 2009, 09:03 AM
Launchpad bugs has a "wishlist" category but that gets set by triagers and not the bug submitter (or has that changed?). On Launchpad at the mo', "Wishlist" seems to mean "classify and forget". (Do devs ever pass on wishlist items upstream?). Seahorse is a gnome project ( http://projects.gnome.org/seahorse/ ) and you should try there (at source so to speak).
HA
humphreybc
October 27th, 2009, 09:04 AM
Yeah but we're not asking for anything to be changed regarding how they are stored or how the keyring is unlocked.
Just for a password prompt when trying to view the saved passwords.
I'm not an expert on keyrings by any means, but from my perspective, it does seem a bit silly to have secure passwords accessible from the main menu! Regardless of anything else, this isn't ideal.
humphreybc
October 27th, 2009, 09:09 AM
Launchpad bugs has a "wishlist" category but that gets set by triagers and not the bug submitter (or has that changed?). On Launchpad at the mo', "Wishlist" seems to mean "classify and forget". (Do devs ever pass on wishlist items upstream?). Seahorse is a gnome project ( http://projects.gnome.org/seahorse/ ) and you should try there (at source so to speak).
HA
I just fired off an email to the Seahorse mailing list with a link to this thread. We'll let the experts have a look at our argument and see what they have to say.
scaine
October 27th, 2009, 09:12 AM
Yeah but we're not asking for anything to be changed regarding how they are stored or how the keyring is unlocked.
Just for a password prompt when trying to view the saved passwords.
I'm not an expert on keyrings by any means, but from my perspective, it does seem a bit silly to have secure passwords accessible from the main menu! Regardless of anything else, this isn't ideal.
Exactly true. If anyone here has ever used the excellent KeePassx (password management) software, that's what it does. You open your "keyring" of passwords, crucially by supplying a password. It can also go one better though. Not by default, but you can ask it to allow viewing of usernames only - and if you want to open the password view, it prompts for your password again to prove it's you.
This behaviour is absolutely vital in the corporate environment where although you might trust your colleagues, you certainly don't want any old passer-by spotting your (foolishly unlocked) PC while you grab a coffee, then popping on and grabbing all your passwords!
I'm astonished that the Seahorse behaviour is being defended on these forums.
scaine
October 27th, 2009, 09:14 AM
I should add that Seahorse and Keepassx aren't really comparable products (although they sound similar), but the way they handle password viewing is an absolutely relevant comparison here.
Just in case someone suggests that if I love Keepassx so much, why don't I use it instead... ;)
Keyper7
October 27th, 2009, 09:35 AM
I think a case can be made for a design change, motivated on the grounds that an OS should help a user and preventing a severe security breach during a few moments absence at the keyboard is both sensible and helpful.
That feature already exists. It's called "locking the screen".
This behaviour is absolutely vital in the corporate environment where although you might trust your colleagues, you certainly don't want any old passer-by spotting your (foolishly unlocked) PC while you grab a coffee, then popping on and grabbing all your passwords!
Then don't leave your PC "foolishly unlocked".
mcduck
October 27th, 2009, 09:36 AM
I find this to be poor security because it assumes that the security level of passwords stored on the machine relate to the level of security of the machine itself.
e.g. Let's say a user is working in an open environment where colleagues and passers by will have intermittent access - say while the person goes for a coffee. This is ok because a) the user is never away very long and b) there is no secure information on the actual machine.
However there may be times when the user accesses a more secure environment, say a particular WiFi network, located elsewhere, even his own personal network at home. Under these circumstances a casual viewer can easily gain access to passwords and keys.
That's what locking your screen is for.
Remember, if you leave your computer running, unlocked and unattended, you are not only compromising your passwords but also all your files. If you do that, complaining about the passwords is a bit pointless.
Still, I'd have nothing against asking for your keyring password again to view saved passwords, but I must say I don't really find that as any significant change in security since the keyring is already unlocked anyway, so the actual keys are usable. And, like I said, computers left unattended are insecure anyway, and should at least be locked if you care even a bit about your security...
adalal
October 27th, 2009, 09:42 AM
Well, like everyone mentions, it's best if you lock your screen if you want no one to access it.
If you're that worried, you might as well know that Firefox has the same policy where you can simply click on 'show passwords' somewhere under the preferences menu. True, you can lock it, but then you will need to enter the password each time you'd want the password to autofill, kinda counter-productive in that case....
handaxe
October 27th, 2009, 09:49 AM
That feature already exists. It's called "locking the screen".
Then don't leave your PC "foolishly unlocked".
I was referring to being helpful for those of us who are imperfect......;)
HA
michaelzap
October 27th, 2009, 09:52 AM
I find this to be poor security because it assumes that the security level of passwords stored on the machine relate to the level of security of the machine itself.
Exactly! The keyring encrypts stored passwords for a reason (unlike Filezilla, Pidgin, and a number of other apps that take this less seriously). It makes no sense to me to display those passwords in clear text without requiring confirmation that you are the correct user.
The security of the keyring application could be easily improved by simply adding a password confirmation dialog in order to view them in clear text. It's that simple. Telling people they should lock their screen instead is allowing your pedantry to get in the way of improving Ubuntu's security in various real-life situations.
michaelzap
October 27th, 2009, 09:54 AM
If you're that worried, you might as well know that Firefox has the same policy where you can simply click on 'show passwords' somewhere under the preferences menu. True, you can lock it, but then you will need to enter the password each time you'd want the password to autofill, kinda counter-productive in that case....
Actually, I believe that you only need to enter your password once per FF session, exactly as some of us are suggesting the keyring should work.
humphreybc
October 27th, 2009, 09:58 AM
The security of the keyring application could be easily improved by simply adding a password confirmation dialog in order to view them in clear text. It's that simple.
I know, I'm not sure why a few people are up in arms about it. It's not the functionality of the program that needs to change, it's the accessibility and privacy.
Also, relocating "Passwords and Encryption Keys" to the Administration menu would make much more sense. It could even be combined with the Authorizations program, after all, they both have the same icon O.o
As a temporary measure, I'm hiding Passwords and Encryption Keys from the menu... after all, who really clicks on it that often?! Obviously not many people, otherwise we would have found this flaw already!
mcduck
October 27th, 2009, 10:05 AM
Exactly! The keyring encrypts stored passwords for a reason (unlike Filezilla, Pidgin, and a number of other apps that take this less seriously). It makes no sense to me to display those passwords in clear text without requiring confirmation that you are the correct user.
The security of the keyring application could be easily improved by simply adding a password confirmation dialog in order to view them in clear text. It's that simple. Telling people they should lock their screen instead is allowing your pedantry to get in the way of improving Ubuntu's security in various real-life situations.
You have already confirmed that you are the correct user. You do that at login time, and when you unlock the screen. (or when you type your keyring password, if you use automatic login.)
The keys are stored encrypted so that other users of the same machine can't access them even if they have read access to your home directory.
humphreybc: Actually moving it to Administration menu wouldn't make any sense at all, since nothing about the keyring is actually an admin task. Preferences-menu might actually be worth considering..
And still, it's not a flaw. Just lock your screen and both your passwords and your files will be safe. That's what you are supposed to do anyway when you leave a computer unattended. No matter what OS or desktop you are running. (If you can't bother to do that manually, you can set the power manager or screensaver to lock the computer automatically when idle.)
chrisccoulson
October 27th, 2009, 10:05 AM
The security of the keyring application could be easily improved by simply adding a password confirmation dialog in order to view them in clear text. It's that simple.
That is called "security by obscurity". If the keyring is already unlocked, then applications can access it without a password anyway. Asking for a password to view an already unlocked keyring is pointless.
If you don't like the behaviour, then use a keyring which doesn't unlock automatically. You will get a password prompt when trying to view passwords then.
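The locking model described in the post above, and in the same poster's earlier explanation of the login keyring and extra keyrings, as an added example that is not part of the thread and is not gnome-keyring's code. `Keyring`, `viewer_show`, `client_read` and every password and secret are constructed for illustration, the HMAC-based cipher is a stand-in for the real storage format, and the per-application "allow" prompt is not modelled.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; nothing here comes from a real system.
LOGIN_PW = "constructed-login-password"
MAIL_PW = "constructed-mail-keyring-password"


def derive_key(password, salt):
    """Key derived from the keyring password; without it the stored data stays opaque."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def keystream(key, nonce, length):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), for this model only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Keyring:
    """Secrets are encrypted at rest; the key sits in memory only while unlocked."""

    def __init__(self, name, password):
        self.name = name
        self._salt = os.urandom(16)
        key = derive_key(password, self._salt)
        self._verifier = hmac.new(key, b"verify", hashlib.sha256).digest()
        self._items = {}   # label -> (nonce, ciphertext)
        self._key = None   # None means locked

    @property
    def locked(self):
        return self._key is None

    def check_password(self, password):
        """Return the derived key if the password is right, else None."""
        key = derive_key(password, self._salt)
        tag = hmac.new(key, b"verify", hashlib.sha256).digest()
        return key if hmac.compare_digest(tag, self._verifier) else None

    def unlock(self, password):
        key = self.check_password(password)
        if key is None:
            return False
        self._key = key
        return True

    def lock(self):
        self._key = None

    def _xor(self, nonce, data):
        return bytes(a ^ b for a, b in zip(data, keystream(self._key, nonce, len(data))))

    def store(self, label, secret):
        if self.locked:
            raise PermissionError(f"keyring '{self.name}' is locked")
        nonce = os.urandom(16)
        self._items[label] = (nonce, self._xor(nonce, secret.encode()))

    def get_secret(self, label):
        if self.locked:
            raise PermissionError(f"keyring '{self.name}' is locked")
        nonce, ciphertext = self._items[label]
        return self._xor(nonce, ciphertext).decode()


def viewer_show(keyring, label, typed_password):
    """A viewer that re-asks for the password before *displaying* a secret."""
    if typed_password is None or keyring.check_password(typed_password) is None:
        return None
    return keyring.get_secret(label)


def client_read(keyring, label):
    """Any other program in the same session; it never goes through the viewer."""
    try:
        return keyring.get_secret(label)
    except PermissionError:
        return None


def demo():
    login = Keyring("login", LOGIN_PW)
    login.unlock(LOGIN_PW)                  # done automatically at login
    login.store("wifi", "constructed-wpa-passphrase")

    mail = Keyring("mail", MAIL_PW)         # extra keyring, not unlocked at login
    mail.unlock(MAIL_PW)
    mail.store("imap", "constructed-imap-password")
    mail.lock()

    return {
        "viewer_without_password": viewer_show(login, "wifi", None),
        "viewer_with_password": viewer_show(login, "wifi", LOGIN_PW),
        "other_client": client_read(login, "wifi"),
        "separate_keyring": client_read(mail, "imap"),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

In this model the viewer's prompt only gates the viewer: `client_read` still gets the login keyring's secret because the key is already in memory, while the extra keyring yields nothing until its own password is supplied.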
Keyper7
October 27th, 2009, 10:16 AM
I was referring to being helpful for those of us who are imperfect......;)
Sorry, but if you tend to forget your screen unlocked and someone is interested in your secrets, a password over the keyring won't do much more than give you a false sense of security. If your machine is unlocked, in less than 30 seconds a user can quickly plug a pen drive, copy a keylogger, run it silently on the background, unplug the pen drive and leave.
michaelzap
October 27th, 2009, 10:16 AM
That is called "security by obscurity".
No it's not. Security by obscurity would be something like hiding Seahorse in the Accessories menu.
If the keyring is already unlocked, then applications can access it without a password anyway. Asking for a password to view an already unlocked keyring is pointless.
If you don't like the behaviour, then use a keyring which doesn't unlock automatically. You will get a password prompt when trying to view passwords then.
Allowing applications to access passwords is not the same as displaying them in clear text. I don't want to be asked for a password every time the keyring does its job, just when trying to view passwords in clear text. Why is this so hard for people to understand?
michaelzap
October 27th, 2009, 10:19 AM
Sorry, but if you tend to forget your screen unlocked and someone is interested in your secrets, a password over the keyring won't do much more than give you a false sense of security. If your machine is unlocked, in less than 30 seconds a user can quickly plug a pen drive, copy a keylogger, run it silently on the background, unplug the pen drive and leave.
And if they've copied your ENCRYPTED keyring, that's really no big whoop now is it?
There are plenty of other things that they could swipe, and many applications are less secure than Seahorse, but I expect better from the system password manager.
Keyper7
October 27th, 2009, 10:22 AM
And if they've copied your ENCRYPTED keyring, that's really no big whoop now is it?
I never said he could copy the keyring. I said he could install a keylogger.
There are plenty of other things that they could swipe, and many applications are less secure than Seahorse, but I expect better from the system password manager.
No, you expected something different. "Better" is a matter of opinion.
michaelzap
October 27th, 2009, 10:35 AM
I never said he could copy the keyring. I said he could install a keylogger.
Only if you've entered your sudo password in the last 15 minutes, I expect.
The point is not that leaving your computer unlocked is a good idea or that not showing passwords in clear text is a security silver bullet. It's an incremental improvement, much like requiring the same (sudo) password to be reentered to install software. Most operating systems do not show stored passwords in clear text, so the argument could be made that this is also expected behavior (I certainly assumed that was the case before reading this thread).
the.lost.one
October 27th, 2009, 11:01 AM
Finally some informative comments.
I don't understand why some people are so against having this option. Locking the screen solves the problem. But there can be several situations when you do NOT want to lock the screen:
For example, you are letting your say cousin or a friend use your laptop / netbook to check mail. It is normal to trust 'em not to do anything too dangerous (child porn etc) but being mischievous, they can see your passwords if the passwords are SO visible. (Creating a guest account is a hassle which through this option one can avoid. No they can't install a keylogger because they don't have the root password which is required for all installation).
OS native and third party applications encrypt user data files, which are only decrypted upon entering a password even though a user is signed in. Roboform is a third party app for Windows that encrypts the web passwords and asks for a main password if one wants to access it. So it is not unusual what we are asking.
It is not a bug, not a blatant security flaw but a feature or an extra layer of security we are asking for.
mcduck
October 27th, 2009, 11:04 AM
Finally some informative comments.
I don't understand why some people are so against having this option. Locking the screen solves the problem. But there can be several situations when you do NOT want to lock the screen:
For example, you are letting, say, your cousin or a friend use your laptop / netbook to check mail. It is normal to trust 'em not to do anything too dangerous (child porn etc) but being mischievous, they can see your passwords if the passwords are SO visible. (Creating a guest account is a hassle which through this option one can avoid. No they can't install a keylogger because they don't have the root password which is required for all installation).
OS native and third party applications encrypt user data files, which are only decrypted upon entering a password even though a user is signed in. Roboform is a third party app for Windows that encrypts the web passwords and asks for a main password if one wants to access it. So it is not unusual what we are asking.
It is not a bug, not a blatant security flaw but a feature or an extra layer of security we are asking for.
You don't have to create a guest account. Ubuntu already has a built-in guest login. All you need to do is use it. Just click the User Switcher applet in top right corner of your screen, and select "Guest Session". Problem solved and you don't need to compromise your files or your passwords by leaving the machine unlocked. :)
(And keyloggers and other malicious programs could be installed for the current user only, which wouldn't require a password if the session was left unlocked.)
the.lost.one
October 27th, 2009, 11:09 AM
There is an option for having a password to access other partitions on the drive. Why is that? Accessing a folder or partition is not an admin task. They must have put it there because it could be useful in some situations. Just like this feature we want.
the.lost.one
October 27th, 2009, 11:12 AM
You don't have to create a guest account. Ubuntu already has a built-in guest login. All you need to do is use it. Just click the User Switcher applet in top right corner of your screen, and select "Guest Session".
Wow. Didn't know that.
(And keyloggers and other malicious programs could be installed for the current user only, which wouldn't require a password if the session was left unlocked.)
Really? But it always asks me for a password whenever I install any application. It doesn't give any option to do a current user install?
mcduck
October 27th, 2009, 11:14 AM
There is an option for having a password to access other partitions on the drive. Why is that? Accessing a folder or partition is not an admin task. They must have put it there because it could be useful in some situations. Just like this feature we want.
The password isn't asked for that if the partition is configured to be accessible by users.
If accessing it is allowed for normal users or not is decided by the administrator, and can definitely be a task that would require more than basic user privileges, depending on the purpose of that partition.
mcduck
October 27th, 2009, 11:18 AM
Wow. Didn't know that.
Really? But it always asks me for a password whenever I install any application. It doesn't give any option to do a current user install?
You only need the password to install anything system-wide. But quite many programs are usable without installing, and could be simply extracted to your home directory and hidden there. Not to mention what can be done with just a simple script...
Also quite a lot of nasty stuff could be simply done by creating aliases for commonly used commands (or by editing their launchers), to make them do something else than you'd expect. Like logging data to a file...
While malware/keylogger installed that way wouldn't be as well hidden as root access would allow, it would still be good enough to hide it from a user who isn't suspecting anything.
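A defender can look for the alias trick mcduck mentions by scanning shell startup files for aliases or functions that shadow commands which take passwords. This is an added example, not part of the original thread; the watch list, the function names and the sample file contents are assumptions constructed for illustration.

```python
import re
import shlex

# Commands that prompt for credentials; shadowing them deserves a look (assumed watch list).
SENSITIVE_COMMANDS = {"sudo", "su", "gksu", "ssh", "passwd", "gpg"}

# Matches "function name" as well as "name()" at the start of a line.
FUNCTION_RE = re.compile(r"^\s*(?:function\s+([\w.-]+)|([\w.-]+)\s*\(\s*\))")


def _alias_definitions(line):
    """Yield (name, value) for every definition on an `alias ...` line."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:
        # Unbalanced quote: the definition continues on the next line.
        tokens = line.split()
    if not tokens or tokens[0] != "alias":
        return
    for token in tokens[1:]:
        if token.startswith("-") or "=" not in token:
            continue
        name, value = token.split("=", 1)
        yield name, value


def audit_shell_rc(text):
    """Return findings for aliases/functions that shadow sensitive commands."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, value in _alias_definitions(line):
            if name in SENSITIVE_COMMANDS:
                words = value.strip("'\" ").split()
                target = words[0] if words else ""
                findings.append({
                    "line": number,
                    "kind": "alias",
                    "name": name,
                    # alias sudo='sudo ' still runs sudo; anything else is redirected.
                    "redirected": target != name,
                })
        match = FUNCTION_RE.match(line)
        if match:
            name = match.group(1) or match.group(2)
            if name in SENSITIVE_COMMANDS:
                findings.append({
                    "line": number,
                    "kind": "function",
                    "name": name,
                    "redirected": True,
                })
    return findings


# Constructed sample of a user's ~/.bashrc; paths and bodies are placeholders.
SAMPLE_RC = "\n".join([
    "# ~/.bashrc (constructed sample)",
    "alias ll='ls -alF'",
    "alias sudo='sudo '",
    "alias ssh='/home/user/.cache/.s/ssh'",
    "function passwd {",
    "    echo placeholder",
    "}",
    "su() { echo placeholder; }",
])

if __name__ == "__main__":
    for finding in audit_shell_rc(SAMPLE_RC):
        print(finding)
```

Findings with `redirected` set are the ones to review first; run the same check over `~/.bashrc`, `~/.bash_aliases` and `~/.profile` after a session has been left unlocked.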
the.lost.one
October 27th, 2009, 11:18 AM
... By default, the "login" keyring is unlocked by your login password when you log in. ...
You can create extra keyrings which aren't unlocked automatically when you log in. I do this for my Evolution accounts. When you do this, any application which attempts to access the keyring will trigger a password prompt, to allow the application to authenticate and access the keyring.
Really? I have to check this out. This should solve the issue.
Also, remember that Pidgin stores your account passwords in plaintext on your hard disk. Pidgin doesn't use the keyring, and AFAIR the Pidgin developers aren't interested in doing this either. Empathy does store your account passwords correctly though.
Hahahaha. Damn. I use Pidgin. *sheepish smile*
emarkay
October 27th, 2009, 11:44 AM
I was going to chime in, but I got reamed because I thought that the default listing of usernames at boot is a possible security risk.
I guess there's more trust in the world by the "powers that be" in the Ubuntu community.
It's not about "physical access": it's about remote observation and carefully planned intrusion, and, common sense. The things you don't know about until it's too late. Those that know COMSEC and those that have been violated before will just have to work a bit harder now.
michaelzap
October 27th, 2009, 11:58 AM
I was going to chime in, but I got reamed because I thought that the default listing of usernames at boot is a possible security risk.
I agree with you there as well. It's not a major issue imo, but I don't see why people would want to reveal this info at the login screen. I never use any of the user browser GDM themes for this reason.
Keyper7
October 27th, 2009, 12:10 PM
Only if you've entered your sudo password in the last 15 minutes, I expect.
A keylogger for the keypresses of the current logged user wouldn't require root access.
TrueJournals
October 27th, 2009, 02:12 PM
Even having an extra password prompt in seahorse wouldn't change the situation. The person would just have to make another program that DOESN'T prompt for the password an additional time. The solution is already here: make another keyring that doesn't unlock at login. Adding a password prompt to seahorse will not improve security at all, really...
DodgeV83
October 27th, 2009, 03:24 PM
I know, I'm not sure why a few people are up in arms about it. It's not the functionality of the program that needs to change, it's the accessibility and privacy.
Also, relocating "Passwords and Encryption Keys" to the Administration menu would make much more sense. It could even be combined with the Authorizations program, after all, they both have the same icon O.o
As a temporary measure, I'm hiding Passwords and Encryption Keys from the menu... after all, who really clicks on it that often?! Obviously not many people, otherwise we would have found this flaw already!
I wouldn't spend too much time arguing about it. None of the people in this thread who claim it's not a big deal to display all your passwords with a few simple clicks from the main menu, have anything to do with the real decision making in Ubuntu.
The argument above (from a mod no less) with the Windows screenshot is embarrassing to say the least. Showing a screenshot of a third-party application storing the password in cleartext != the operating system itself displaying all passwords across all programs from the main menu.
I can see the arguments already;
"Ubuntu is not the operating system, it's Linux!"
"No no, it's not Linux you noob. It's GNU/Linux"
"You are both noobs, it's Gnome that's doing it, but it's not a big deal because everyone already knows to make 100% sure no one has even 5 seconds alone with your computer without signing on to a guest session first. Even if you forget, what are the chances they'd click on an icon in the main menu that says "PASSWORDS" anyways?"
blahblahblah
Imagine the uproar if Windows 7 displayed all passwords across all programs, simply by clicking:
Start -> All Programs -> Accessories -> Passwords
But it's possible in Ubuntu and people defend it?
Seriously, no point in arguing, just wait for them to fix it.
michaelzap
October 27th, 2009, 05:57 PM
But it's possible in Ubuntu and people defend it?
Seriously, no point in arguing, just wait for them to fix it.
+1!
plasma-engineer
October 27th, 2009, 09:01 PM
This argument is too long isn't it? It's obvious that some of us users (yes including me) would like the option to require a password before our passwords are revealed in clear text. And anyway - surely the precedent is already set in Firefox. You can save your passwords in Firefox and have the option to set a master password if and only if you would like to. Those who do not want the inconvenience have the option not to be asked. Those who want one extra layer of security have the option to have it.
Revealing the passwords is not at all the same as the keyring allowing the passwords to be used by the way! The former gives other people access to your private information forever and any time from any machine whether you are there or not, and whether or not your own keyboard is then locked. The latter is for the few moments when you have forgotten to lock your keyboard or decided not to lock it so as not to seem suspicious.
And speaking of suspicious - let us read between the lines and guess that there are legit Ubuntu users who do not want to share ALL their passwords with all the people who they trust. Fathers and mothers may not trust their children with everything. Children may want their own privacy. Have you known your girl/boy friend long enough to tell them all your intimate passwords? Husbands might even want to hide things from wives and vice versa! And who are we to judge.
Come on folks! Let's at least have the option of a password! Please??
And while I am writing, does anyone else think that it is a huge disadvantage that the new Karmic login screen shows the names of all the accounts on the machine? I would love to be able to go back to having to type in my username and password. The next step is to offer a pulldown menu of possible passwords that have been used in the past so that anyone can try them out! These two topics seem to me not to be unrelated.
ST3ALTHPSYCH0
October 27th, 2009, 09:38 PM
Actually, I'm glad to have the user menu in Karmic... but could see why someone would want the option to have to type in the user name.
chrisccoulson
October 27th, 2009, 10:06 PM
No it's not. Security by obscurity would be something like hiding Seahorse in the Accessories menu.
Allowing applications to access passwords is not the same as displaying them in clear text. I don't want to be asked for a password every time the keyring does its job, just when trying to view passwords in clear text. Why is this so hard for people to understand?
Yes it is the same. I could write an application in a couple of minutes which would get the password from the unlocked keyring and display it to me in plaintext, thus bypassing the extra password you seem to wish for in order to give yourself the illusion of better security.
Asking for an extra password before displaying a password from your already unlocked keyring (which everything else can already access, with a confirmation from the user) only makes you think it is more secure - therefore, it is security by obscurity!
novafluxx
October 27th, 2009, 10:31 PM
And while I am writing, does anyone else think that it is a huge disadvantage that the new Karmic login screen shows the names of all the accounts on the machine?
I dislike the new GDM, and its lack of easy customizable options...
humphreybc
October 27th, 2009, 10:41 PM
Here is the official reply from Adam Schreiber of Seahorse:
I'm not going to read that entire thread, but I guess the gist is
someone's asking if providing access to the keyring without prompting
for the password. Here's the official response regarding the
gnome-keyring security philosophy:
http://live.gnome.org/GnomeKeyring/SecurityPhilosophy
In short: lock your screen if you walk away and use the guest session
if someone asks to use your computer.
Cheers,
Adam
The debate is well out of my depth right now, and I think out of most people's depths. I think perhaps the issue now is that there isn't a clear understanding of the whole "keyring" system, that's completely new to people coming from a Windows background, like 90%* of Ubuntu users do. Perhaps, somewhere during installation or first login or something there could be an explanation of what the keyring is, how it works, what on earth PGP keys are, why you need them etc etc... heck, I still don't understand entirely about how it all works and I've been using Ubuntu full time for almost a year now.
I think perhaps an argument could be made for some adjustment so passwords are not visible in clear text from a main menu application. How this is fixed, is up to the experts... but I could think of a couple of solutions, either changing the location of the application to Preferences, or prompting for a password to view login details, or storing the passwords in an encrypted place that only trusted applications are allowed to access. (They get given the trusted status by you the first time they want to use the keyring). Or something like that, as you can see, I'm not really sure. :)
* Made up statistic, but, you know, the majority come from Windows. ;)
sgosnell
October 27th, 2009, 11:52 PM
Have none of you read the security philosophy linked early in the thread? That's the philosophy of the developers, and they aren't going to change it. If you're really terrified of it, go to another OS.
Linux is designed as a multi-user system, where multiple users can log onto the same machine at different times. Any authorized user has access to anything in his domain, or home directories, but no access to anything else. No other user can access the passwords being complained about. Also, no user can access any system files outside his home without becoming a superuser or root, by entering a password. If you can log into your home, then you are presumed to have authorized access to everything there. It's not just Ubuntu, it's Linux in general. As for providing detailed explanation of how Seahorse and the keyring work in advance of installation - get real. It's there if you want to do the research, but most don't want to, as is obvious from the posts on the thread. It's your responsibility to inform yourself. The keyring actions are a feature, not a bug.
That's the way it has always been, and I suspect the way it will always be, regardless of minor rebellions like this. If you can't live with it, there is always Windows and Mac.
cornflake000
October 28th, 2009, 01:13 AM
I wouldn't change a thing.... but... forget the keyring. Forget the passwords. Forget aforesaid arguments. If anyone knows how to get to recovery in grub... the game's over.
I love it though!
ElSlunko
October 28th, 2009, 01:19 AM
Might have already been said a few times but to the OP, you have to type your password to log in to Ubuntu, correct? If that is the case then the keyring is unlocked for 15 minutes. If you walk away in those 15 minutes I suppose you are vulnerable.
If you have auto-login enabled you should be prompted for the keyring password. I really wish I could test this last statement but my ubuntu PC is in use for now and will be for most of the night :(
krimzonstarr
October 28th, 2009, 01:44 AM
Ways to solve: Change how this data is stored or prompt to enter in your user password to view your user data.
Solutions already in place:
1. Log-Off.
2. Lock Screen.
3. Mindful of allowing access to your personal hardware.
4. Requiring password to log in during boot. (Disabling auto-log-in).
I agree with some of the others, this seems more of a PEBKAC issue, not a bug.
ad_267
October 28th, 2009, 02:11 AM
I dislike the new GDM, and its lack of easy customizable options...
Bah. It's new, of course it's not fully customisable yet. Get over it and be patient or go back to the old one if you need the customisability.
mcduck
October 28th, 2009, 02:29 AM
I wouldn't change a thing.... but... forget the keyring. Forget the passwords. Forget aforesaid arguments. If anyone knows how to get to recovery in grub... the game's over.
I love it though!
If somebody gets free physical access to your computer, the game is over. Regardless of if there's recovery mode in Grub or not. Simply booting a live-CD will give full access to all unencrypted content on the machine, no matter what OS is installed on the computer. :)
humphreybc
October 28th, 2009, 02:35 AM
Ahh gotta love the LiveCD huh. Hence why you encrypt your home directory and stick any important information in there :D
Space_Balls
October 28th, 2009, 02:48 AM
If somebody gets free physical access to your computer, the game is over. Regardless of if there's recovery mode in Grub or not. Simply booting a live-CD will give full access to all unencrypted content on the machine, no matter what OS is installed on the computer. :)
Well there are ways around that....
Password protected BIOS, locked PC Case, PW-protected Grub, no CD Drive in Boot order. At least that's what I'm running.
cornflake000
October 28th, 2009, 03:14 AM
no fun in that...
P4man
October 28th, 2009, 03:37 AM
I don't understand anyone arguing "just lock your computer", or "physical access = root access" etc. That might be true, but do tell me this, why on earth is there a timeout on sudo then? Why does it even ever prompt you for a password since you already proved your credentials when you logged in, and since you didn't lock the screen, it should just trust you?
This makes zero sense to me. If I leave my PC unattended >15min without locking it, I would know I would risk someone opening my files, reading my emails. I would never assume it would allow someone to read my PASSWORDS any more than I would assume it would allow someone to install a rootkit.
Now the problem seems limited to a few apps that show passwords in plain text, but that seems to include Empathy which is installed by default.
This is a clear security hole, and "locking the screen" is not an appropriate answer. There is a reason every app like Firefox lets you save a password but not view it!
Keyper7
October 28th, 2009, 03:43 AM
Yes it is the same. I could write an application in a couple of minutes which would get the password from the unlocked keyring and display it to me in plaintext, thus bypassing the extra password you seem to wish for in order to give yourself the illusion of better security.
Asking for an extra password before displaying a password from your already unlocked keyring (which everything else can already access, with a confirmation from the user) only makes you think it is more secure - therefore, it is security by obscurity!
Exactly. It's the "security theater" the philosophy page talks about.
Imagine the uproar if Windows 7 displayed all passwords across all programs, simply by clicking:
Start -> All Programs -> Accessories -> Passwords
If the design was the same, the uproar would be wrong. This is not an argument.
Seriously, no point in arguing, just wait for them to fix it.
Waiting for them to "fix" a conscious design decision? You should find a chair to sit on, as this might take a while.
You are not happy with the current situation? Go to the mailing list and provide your reasoning there.
This "it's so obviously wrong that the developers will eventually see the light and fix the problem while I wait doing nothing besides complaining on a forum they don't read" attitude won't get you anywhere.
And no, filing a bug report is not "doing something" because "I disagree with it" is not the same as "it's a bug". If you want a design decision to be changed, you should be prepared to engage in a possibly lengthy discussion.
mcduck
October 28th, 2009, 03:46 AM
Well there are ways around that....
Password protected BIOS, locked PC Case, PW-protected Grub, no CD Drive in Boot order. At least that's what I'm running.
BIOS settings are really easy to reset (which solves both BIOS passwords and boot order), Grub password is nice but won't help a bit when booting a live system, and most case locks use the same key as all the others do. I think I must have at least 10 of those keys around. And in the end cases that would actually provide any resistance if you just grabbed the door and pulled are very rare..
DodgeV83
October 28th, 2009, 03:59 AM
Sadly, this issue has been around for quite a while
https://bugs.launchpad.net/seahorse/+bug/189774
http://ubuntuforums.org/showthread.php?t=1075456
The official response has an eerily familiar ring to it, reminiscent of the Gnome/KDE security fiasco earlier this year.
http://www.geekzone.co.nz/foobar/6229
Follow-up
http://www.geekzone.co.nz/foobar/6236
http://lwn.net/Articles/319072/
In short, it was possible to create a "some_text.odt.desktop" file, or "some_text.jpg.desktop" file, that when placed on the Gnome/KDE desktop, looked just like a normal openoffice or picture document. The Desktop icon not only mirrored what it should look like if the file were legit (the icon made the document look like a standard picture/openoffice file), it even removed the .desktop from the name.
He could send the attachment to someone, they would save it thinking "Hey I'm on Linux, I don't get viruses, and this is just a normal .jpg file anyway" and it would be able to download a script from the internet and run any arbitrary code it was told to.
The easiest solution to prevent this kind of problem is to not just blindly click on attachments that people have sent you. Does that sound like a sentence you have always heard in the context of Windows before? You bet. The point is: Even on Linux this advice should be taken serious.
A step that could be taken by the Gnome and KDE developers: Require launchers to have execute permissions. A saved attachment won't have those.
The developers refused to do this. If I remember correctly, "Working as intended" was their response. It wasn't until this article gave sufficient negative press that the developers fixed the problem. This problem was around since 2006!
Why is this relevant to the current thread? Because here we are again. The developers refuse to password protect seahorse and now we have passwords in the clear within 5 seconds on a default Ubuntu install.
Someone above mentioned to create a keyring which doesn't unlock on install, I don't think this is a good solution, as people don't want to be constantly prompted for their password every time they switch routers...etc
Here is my solution for anyone still reading:
Rename /usr/bin/seahorse to something random.
Remove the Passwords icon from the main menu.
This way, you retain the full functionality of the program without the "CLICK HERE TO SEE ALL MY PASSWORDS" button in the main menu, and if you want to run seahorse, simply run the "something random" you renamed seahorse to. You can also delete the seahorse file, or save it to a USB disk or something, to be used when needed.
Does this save me in all situations? No. Can someone come over and simply run their own seahorse file since I deleted mine? Probably. Is this better than allowing any Tom **** and Harry who looks at my computer 3 click access to all my passwords? Absolutely.
Issues like this, both the security issue and the community response, certainly contribute to the low adoption rate of Ubuntu and Linux in general.
This is what the developers of Pidgin say on their wiki regarding storing passwords in plaintext:
Having our passwords in plaintext is more secure than obfuscating them precisely because, when a user is not misled by a false sense of security, he is likely to use the software in a more secure manner.
Source: http://developer.pidgin.im/wiki/PlainTextPasswords
Here is the big thing people seem to be missing: Making it easy to view passwords doesn't make your program more secure! A raise of hands: How many people here knew Pidgin stored passwords in plain text when first installing? How many people knew Ubuntu allowed anyone to see all stored passwords in 5 seconds of clicking from the main menu?
If users aren't aware of these issues, you are only making them less secure. Before today, I wouldn't think twice of letting a friend use my computer for a few minutes to check something, especially on Linux. My friends don't have the sophistication to install a keylogger or similar malicious program on my machine, they wouldn't know where to acquire one, nor would they be so devious. However, clicking the "passwords" button in your "Start menu", now that doesn't seem so devious.
This is the equivalent of a car manufacturer removing the car locks from your brand new Mercedes, with a note saying "We have removed your car locks. You are now forced to carefully consider where you park your car. Since your car can be broken into anyway, even with door locks, we find this is the only way you will feel compelled to protect yourself by not parking in dangerous areas."
The main difference here is I never got my note.
I don't know about you, but the next time I see a Ubuntu user (I know a few at work), I'm going to ask if I can check a website "real quick". I won't need the keyboard, only the mouse will do. I will be sure to note their faces as I read aloud their Gmail password 5 seconds later. I'm anticipating one of two responses:
1. Blame Ubuntu for allowing a "Show me all your passwords" button in the main menu
or
2. Blame themselves for allowing someone to touch their mouse for 5 seconds.
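The launcher problem DodgeV83 recounts above (a `.desktop` file named and displayed like a document, and the proposed rule that launchers must carry execute permission) can be checked for on disk. This is an added example, not part of the original thread and not GNOME or KDE code; the function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import shlex
import stat
import tempfile
from pathlib import Path

# Extensions a launcher might borrow to look like a document (assumed list).
DOCUMENT_EXTENSIONS = {".odt", ".doc", ".pdf", ".jpg", ".jpeg", ".png", ".txt"}
# Exec targets that hand control to a shell or a downloader (assumed list).
FETCH_OR_SHELL = {"sh", "bash", "dash", "wget", "curl"}


def parse_desktop_entry(path):
    """Return the key/value pairs of the [Desktop Entry] group."""
    entry = {}
    in_group = False
    with open(path, encoding="utf-8", errors="replace") as handle:
        for raw in handle:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("["):
                in_group = line == "[Desktop Entry]"
                continue
            if in_group and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip()
    return entry


def launch_allowed(path):
    """The rule proposed in the thread: run a launcher only if its execute bit is set."""
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def audit_launcher(path):
    """Return the reasons a launcher looks like a disguised document."""
    path = Path(path)
    entry = parse_desktop_entry(path)
    if "Exec" not in entry:
        return []  # links and directories do not run a command
    findings = []
    if not launch_allowed(path):
        findings.append("no-execute-bit")
    inner_name = path.name[: -len(".desktop")]
    if Path(inner_name).suffix.lower() in DOCUMENT_EXTENSIONS:
        findings.append("document-like-filename")
    if Path(entry.get("Name", "")).suffix.lower() in DOCUMENT_EXTENSIONS:
        findings.append("document-like-display-name")
    try:
        argv = shlex.split(entry["Exec"])
    except ValueError:
        argv = []
        findings.append("unparseable-exec")
    if argv and os.path.basename(argv[0]) in FETCH_OR_SHELL:
        findings.append("exec-starts-shell-or-downloader")
    return findings


def audit_directory(directory):
    """Map each suspicious *.desktop file in a directory to its findings."""
    report = {}
    for path in sorted(Path(directory).glob("*.desktop")):
        if path.is_file():
            findings = audit_launcher(path)
            if findings:
                report[path.name] = findings
    return report


# Constructed samples: a saved attachment posing as a picture, and a normal launcher.
SAMPLES = {
    "holiday.jpg.desktop": (0o644, "[Desktop Entry]\nType=Application\n"
                            "Name=holiday.jpg\nIcon=image-x-generic\n"
                            "Exec=sh -c 'echo placeholder'\n"),
    "gedit.desktop": (0o755, "[Desktop Entry]\nType=Application\n"
                      "Name=Text Editor\nExec=gedit %U\n"),
}


def write_samples(directory):
    for name, (mode, text) in SAMPLES.items():
        target = Path(directory) / name
        target.write_text(text, encoding="utf-8")
        os.chmod(target, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        write_samples(workdir)
        for name, findings in audit_directory(workdir).items():
            print(name, findings)
```

Pointing `audit_directory` at `~/Desktop` or a downloads folder lists the files that the execute-permission rule would refuse to run, along with the naming tricks the post describes.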
Keyper7
October 28th, 2009, 04:23 AM
Before today, I wouldn't think twice of letting a friend use my computer for a few minutes to check something, especially on Linux.
You might want to think about your definition of friendship. It's certainly not the same as mine.
This is the equivalent of a car manufacturer removing the car locks from your brand new Mercedes, with a note saying "We have removed your car locks. You are now forced to carefully consider where you park your car. Since your car can be broken into anyway, even with door locks, we find this is the only way you will feel compelled to protect yourself by not parking in dangerous areas."
It's not the same case. A more accurate analogy would be making the car ignition key to be the same as the car door key, thus allowing anyone who has the door key to turn on the car and steal it. I agree this is an absurd security flaw... oh, wait, cars are exactly like that.
I don't know about you, but the next time I see a Ubuntu user (I know a few at work), I'm going to ask if I can check a website "real quick". I won't need the keyboard, only the mouse will do. I will be sure to note their faces as I read aloud their Gmail password 5 seconds later. I'm anticipating one of two responses:
1. Blame Ubuntu for allowing a "Show me all your passwords" button in the main menu
or
2. Blame themselves for allowing someone they don't trust to touch their mouse for 5 seconds.
Fixed the second one for you. This allows me to introduce a third one:
3. Blame themselves for trusting you.
rockin_goliath
October 28th, 2009, 04:36 AM
Has anyone considered just locking the keyring, or perhaps making sure that the login keyring is locked by default?
Go to Accessories -> Passwords and Encryption Keys. Right click on the "login" keyring and select "Lock." Now you are prompted for the keyring password whenever you try to view all the keys.
The only downside to this approach is that whenever an application tries to access the keyring, you are prompted to enter your password, which kind of defeats the purpose.
EDIT: I just discovered that if you logout and then log back in again, the keyring is unlocked again. I have to agree with the OP, this is kind of a security risk.
DodgeV83
October 28th, 2009, 04:48 AM
It's not the same case. A more accurate analogy would be making the car ignition key to be the same as the car door key, thus allowing anyone who has the door key to turn on the car and steal it. I agree this is an absurd security flaw... oh, wait, cars are exactly like that.
Ok. This should be more accurate. I let my friends in my car all the time (letting them in the car, past the first line of defense, but not giving them the key = letting them use my computer after I've logged in for myself). If I leave them in the car alone for a minute while I run to grab something, I don't expect them to have the ability to easily drive away without the key (my password).
Can they hotwire the car? Yes. Is that easy for them to do with no tools and a short amount of time before I return? No.
Allowing people to view all my passwords with 5 seconds of clicking = my friend who I left in the car being able to drive away without my giving him the key in 5 seconds.
The whole "let's make it trivially easy to steal everything so people are more careful" argument just doesn't hold in the real world, where statistics definitively show that making something harder - though not impossible - to steal is an effective means in lowering its likelihood of theft.
[h2o]
October 28th, 2009, 05:03 AM
If you don't trust your friends when they use your computer unattended, let them use the guest account. And make sure that all passwords stored in the keyring are not top secret.
Keyper7
October 28th, 2009, 05:09 AM
Ok. This should be more accurate. I let my friends in my car all the time (letting them in the car, past the first line of defense, but not giving them the key = letting them use my computer after I've logged in for myself). If I leave them in the car alone for a minute while I run to grab something, I don't expect them to have the ability to easily drive away without the key (my password).
Can they hotwire the car? Yes. Is that easy for them to do with no tools and a short amount of time before I return? No.
The analogy is complete. You are relying on obscurity (fast hotwiring is hard for most people) instead of seeing the bigger picture (fast hotwiring is not impossible) and adopting better procedures (not leaving people you don't trust alone in your car in the first place).
If you really have "friends you can't trust" (quotes necessary as for me such a thing is an oxymoron), don't let them use your account, period. Opening a terminal and doing a "rm -rf ~" is faster and allows a much shorter reaction time than opening the keyring manager. And it's probably far more dangerous: the amount of people who have so-sensitive-that-my-world-will-explode-if-people-read-it information is probably smaller than the amount of people who make regular backups of their home directory.
Peter09
October 28th, 2009, 10:46 AM
A better analogy is - why bother having a steering lock and an ignition key - hell if the guy has got through the car door then all is lost anyway!
It's tough and your fault if you left the car unlocked or the kiddie left the passenger window open.
A lot of the people here are talking as 'security geeks' they believe we all go around thinking about protecting our computers. Most people don't, they expect to have some layers of security - ok if the bloke can sit down in front of the screen for 3 mins, well he should not be able to do much - right, and yes he might compromise this machine - but not every other password protected system I know.
[h2o]
October 28th, 2009, 11:06 AM
A better analogy is - why bother having a steering lock and an ignition key - hell if the guy has got through the car door then all is lost anyway!
But someone who is stealing my car is not likely a friend of mine to whom I have lent the car keys.
If I lend my car to a friend I will most likely give him the key to the steering lock as well. So this is a false analogy.
P4man
October 28th, 2009, 11:14 AM
All analogies break down at some point, let's not waste time with that.
No one defending this decision has answered me yet why there is a timeout on sudo? Why? Why is there even a need to type a password for sudo when the only way to be safe is locking your screen anyhow?
[h2o]
October 28th, 2009, 11:22 AM
No one defending this decision has answered me yet why there is a timeout on sudo? Why? Why is there even a need to type a password for sudo when the only way to be safe is locking your screen anyhow?
Since sudo gives access to the entire machine, not just your personal data. If I share machine with other people I should be able to access my data, but not theirs. Nothing strange, really.
Also it gives some protection against malicious code since at least you have to explicitly give the administrator password before anything serious can take place.
P4man
October 28th, 2009, 12:12 PM
Since sudo gives access to the entire machine, not just your personal data. If I share machine with other people I should be able to access my data, but not theirs. Nothing strange, really.
Also it gives some protection against malicious code since at least you have to explicitly give the administrator password before anything serious can take place.
Most malicious code is designed to obtain your passwords. What could possibly be a worse security breach? A regular user is constantly annoyed having to enter his password to do about anything, just so an attacker is not able to install malicious code, but he doesn't even have to!
SeanBlader
October 28th, 2009, 12:23 PM
I've read every post in this entire thread, and I'm not going to go argue with coders about their security policy, but really this is lack of security policy.
What it's actually saying is that if I give you my car key you should have immediate access to the network of the company where I work since all the VPN passwords are visible in clear text in seahorse.
I took the advice above, removed the Passwords and Encryption Keys from the accessories menu, and I renamed seahorse itself, ironically after having to type in my password. In addition to that suggestion, make sure you go into your .bash_history file and remove the line that shows what you renamed it to.
There is a difference between someone who's a dedicated and prepared hacker taking advantage of an unlocked idle system, and a normal user who expects their linux system to be secure enough to not allow access to corporate VPN passwords within 5 seconds of walking up to a terminal. Same reasoning, there's a difference between a program or script having access to an unlocked keyring with my permission than there is for a user to have access to all my passwords. It's a matter of expertise, a dedicated professional with the right tools, can steal a car, break into your house, etc. but I don't expect that a normal person could get access to secure passwords with less effort than it would take for them to simply put a fingerprint on my car. Which it does now, it's farther to walk to get to my car than it is to get to my console.
Personally I don't even like to have a screensaver password because I hate having to type in my password if my laptop sits idle while I'm on the workstation, but I setup a screensaver password with a longer timeout and I setup <super>-l to lock the workstation similar to Windows. I'm not paranoid by any stretch, and I work in an environment where I feel safe leaving my wallet and personal laptop on my desk while I'm away from my keyboard, but having clear text passwords visible at the console right at the applications menu is a bug. And I don't believe that to be a matter of opinion. Believe what you will.
krimzonstarr
October 28th, 2009, 12:30 PM
All analogies break down at some point, let's not waste time with that.
No one defending this decision has answered me yet why there is a timeout on sudo? Why? Why is there even a need to type a password for sudo when the only way to be safe is locking your screen anyhow?
Some GNU/linux veterans would argue that normal users shouldn't even be using an account that has the same password as your sudo password. Sudo does not intend to provide for privacy, but for security. User A, once they login, has access to user A data only. User B, once they login, has access to user B data only. Administrator, either by logging in as root, or temporary elevating another User through sudo (if they are listed in sudoers), can access the entire system.
Sudo is there to provide Administrator access only. Functions that could bork your system, change major facets of your install or system. These things require a global Administrator account. Since it is dangerous to stay logged in as Admin constantly (I'm talking about something like accidentally running a script to rm Everything, or the like), Ubuntu uses User accounts with sudo ability.
Privacy is a human issue, not software, at this point. I have used a few distros now, and I see no issue with this problem. As User A, why should I not be able to go in to Keyring and see User A's passwords? This has always been the case under Gnome. Many programs, I can simply click the little checkbox "Show Password," and see what it is I typed or Keyring entered. When I lock my screen, or my screensaver triggers, my account cannot be accessed by others. Handing my laptop to another user, it takes 3 seconds to click "Guest Account," again locking my personal data. When I log out of User A, User A's passwords are not viewable, even with a LiveCD.
The comparison of one OS to another is pointless. I can easily borrow a friends laptop to check my flashdrive on any Windows release... and slip in a tiny program to copy all the saved passwords in plaintxt to my drive. It's free and readily available if people know where to look. With Hirams (sp?) Win Boot, installed to flash, I don't even need their computer on. At least with Ubuntu, my /home partition is automatically encrypted when I log-off.
As yet another paranoid computer user ;) I am pleased with the levelS of protection that Ubuntu, and GNU/linux provide me with. It's all about how you use it.
SeanBlader
October 28th, 2009, 12:38 PM
As yet another paranoid computer user ;) I am pleased with the levelS of protection that Ubuntu, and GNU/linux provide me with. It's all about how you use it.
In this case it's about a lack of education and training for Linux users. If I'd known that someone could get access to sensitive stuff that easily I'd have made an effort to change something sooner. Again, it's the difference between someone LOOKING to steal your passwords, which really you can't stop no matter what you do, all they need to do is take your hard drive and they realistically have all the data you've saved, encryption is not unbreakable. But make it hard enough that it's not worth most people's effort and you're fine. Seahorse is WAY on the wrong side of that line.
snkiz
October 28th, 2009, 12:56 PM
While I'm the last person to say the os should compensate for user stupidity. I have to agree that 4 clicks to see passwords is a little too easy. Sure you could write a script to retrieve passwords from the keyring. But the point is that someone who knows how to do that could get your info regardless. The op is just asking for protection from lookieloos, for whom the simple measure of not showing the passwords in clear text without confirmation would be effective. I think the sudo issue is confusing as well because your sudo password is the same as your user password. (Not good but, an argument for another thread.) Personally I try not to login to my sudo account directly, but through a terminal for that reason. The downside is I have to enter my password twice to use sudo.
su -c "sudo whatever" adminaccount
password: adminpass
(sudo)password: adminpass
whatever runs.
I guess removing the keyring from the menu would do the trick, but then a new user would probably never find it. A bigger security hole IMHO.
SeanBlader
October 28th, 2009, 01:05 PM
While I'm the last person to say the os should compensate for user stupidity.
I totally agree with this, but this isn't a stupidity issue, it's an education issue. And if you're not going to go to the steps to educate your users to protect themselves from "everyone" then you need to help them. Seahorse isn't helping. Of course there's no way you're going to protect yourself from Kevin Mitnick should he want to know your passwords, but at least you shouldn't have to worry about protecting your passwords from Paris Hilton. The current default setup doesn't even manage that.
sgosnell
October 28th, 2009, 01:09 PM
Obviously a lot of people misunderstand the purpose of sudo, superuser, and administration. Those are not for securing user passwords, they're for securing the entire system. They prevent malware from infecting the entire machine, by requiring a password before altering system files. They have nothing at all to do with user passwords. These are entirely separate issues. It's easy enough to not allow seahorse to access your user passwords, and you can remove it entirely if you like. Things will be much more inconvenient, but if you're really worried about your passwords, that's the way to go. I run a separate password safe on my system, and only allow seahorse access to a limited subset of my passwords, but then I've done a little research on the subject. If you just suddenly discovered all this, then you need to take the time to learn what is going on, and why, before you jump up on your soapbox and proclaim your ignorance to the world. Again, none of this is new, or even recent. It's a design decision made long ago, and that decision will not be changed lightly, whether or not you agree with it.
anders_c_
October 28th, 2009, 01:43 PM
Personally I think the best way to solve this would be exactly the same way as the other privileges are handled, for example if I change CPU frequency I get some key-icon in my tray saying I still have privileges and just clicking that icon will drop them.
Would it be possible to have a tray-icon showing that your keyring is unlocked and locking it just by clicking that icon?
And btw, does anyone know the CLI command to lock default keyring? I'm thinking of adding a custom launcher that executes that command, that way I would never be more than one click away from having my passwords securely encrypted.
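For the question above about locking the keyring from the command line, an added example (not part of the original thread): a script that reports which keyrings are currently unlocked and, with --lock, asks the daemon to lock them. It assumes a keyring daemon that implements the freedesktop.org Secret Service D-Bus API and the gdbus tool from GLib; the SAMPLE replies and sample_run helper are constructed so the logic also runs without a session bus.

```python
#!/usr/bin/env python3
"""Report unlocked Secret Service collections (keyrings) and optionally lock them."""
import re
import shutil
import subprocess
import sys

BUS = "org.freedesktop.secrets"
SERVICE_PATH = "/org/freedesktop/secrets"
SERVICE_IFACE = "org.freedesktop.Secret.Service"
COLLECTION_IFACE = "org.freedesktop.Secret.Collection"
PROPS_GET = "org.freedesktop.DBus.Properties.Get"
# Object paths as gdbus prints them. The strict character class also keeps
# anything unexpected out of the argument later passed to Lock.
PATH_RE = re.compile(r"'(/org/freedesktop/secrets/[A-Za-z0-9_/]+)'")

# Constructed replies in gdbus output format (not real keyring data), used
# only when gdbus is not installed.
SAMPLE = {
    "Collections": "(<[objectpath '/org/freedesktop/secrets/collection/login', "
                   "'/org/freedesktop/secrets/collection/work']>,)",
    "/org/freedesktop/secrets/collection/login": "(<false>,)",
    "/org/freedesktop/secrets/collection/work": "(<true>,)",
}


def gdbus(*args):
    """Call the Secret Service on the session bus and return gdbus's stdout."""
    cmd = ["gdbus", "call", "--session", "--dest", BUS, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def sample_run(*args):
    """Offline stand-in for gdbus() that answers from SAMPLE."""
    if args[3] == SERVICE_IFACE + ".Lock":
        return "(%s, objectpath '/')" % args[4]   # pretend every path was locked
    return SAMPLE[args[5] if args[5] == "Collections" else args[1]]


def get_property(run, path, iface, name):
    return run("--object-path", path, "--method", PROPS_GET, iface, name)


def unlocked_collections(run=gdbus):
    """Return the object paths of all collections whose Locked property is not true."""
    listing = get_property(run, SERVICE_PATH, SERVICE_IFACE, "Collections")
    unlocked = []
    for path in PATH_RE.findall(listing):
        reply = get_property(run, path, COLLECTION_IFACE, "Locked")
        if "true" not in reply:          # anything but an explicit true counts as open
            unlocked.append(path)
    return unlocked


def lock(paths, run=gdbus):
    """Ask the service to lock paths; return only those it confirmed as locked."""
    if not paths:
        return []
    for p in paths:
        if not PATH_RE.fullmatch("'%s'" % p):
            raise ValueError("not a Secret Service object path: %r" % p)
    arg = "[" + ", ".join("objectpath '%s'" % p for p in paths) + "]"
    reply = run("--object-path", SERVICE_PATH,
                "--method", SERVICE_IFACE + ".Lock", arg)
    # Reply is (locked_array, prompt_path). Only the array before the first ']'
    # lists what is locked now; a prompt path after it means the daemon still
    # wants user interaction.
    return PATH_RE.findall(reply.split("]", 1)[0])


def main(argv):
    run = gdbus if shutil.which("gdbus") else sample_run
    if run is sample_run:
        print("gdbus not found; using constructed sample replies")
    try:
        open_now = unlocked_collections(run)
        for path in open_now:
            print("UNLOCKED", path)
        if "--lock" in argv:
            for path in lock(open_now, run):
                print("locked  ", path)
    except subprocess.CalledProcessError as err:
        print("Secret Service call failed:", err.stderr.strip())
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Bound to a launcher or hotkey with --lock, this gives the one-click lock asked for; a locked keyring prompts for its password again the next time an application needs a secret.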
benj1
October 28th, 2009, 01:55 PM
I totally agree with this, but this isn't a stupidity issue, it's an education issue. And if you're not going to go to the steps to educate your users to protect themselves from "everyone" then you need to help them. Seahorse isn't helping. Of course there's no way you're going to protect yourself from Kevin Mitnick should he want to know your passwords, but at least you shouldn't have to worry about protecting your passwords from Paris Hilton. The current default setup doesn't even manage that.
The point is if you protect your passwords from 'paris hilton', most users will think their computer is secure, ignoring the fact it is trivially easy for 'Kevin Mitnick' to get what he wants. At present, if the system isn't secure the system makes no attempt to actually make it appear secure (anything else is security through obscurity), thus the user should be more likely to secure it properly.
I don't think it's an education issue, it should be fairly obvious that if you leave your computer logged in and unlocked it won't be secure. Linux actually does a very good job in those circumstances by protecting everyone else, i.e. through sudo etc.
SeanBlader
October 28th, 2009, 01:58 PM
Here's what it comes down to, I don't need to SEE my passwords, and I don't want anyone else with 30 seconds to spare to SEE them either if they walk up to my console. What is the best way we can make this happen?
benj1
October 28th, 2009, 02:08 PM
Here's what it comes down to, I don't need to SEE my passwords, and I don't want anyone else with 30 seconds to spare to SEE them either if they walk up to my console. What is the best way we can make this happen?
log out when leaving your computer unattended
chrisccoulson
October 28th, 2009, 02:13 PM
Here's what it comes down to, I don't need to SEE my passwords, and I don't want anyone else with 30 seconds to spare to SEE them either if they walk up to my console. What is the best way we can make this happen?
Change your keyring password to not match your login password? It's easy, and it means the keyring won't be unlocked when you log in. But you'll have to enter the keyring password to unlock it when an application like NM, Evolution, Empathy etc wants to access it
SeanBlader
October 28th, 2009, 02:15 PM
log out when leaving your computer unattended
And if you forget? I don't think, "sucks to be you" is the message you want to send if you ever want to fix this bug (https://bugs.launchpad.net/ubuntu/+bug/1).
Let me put it this way, are you going to tell your CEO that if he wants to keep anyone from accessing all his passwords he has to log out of his machine every time he looks away from his computer for more than 30 seconds? I know for a fact that a certain CEO at a major encryption company would laugh in your face, with the comment, "my time is more important than that, you just need to make your software better."
DodgeV83
October 28th, 2009, 02:20 PM
log out when leaving your computer unattended
This won't prevent him from seeing his password if he's logged in. If you don't want to be able to see your password list from the main menu, you can remove the PASSWORDS entry from the menu and delete or rename the /usr/bin/seahorse program to something you will remember.
chrisccoulson
October 28th, 2009, 02:27 PM
This won't prevent him from seeing his password if he's logged in. If you don't want to be able to see your password list from the main menu, you can remove the PASSWORDS entry from the menu and delete or rename the /usr/bin/seahorse program to something you will remember.
And that won't prevent me from seeing your password. I'll just bring a copy of seahorse on my pendrive, or extract it from a deb i download on your machine, or bring another small utility i write which retrieves all your secrets from your unlocked keyring.
It seems weird that a bunch of people who seem to be paranoid about things like this can't even be bothered with pretty basic security such as locking your screen when you're away, or changing your keyring password to not unlock on log in etc.
benj1
October 28th, 2009, 02:31 PM
And if you forget? I don't think, "sucks to be you" is the message you want to send if you ever want to fix this bug (https://bugs.launchpad.net/ubuntu/+bug/1).
Let me put it this way, are you going to tell your CEO that if he wants to keep anyone from accessing all his passwords he has to log out of his machine every time he looks away from his computer for more than 30 seconds? I know for a fact that a certain CEO at a major encryption company would laugh in your face, with the comment, "my time is more important than that, you just need to make your software better."
If you forget, they are insecure. What would the CEO say when his passwords were taken from his computer that he thought was secure but in fact wasn't, it just gave the illusion of being so? If you prefer that security model, go with Windows. Yes, you could take the menu option away, but the passwords still won't be secure; you could just do this: http://michael.susens-schurter.com/blog/2008/10/30/listing-all-passwords-stored-in-gnome-keyring/
If you want it actually secure, log out or set your system to not unlock the keyring on login, and set up a timeout.
The most secure method would be to have every app have its own password keyrings with separate passwords etc., on timeouts, but I would rather not have to log in to wifi, then Evolution, and everything else that needs a password separately; that is why we have one app to do it all at once.
DodgeV83
October 28th, 2009, 02:34 PM
The point is if you protect your passwords from 'paris hilton', most users will think their computer is secure, ignoring the fact it is trivially easy for 'Kevin Mitnick' to get what he wants. At present, if the system isn't secure the system makes no attempt to actually make it appear secure (anything else is security through obscurity), thus the user should be more likely to secure it properly.
I don't think it's an education issue, it should be fairly obvious that if you leave your computer logged in and unlocked it won't be secure. Linux actually does a very good job in those circumstances by protecting everyone else, i.e. through sudo etc.
This is a computer geek's way of thinking which will never apply to the real world.
Regarding this bug (https://bugs.launchpad.net/ubuntu/+bug/1) which was mentioned earlier. This is how the conversation will go down for any new user I setup a new computer with:
Windows/Mac computer: "Ok you're all setup. Now a word of warning, always be careful who you let on your computer. An expert computer hacker can have access to all your passwords if he knows what he's doing."
Ubuntu computer: "Ok you're all setup. Now a word of warning, always be careful who you let on your computer. Ubuntu has a "PASSWORDS" button (ironically right next to the "search" button), which will provide anyone who can click a mouse with immediate access to all your passwords"
You may be thinking "Great! Now the Ubuntu user will be extra super duper careful who they let on their computer and lock their computer 100% of the time!"
Reality - "Please give me my Windows back."
http://imgs.xkcd.com/comics/security.png
benj1
October 28th, 2009, 02:34 PM
This won't prevent him from seeing his password if he's logged in. If you don't want to be able to see your password list from the main menu, you can remove the PASSWORDS entry from the menu and delete or rename the /usr/bin/seahorse program to something you will remember.
which is security through obscurity
except removing seahorse, which would just lower usability, i personally dont want to have to enter my password every time i want to go on the internet.
ranch hand
October 28th, 2009, 02:39 PM
I just tried this under Jaunty. I was asked to grant permission (like the normal stupid MS system) but not to give a password. I was able to get the password for our other computer from the ssh login entry.
This is not good at all.
benj1
October 28th, 2009, 02:41 PM
This is a computer geek's way of thinking which will never apply to the real world.
Regarding this bug (https://bugs.launchpad.net/ubuntu/+bug/1) which was mentioned earlier. This is how the conversation will go down for any new user I setup a new computer with:
Windows/Mac computer: "Ok you're all setup. Now a word of warning, always be careful who you let on your computer. An expert computer hacker can have access to all your passwords if he knows what he's doing."
Ubuntu computer: "Ok you're all setup. Now a word of warning, always be careful who you let on your computer. Ubuntu has a "PASSWORDS" button (ironically right next to the "search" button), which will provide anyone who can click a mouse with immediate access to all your passwords"
You may be thinking "Great! Now the Ubuntu user will be extra super duper careful who they let on their computer and lock their computer 100% of the time!"
Reality - "Please give me my Windows back."
i personally would prefer it to be obvious if my pc is secure or not, just like if i lock my door i would rather it actually locks rather than just making a reassuring sound.
i also made the point in a previous post that if you dont like that security model you should go back to windows, but at the end of the day who has the better reputation on security?
DodgeV83
October 28th, 2009, 03:02 PM
i personally would prefer it to be obvious if my pc is secure or not, just like if i lock my door i would rather it actually locks rather than just making a reassuring sound.
i also made the point in a previous post that if you dont like that security model you should go back to windows, but at the end of the day who has the better reputation on security?
Again, a computer geek's way of thinking (Don't be offended, I'm a geek too :))
Most people don't understand computers. They click on the little 'e' to get internet and have no conception of what an OS is. I just did a straw poll around the office (all Windows users) and gave both sides of the argument. In the end, none of them felt comfortable using a system with a PASSWORDS button in the "Start Menu".
"That's ridiculous", "Doesn't make any sense", "And they refuse to simply password protect it?" were a few of the responses.
This, my friends, is why Ubuntu is a geek's system.
Mark my words, Ubuntu or any other Linux distro will never gain significant marketshare, as long as there is a PASSWORDS button in the "Start Menu".
snkiz
October 28th, 2009, 03:05 PM
C'mon people, this security through obscurity argument is silly. It's starting to sound like the pidgin mailing list in here. People just don't want passwords 4 clicks away. If the problem is education then how 'bout this:
"Your passwords have been obscured to protect you from over-the-shoulder attacks, please be aware that as long as you are logged in your passwords are accessible to your desktop environment. Please remember not to leave your session open and unattended."
Put that in the empty space in seahorse. now everyone is happy and informed.
the.lost.one
October 28th, 2009, 03:11 PM
...I could write an application in a couple of minutes which would get the password from the unlocked keyring and display it to me in plaintext, thus bypassing the extra password you seem to wish for in order to give yourself the illusion of better security.
You can write such an application, I can't, my family can't, my friends can't and 99% of all people who are likely to get physical access to my machine can't either.
Which is better:
a) 9 out of 10 people can successfully steal my passwords; or
b) 2 out of 10 people can successfully steal my passwords
The analogy is complete. You are relying on obscurity (fast hotwiring is hard for most people) instead of seeing the bigger picture (fast hotwiring is not impossible) and adopting better procedures (not leaving people you don't trust alone in your car in the first place).
If you think any security measure is impossible to break, you know less about security than even what I do. You cannot have any measure that is impossible to break. What about AES 128 bit encryption? Breaking it may require an insane number of years for a normal person today but 20 years from now it might be possible to break it easily. Forget 20 years, there is a good likelihood that the US or other govt might have some powerful secret supercomputer that can break it in a reasonable time. So according to your logic we shouldn't use SSL/TLS encryption because there could be someone who can break it.
Security through obscurity is when obscurity is the ONLY security measure. When there is obscurity in addition to fundamental security, it makes things a bit more secure. Steve Gibson says that too.
the.lost.one
October 28th, 2009, 03:16 PM
And oh, on Windows, if I save the password in MSN or Yahoo, it can log in automatically but it doesn't show passwords in clear text. The wifi password it does but not MSN and Yahoo. I suppose there must be a way of getting that as well but then again, I don't know it, my friends don't know it and most people likely to get physical access to my machine don't know it.
Why not make the Desktop background or wallpaper display all passwords? That would surely make us noobs lock our screens, eh?
benj1
October 28th, 2009, 03:16 PM
Again, a computer geek's way of thinking (Don't be offended, I'm a geek too :))
Most people don't understand computers. They click on the little 'e' to get internet and have no conception of what an OS is. I just did a straw poll around the office (all Windows users) and gave both sides of the argument. In the end, none of them felt comfortable using a system with a PASSWORDS button in the "Start Menu".
"That's ridiculous", "Doesn't make any sense", "And they refuse to simply password protect it?" were a few of the responses.
This, my friends, is why Ubuntu is a geek's system.
Mark my words, Ubuntu or any other Linux distro will never gain significant marketshare, as long as there is a PASSWORDS button in the "Start Menu".
what was the question? "would you rather have a system where you can easily view passwords when logged in, but are secure when you aren't, or would you rather have a system that appears to be secure all the time, when in fact it never actually is?"
at the end of the day this thread is about whether this is a security flaw, it isnt.
yes you could argue that people would prefer the illusion of security rather than actual security (most terminal cancer patients would probably prefer to be told they arent going to die), thats fine dont use ubuntu, which is the same answer to all "linux isnt windows" threads.
i for one prefer linux because it actually treats me like an intelligent adult instead of wrapping me up in cotton wool, patting me on the head and telling me everythings ok.
macgar32
October 28th, 2009, 03:19 PM
Why does it have an option to show the password in clear text...They are passwords you should already know them. There should be no need for you to view your passwords once entered. The keyring should not be used as a tool to jog your memory, if you are forgetful there are other options for logging your passwords.
I think the option to view your password in clear text should be removed completely.
benj1
October 28th, 2009, 03:23 PM
And oh, on Windows, if I save the password in MSN or Yahoo, it can log in automatically but it doesn't show passwords in clear text. The wifi password it does but not MSN and Yahoo. I suppose there must be a way of getting that as well but then again, I don't know it, my friends don't know it and most people likely to get physical access to my machine don't know it.
do you need a password to access them? if not they arent encrypted so its less secure than seahorse, if they do they are as secure (depending on encryption method), just because you cant see the password doesnt mean its not trivially easy for someone else to find.
benj1
October 28th, 2009, 03:29 PM
Why does it have an option to show the password in clear text...They are passwords you should already know them. There should be no need for you to view your passwords once entered. The keyring should not be used as a tool to jog your memory, if you are forgetful there are other options for logging your passwords.
I think the option to view your password in clear text should be removed completely.
i personally cant remember all my wifi, email, forum etc etc passwords, i would much rather have the option of reading them from sea horse than writing them in a text file, or a piece of paper. and its still missing the point that if some one has access to your logged on system, your passwords, or anything else arent secure.
DodgeV83
October 28th, 2009, 03:32 PM
what was the question? "would you rather have a system where you can easily view passwords when logged in, but are secure when you aren't, or would you rather have a system that appears to be secure all the time, when in fact it never actually is?"
at the end of the day this thread is about whether this is a security flaw, it isnt.
yes you could argue that people would prefer the illusion of security rather than actual security (most terminal cancer patients would probably prefer to be told they arent going to die), thats fine dont use ubuntu, which is the same answer to all "linux isnt windows" threads.
i for one prefer linux because it actually treats me like an intelligent adult instead of wrapping me up in cotton wool, patting me on the head and telling me everythings ok.
In your opinion it isn't.
At the end of the day, this thread has shown there are people who do not regard 5 seconds of mouse clicks to your most important (credit card/VPN network protecting) passwords as a security flaw, and there are some who do.
I have no doubt this will be "fixed" eventually. Just like the Gnome/KDE .desktop issue, once sufficient negative press is reported on the issue, it will be changed. The devs will be dragged into it kicking and screaming, but it will be changed. If Ubuntu ever wants to make it to the big leagues, it is inevitable.
I personally do not feel comfortable with a big http://blog.tmcnet.com/blog/tom-keating/images/easy-button.jpg anyone can push to get access to my passwords.
To each his own.
P4man
October 28th, 2009, 03:37 PM
i personally cant remember all my wifi, email, forum etc etc passwords, i would much rather have the option of reading them from sea horse than writing them in a text file, or a piece of paper.
Sure. But that doesn't mean it shouldn't even ask you for a password before showing them! What next? Why not have a button next to your login which says "Forgot your password?" and clicking it tells you "your password is xyz123". Physical access = root access, so why not, hm? This is just as bad!
and its still missing the point that if some one has access to your logged on system, your passwords, or anything else arent secure.
If it wasn't for this blatant security hole, how would my passwords not be secure, even if someone does get access to my logged in machine?
the.lost.one
October 28th, 2009, 03:38 PM
do you need a password to access them? if not they arent encrypted so its less secure than seahorse, if they do they are as secure (depending on encryption method), just because you cant see the password doesnt mean its not trivially easy for someone else to find.
Probably the applications encrypt their own passwords. But are you getting the point? It might be easy for you, but it is not for me, not for most people who are likely to get physical access to my machine.
SeanBlader
October 28th, 2009, 03:38 PM
but at the end of the day who has the better reputation on security?
Maybe after someone uses this method to break in and find out the medical records of a Seahorse developer can we get this fixed, because I promise you that could happen and this is an unacceptable security risk. Sure the risk is that someone might forget to lock their system when they step away, but giving away passwords at the click of a mouse isn't going to fly when you're looking for health insurance and can't get any because some private detective used someone's password to get into some hospital's network and found out that you were once admitted for appendicitis, and it was found that you had traces of marijuana in your blood, and now you're being prosecuted for insurance fraud because you didn't state the use of controlled substances on your insurance application. So now you're without health care, your family is without an income and out on the street, and you're in jail on fraud charges pending bail that you can't afford to pay. All because someone at some hospital forgot to lock their computer and someone else got paid $20 to look up all your passwords through seahorse.
At this point after learning that most users can find all my passwords with console access and no additional software, I'm thinking that my faith in Linux security is potentially unfounded.
benj1
October 28th, 2009, 03:41 PM
In your opinion it isn't.
At the end of the day, this thread has shown there are people who do not regard 5 seconds of mouse clicks to your most important (credit card/VPN network protecting) passwords as a security flaw, and there are some who do.
I have no doubt this will be "fixed" eventually. Just like the Gnome/KDE .desktop issue, once sufficient negative press is reported on the issue, it will be changed. The devs will be dragged into it kicking and screaming, but it will be changed. If Ubuntu ever wants to make it to the big leagues, it is inevitable.
I personally do not feel comfortable with a big http://blog.tmcnet.com/blog/tom-keating/images/easy-button.jpg anyone can push to get access to my passwords.
To each his own.
the security flaw is failing to logout or lock your session, not the human readable passwords.
to continue with the button analogy, all you are proposing is hiding it under your desk, instead of locking it in the safe.
SeanBlader
October 28th, 2009, 03:44 PM
the security flaw is failing to logout or lock your session, not the human readable passwords.
The security flaw is failing to tell users that they need to lock their systems if they're AFK for more than 30 seconds.
the.lost.one
October 28th, 2009, 03:44 PM
What's the difference between 16-bit encryption and 128-bit encryption? The latter would take more time to be broken.
What's the difference between having a *show passwords* button and not having such button? The latter would require a person to have technical knowledge and more time to break it.
benj1
October 28th, 2009, 03:56 PM
Sure. But that doesn't mean it shouldn't even ask you a password before showing them! What next? Why not have a button next to your login which says "Forgot your password?" and clicking it tells you "your password is xyz123". Physical access = root access, so why not, hm? This is just as bad!
your example is flawed, the keyring is unlocked when you log in, therefore you have already provided your password, is it a security flaw to have a 'forgotten your password?' button on the desktop? perhaps but the bigger security flaw would be failing to lock the system.
@SeanBlader i'm sure the seahorse developers probably lock their system when they leave it unattended, because they understand that otherwise it isn't secure.
@the.lost.one i agree it might make it harder for a lot of people to get hold of those passwords, the problem is those aren't the people who will likely be looking for those passwords, in a previous post i posted a script to get all the passwords in seconds, it took 5 minutes of googling.
also if something is encrypted without requiring a password, it's not secure, the encryption key needs to be stored somewhere.
P4man
October 28th, 2009, 03:58 PM
The security flaw is failing to tell users that they need to lock their systems if they're AFK for more than 30 seconds.
To me that sounds like a Windows apologist saying the only security flaw in windows is failing to disconnect from the internet before turning the machine on, and forgetting to put it back in its safe after you're done using it.
It's perfectly acceptable that someone sneaking behind your pc while you're on the phone or smoking a cigarette can read your emails if you got firefox or your mail client to remember it. That's a tradeoff between usability and security. Asking your password every time you want to open an email would be nuts. But it's not acceptable he can read your bank or other passwords with the same ease, especially since avoiding it would have no usability tradeoff. You open Seahorse how many times per month?
benj1
October 28th, 2009, 04:02 PM
The security flaw is failing to tell users that they need to lock their systems if they're AFK for more than 30 seconds.
i agree. unfortunately it isn't just linux that is guilty of that, and i would hope that all companies (where this would mainly be an issue) would communicate this to staff anyway, as well as automatically locking the screen after a certain time.
P4man
October 28th, 2009, 04:07 PM
your example is flawed, the keyring is unlocked when you log in, therefore you have already provided your password, is it a security flaw to have a 'forgotten your password?' button on the desktop? perhaps but the bigger security flaw would be failing to lock the system.
Which brings us right back to my original argument: what then is the point of timing out sudo? If the only security risk is failing to lock the PC, why do I have to reenter my password 100x per day? Logging in unlocks the keyring, why not unlock sudo permanently as well then? If I can't leave my pc alone for 2 minutes without someone being able to rob my bank account, then why on earth do I need to enter my password again and again to mount a drive or change the clock?
snkiz
October 28th, 2009, 04:07 PM
what was the question? "would you rather have a system where you can easily view passwords when logged in, but are secure when you aren't, or would you rather have a system that appears to be secure all the time, when in fact it never actually is?"
you make it sound as though this small change would somehow cripple the existing security.
at the end of the day this thread is about whether this is a security flaw, it isnt.
yes you could argue that people would prefer the illusion of security rather than actual security (most terminal cancer patients would probably prefer to be told they arent going to die), thats fine dont use ubuntu, which is the same answer to all "linux isnt windows" threads.
What illusion? the system's security doesn't depend on seahorse *I hope* all we're talking about is the clear text display. Hell even pidgin don't show passwords. (I know they're clear text in a file somewhere, but where's that file? most don't know.) 90% of criminals are stupid, and wouldn't be able to coax the passwords through other means, the other 10%... locking your screen won't save you.
i for one prefer linux because it actually treats me like an intelligent adult instead of wrapping me up in cotton wool, patting me on the head and telling me everythings ok.
And this is what Microsoft got right.. devs are not designers. You need to figure out what people need/want/expect then get the devs to do it securely.
snkiz
October 28th, 2009, 04:11 PM
No sudo isn't the same P4man, that's for admin tasks and that little keyring in the corner is for policykit.
sudo=switch user do <command>
P4man
October 28th, 2009, 04:13 PM
And this is what Microsoft got right.. devs are not designers. You need to figure out what people need/want/expect then get the devs to do it securely.
If this were a flaw in windows microsoft would be vilified over it, and rightfully so. I think MS stopped storing passwords in clear text when they introduced windows95, perhaps 2000.
P4man
October 28th, 2009, 04:15 PM
No sudo isn't the same P4man, that's for admin tasks and that little keyring in the corner is for policykit.
sudo=switch user do <command>
I know what sudo is. You're missing the point.
Elevated sudo privileges expire after 15 minutes by default. What good does that do when the privilege of reading my bank account password never expires? So a hacker can't change my clock or install a keylogger to read my passwords, which is great except he doesn't even need to ;)
emarkay
October 28th, 2009, 04:15 PM
Seriously, no point in arguing, just wait for them to fix it.
I disagree - there is much resistance to "those paranoid porn users" as we are called behind our backs. As much as "gee whiz" features and other fluff have been added, Ubuntu has migrated away from security as one of the key concepts.
IMHO, too many developers want "pretty" over "practicality". Just look at some of the comments made here and elsewhere regarding wasted resources ("Throbbers", anyone), removal of configuration options and other "dumbing down" choices that don't address stability (another key) and these security concerns.
Remember, "dumbing it down" just makes it a bit easier for a "dumb criminal" to accomplish their craft, and the crafty ones to get away with even more.
Keep applying pressure both here and through Launchpad to ensure that Communications Security is addressed, and that those that want or need COMSEC (Federal or private) can achieve it "out of the box".
snkiz
October 28th, 2009, 04:24 PM
Because your bank account number isn't in the system files and therefore not under the protection of sudo. if seahorse acted like policykit that would kinda defeat the purpose
benj1
October 28th, 2009, 04:27 PM
What illusion? the system's security doesn't depend on seahorse *I hope* all we're talking about is the clear text display. Hell even pidgin don't show passwords. (I know they're clear text in a file somewhere, but where's that file? most don't know.) 90% of criminals are stupid, and wouldn't be able to coax the passwords through other means, the other 10%... locking your screen won't save you.
system security depends on seahorse in as far as without it you either have unencrypted passwords or each app implementing their own passwords.
im aware pidgin doesnt encrypt passwords, why? first because the system isnt secure unless you lock it when you leave, plus the passwords for your messenger client by and large arent hugely important, although i personally would prefer to see it use seahorse.
@P4man sudo is used to temporarily give you admin privileges, if you permanently want those privileges log on as root, on a more practical point, how would you differentiate when you want to run something as user and when as root? as well as controlling which users have access to what.
benj1
October 28th, 2009, 04:31 PM
If this were a flaw in windows microsoft would be vilified over it, and rightfully so. I think MS stopped storing passwords in clear text when they introduced windows95, perhaps 2000.
windows has a completely different system of security, its comparing apples and oranges, anyway linux would be vilified if it was as secure as windows.
mcduck
October 28th, 2009, 04:33 PM
I know what sudo is. You're missing the point.
Elevated sudo privileges expire after 15 minutes by default. What good does that do when the privilege of reading my bank account password never expires? So a hacker can't change my clock or install a keylogger to read my passwords, which is great except he doesn't even need to ;)
So you just simply can't lock your session when you are not using it? It takes 3 seconds max to do, and protects not only your passwords, but also your files, and stops anybody from installing any malware to your user.
Really. 3 seconds max and the whole issue is solved and everything really is secure (at least to the level it can be with physical access to the machine).
Same applies to using the Guest session.
It's like complaining that somebody might easily open your desktop drawer and read your documents when you yourself refuse to lock your front door when you are not at home. The real security issue is that your front door is open and all your belongings are available for anybody to take, yet you still complain that your desk drawer doesn't have a lock. :D
benj1
October 28th, 2009, 04:40 PM
So you just simply can't lock your session when you are not using it? It takes 3 seconds max to do, and protects not only your passwords, but also your files, and stops anybody from installing any malware to your user.
Really. 3 seconds max and the whole issue is solved and everything really is secure (at least to the level it can be with physical access to the machine).
Same applies to using the Guest session.
It's like complaining that somebody might easily open your desktop drawer and read your documents when you yourself refuse to lock your front door when you are not at home. The real security issue is that your front door is open and all your belongings are available for anybody to take, yet you still complain that your desk drawer doesn't have a lock. :D
+100 :-)
snkiz
October 28th, 2009, 04:41 PM
So not starting an MS flamewar here, I'm just trying to illustrate that MS PAYS people to find stuff like this and report to the developers to fix it. But here sometimes the community has its say, and sometimes a stubborn dev says "I know what's best, you don't like it fork it." It's the wrong attitude. I understand the seahorse dev point of view, and they're right. But clearly some things work better in theory than in practice.
snkiz
October 28th, 2009, 04:44 PM
why do liquor cabinets have locks then? You may need to secure yourself from someone already in the house.
Peter09
October 28th, 2009, 04:48 PM
Security should consist of layers
door lock->car alarm->steering wheel lock->ignition key->GPS system.
If you talk to many security people they will tell you that having only one layer of security is really not good enough, each layer will never be impregnable but each additional layer delays the perpetrator to the point where it may not be practical to continue.
So the argument is really - is a single layer of security good enough.
In my case my machines are split into two types - secure and insecure. My laptop - which I take out and about is insecure because I realise that it can be easily stolen or compromised.(theoretically someone could grab it while I was working on it) I do not keep personal information on it.
I have a machine at home which is secure, and Internet facing. I keep personal information on it which can be accessed from my laptop through an ssh connection. Until now I believed that if someone did a runner with my laptop they would not be able to get to my personal data quickly enough before I changed the passwords etc. Now I'm not so sure.
benj1
October 28th, 2009, 04:53 PM
why do liquor cabinets have locks then? You may need to secure yourself from someone already in the house.
that analogy would hold if you were the only person who would be expected to use your house, and if someone were to come and visit you could summon a house out of the ether for them to use. in that case then yes it would be silly to lock your cabinet, you would just lock your house when you left it.
mcduck
October 28th, 2009, 04:57 PM
why do liquor cabinets have locks then? You may need to secure yourself from someone already in the house.
I don't let people I can't trust to stay in my house when I'm not around.
I don't let people I can't trust to use my computer when I'm not around. And definitely not my own user account.
Both situations are solved in the same way, by locking the front door (or my computer/session) to keep such people away.
benj1
October 28th, 2009, 05:03 PM
Security should consist of layers
door lock->car alarm->steering wheel lock->ignition key->GPS system.
If you talk to many security people they will tell you that having only one layer of security is really not good enough, each layer will never be impregnable but each additional layer delays the perpetrator to the point where it may not be practical to continue.
So the argument is really - is a single layer of security good enough.
the system does have multiple layers of security: user password, root password, there are many other levels you can implement, bios passwords, hard drive encryption, case locks, putting your pc in a safe.
what some are advocating here though is hiding the radio facia in the glove box and leaving the car unlocked.
snkiz
October 28th, 2009, 05:09 PM
one word... kids
Peter09
October 28th, 2009, 05:11 PM
Not quite, root password is not in the loop as its not needed here, physical security is not valid if you want to use the machine, unless you want to talk about a secure room. Disk encryption is negated by the user password, a bios password would not be in the loop either so I think we are back to one layer?
mcduck
October 28th, 2009, 05:12 PM
Not quite, root password is not in the loop as its not needed here, physical security is not valid if you want to use the machine, unless you want to talk about a secure room. Disk encryption is negated by the user password, a bios password would not be in the loop either so I think we are back to one layer?
locking the session?
chrisccoulson
October 28th, 2009, 05:12 PM
If this were a flaw in windows microsoft would be vilified over it, and rightfully so. I think MS stopped storing passwords in clear text when they introduced windows95, perhaps 2000.
Since when were my passwords on Ubuntu stored in cleartext?
Peter09
October 28th, 2009, 05:15 PM
locking the session
sorry but are we not back to one layer of security - the user password? If thats compromised?
chrisccoulson
October 28th, 2009, 05:18 PM
sorry but are we not back to one layer of security - the user password? If thats compromised?
The user password is the same as the keyring password, so if the user account password is compromised, your stored secrets are also compromised whether the attacker is prompted for a password or not - so, it's still only one level
Peter09
October 28th, 2009, 05:21 PM
The user password is the same as the keyring password, so if the user account password is compromised, your stored secrets are also compromised whether the attacker is prompted for a password or not
Correct - thats why stored passwords should be held just like your user password - never to be seen in clear text again.
benj1
October 28th, 2009, 05:22 PM
Not quite, root password is not in the loop as its not needed here, physical security is not valid if you want to use the machine, unless you want to talk about a secure room. Disk encryption is negated by the user password, a bios password would not be in the loop either so I think we are back to one layer?
ignition lock and gps wouldnt be needed to get access to the car, all of it would be useless if you put expanding foam in the alarm siren and put tin foil over the gps transmitter, we can trade flaws in each others analogies all day, the point is you said security depends on layers, i was pointing out linux does support and has multiple layers of security also when you leave your computer you lock it or log out, just the same as if you leave your car, you lock it.
one word... kids
again the analogy doesnt hold, it is easy to support multiple accounts for multiple users, its not so easy to build a new house for each member of your family.
snkiz
October 28th, 2009, 05:23 PM
The reality is that I have four family members using the same less than new hardware. It takes time to logout and back in, and guest sessions are buggy without the horsepower. Some times we share.
The passwords being the same is definitely an issue even more so considering your sudo password is the same so the argument applies system-wide
chrisccoulson
October 28th, 2009, 05:23 PM
Correct - thats why stored passwords should be held just like your user password - never to be seen in clear text again.
So how would an application such as Empathy access your stored secrets then?
benj1
October 28th, 2009, 05:26 PM
Correct - thats why stored passwords should be held just like your user password - never to be seen in clear text again.
but thats just security through obscurity. if you have the user password you have all the other passwords anyway.
emarkay
October 28th, 2009, 05:27 PM
Hey you are missing the point!
It's Ubuntu here that is the fault, not the user, the government, the criminal nor the geek!
Bickering amongst ourselves about concepts and opinions as well as tossing related facts like grenades does not solve the problem.
Some simple things have been changed in Karmic and there is evidence that this trend will intensify, to make it "easy" and "fun". Those that use Linux for real work will either suffer the potential consequences or pay someone their hard-earned cash to secure the OS; maybe just to the point it may have been in Jaunty.
Ubuntu developers, the facts mentioned about the "security" flaws are real, not opinions. Let us identify and address these. Leave the "dog and pony shows" for the masses, but address these issues with professional seriousness.
Peter09
October 28th, 2009, 05:28 PM
ignition lock and gps wouldnt be needed to get access to the car, all of it would be useless if you put expanding foam in the alarm siren and put tin foil over the gps transmitter, we can trade flaws in each others analogies all day, the point is you said security depends on layers, i was pointing out linux does support and has multiple layers of security also when you leave your computer you lock it or log out, just the same as if you leave your car, you lock it.
Firstly I was talking about stealing the car not gaining access, secondly as I said no one layer is invincible, each layer adds to the difficulty of stealing the car. In this case you would have to come well prepared.
benj1
October 28th, 2009, 05:30 PM
The reality is that I have four family members using the same less than new hardware. It takes time to logout and back in, and guest sessions are buggy without the horsepower. Some times we share.
The passwords being the same is definitely an issue even more so considering your sudo password is the same so the argument applies system-wide
well thats your choice to balance the risks, you trust they wont do anything in the same way you trust they wont rifle though your bank statements and sell your details on ebay.
sudo permissions are something you can modify, sudo can be removed entirely
snkiz
October 28th, 2009, 05:37 PM
I wouldn't classify myself as being very secure, like I said we sometimes share. But I just realized if I was paranoid I'd never store passwords with seahorse or anything else for that matter. So the issue is somewhat moot IMO. It just boggles the mind, the complete disregard for personal security once you login that this thread has revealed.
benj1
October 28th, 2009, 05:41 PM
Hey you are missing the point!
It's Ubuntu here that is the fault, not the user, the government, the criminal nor the geek!
we arent missing the point, the user has to take responsibility eventually, ubuntu could be impregnable, it still wouldnt be able to protect the user from themselves, thats why most malware is spread through trojans, and not flaws in the os.
Firstly I was talking about stealing the car not gaining access, secondly as I said no one layer is invincible, each layer adds to the difficulty of stealing the car. In this case you would have to come well prepared.
first you can't equate stealing a car to just getting access to passwords on an already logged in system, a closer analogy, as i've already posted would be hiding the radio facia in the glove box and leaving the door unlocked.
i agree that no one layer is invincible, but why ignore the much stronger layer of logging off for the inferior layer of hiding the password. i refer you back to my previous car analogy, lock the car, don't hide the radio.
snkiz
October 28th, 2009, 05:41 PM
well thats your choice to balance the risks, you trust they wont do anything in the same way you trust they wont rifle though your bank statements and sell your details on ebay.
You trust your teens with your credit card? Better yet not to rifle through your filesystem? I remember being young. ;)
sudo permissions are something you can modify, sudo can be removed entirely
How? I'd love to make my sudo password different than my login
benj1
October 28th, 2009, 05:45 PM
I wouldn't classify myself as being very secure, like I said we sometimes share. But I just realized if I was paranoid I'd never store passwords with seahorse or anything else for that matter. So the issue is somewhat moot IMO. It just boggles the mind, the complete disregard for personal security once you login that this thread has revealed.
is it a complete disregard for security to assume you are the actual user once you have supplied your password. to my mind its more of a disregard for security to make you think the system is secure, when in fact it isnt.
benj1
October 28th, 2009, 05:48 PM
How? I'd love to make my sudo password different than my login
you may be able to i dont know, i was referring to changing permissions so only certain users can install apps for example, you can also completely remove sudo so that no one can use it, you would have to log in as root to do admin tho.
Triggerhapp
October 28th, 2009, 05:49 PM
Once you've logged in, its up to you to look after the security of your passwords.
You (or anyone logged in as you) can read the ones you supply to your system to allow access to always.
You also have the option of using a different set of passwords which ask you to give another password just to see them (which happens to machines with automatic login, I believe?)
If you are unhappy with the assumption that once you have proved its you, it assumes it is you, then change the way it is set up.
Edit : Oh and asking for your password to see your collection of already unlocked passwords is only a dud barrier. The applications and any other application will still be able to get all your passwords as plain text from seahorse, unless you change the way it is configured.
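Added example, not part of any post in this thread and not gnome-keyring's code: a simplified Python model of two points argued above, why a stored service password must be decryptable while a login password only needs to be verifiable, and why a re-prompt in the viewer does not stop other programs in the session from reading an unlocked keyring. The class and function names, the constructed passwords and the HMAC-based toy cipher (standing in for a vetted cipher) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # PBKDF2 iterations (illustrative value)


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the keyring key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode. A real keyring uses a vetted cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, data: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted item")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct))))


def make_login_record(password: str):
    # Login password: stored one-way. It can be checked, never recovered.
    salt = os.urandom(16)
    return salt, kdf(password, salt)


def check_login(record, password: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(digest, kdf(password, salt))


class Keyring:
    """Service passwords: reversible, because the client must send them onward."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.items = {}
        self._key = kdf(password, self.salt)  # key held in memory = unlocked
        self._check = seal(self._key, b"check")

    def unlock(self, password: str) -> bool:
        key = kdf(password, self.salt)
        try:
            unseal(key, self._check)
        except ValueError:
            return False
        self._key = key
        return True

    def lock(self):
        self._key = None

    def store(self, label: str, secret: str):
        if self._key is None:
            raise PermissionError("keyring is locked")
        self.items[label] = seal(self._key, secret.encode())

    def lookup(self, label: str) -> str:
        if self._key is None:
            raise PermissionError("keyring is locked")
        return unseal(self._key, self.items[label]).decode()


def viewer_show(keyring, label, typed_password, login_record):
    # The proposed UI change: the viewer re-prompts before displaying.
    if not check_login(login_record, typed_password):
        return None
    return keyring.lookup(label)


def other_app(keyring, label):
    # Any other program in the session asks the unlocked keyring directly.
    return keyring.lookup(label)


def demo():
    login_pw, bank_pw = "login-pw-constructed", "separate-pw-constructed"
    record = make_login_record(login_pw)
    login_ring = Keyring(login_pw)      # unlocked by logging in
    login_ring.store("im-account", "im-secret-constructed")
    bank_ring = Keyring(bank_pw)        # separate keyring, separate password
    bank_ring.store("bank", "bank-secret-constructed")
    bank_ring.lock()                    # stays locked after login
    out = {"viewer_wrong_pw": viewer_show(login_ring, "im-account", "guess", record),
           "other_app": other_app(login_ring, "im-account")}
    try:
        other_app(bank_ring, "bank")
        out["bank_locked"] = "readable"
    except PermissionError:
        out["bank_locked"] = "locked"
    out["bank_wrong_pw"] = bank_ring.unlock(login_pw)
    out["bank_right_pw"] = bank_ring.unlock(bank_pw) and other_app(bank_ring, "bank")
    return out


if __name__ == "__main__":
    print(demo())
```

In this model the viewer's prompt only changes what the viewer displays; what changes what a session program can read is whether the keyring key is in memory, which is why the separate keyring stays unreadable until its own password is given.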
snkiz
October 28th, 2009, 05:50 PM
is it a complete disregard for security to assume you are the actual user once you have supplied your password. to my mind its more of a disregard for security to make you think the system is secure, when in fact it isnt.
No one said Don't be upfront about what you're doing. When you use synaptic the first time a box comes up to explain what it does, with a little check to never show again. Why not do the same for seahorse when you click the "show passwords button"?
Peter09
October 28th, 2009, 05:51 PM
My analogy of stealing a car just shows how we use multiple layers of security to protect things from being stolen. In the car analogy, even if I leave the door open it is still not simple to steal the car.
snkiz
October 28th, 2009, 05:53 PM
you may be able to i dont know, i was referring to changing permissions so only certain users can install apps for example, you can also completely remove sudo so that no one can use it, you would have to log in as root to do admin tho.
That I was aware of. But throwing out A good program because of a small issue doesn't make a lot of sense. Just improve what is already pretty good. Isn't that what Ubuntu did with Debian?
Triggerhapp
October 28th, 2009, 05:53 PM
Ok going with the car analogy.
You are ok with letting your friends into your car, but you dont want to give them the items that are important to you.
You let them in the back seat, or the passenger front seat, but not the driving seat right?
Ie/ log them in as them, or as guest, but not as you.
snkiz
October 28th, 2009, 05:57 PM
no more like you let your friends in, you're too drunk to drive but your mistress's phone number is in the glove box. you'd rather your friend didn't see that.
Triggerhapp
October 28th, 2009, 06:02 PM
well that's your fault for putting it in an easy to access area.
But that analogy more resembles putting a file you don't want friends to see in your home directory. They can see that over your shoulder should you let on you don't want them to see it.
On the other hand, they still can't drive off with your car, until you give them the keys. (The proof that it is you, in Ubuntu's case)
snkiz
October 28th, 2009, 06:07 PM
lol I was about to say the glove box has a lock but its the same key isn't it? Ubuntu isn't the only one with debatable issues.
benj1
October 28th, 2009, 06:12 PM
No one said Don't be upfront about what you're doing. When you use synaptic the first time a box comes up to explain what it does, with a little check to never show again. Why not do the same for seahorse when you click the "show passwords button"?
i don't understand, a message to say "logout when leaving your computer or else every man and his dog will have access to all your passwords and confidential information"?
i would suggest just a message on installation would do the job better.
My analogy of stealing a car just shows how we use multiple layers of security to protect things from being stolen. In the car analogy, even if I leave the door open it is still not simple to steal the car.
i get the analogy and i agree with multiple layers of security, a car is not a computer, anyway a closer analogy is if i don't password secure the bios it's still not simple to get access to the user's passwords.
in fact my computer is more secure because i have to input a password to install something, does your car require a key to remove the wipers?
now can we stop with the analogy mincing
Peter09
October 28th, 2009, 06:12 PM
lol I was about to say the glove box has a lock but its the same key isn't it? Ubuntu isn't the only one with debatable issues.
This is still valid, it means that if I defeat the external security, by smashing the window, I then cannot just grab something and run, I now have to spend more time breaking open the glovebox (while the alarm's sounding). - Risks are too high best not to bother, especially when I do not know what the value of the stuff in the box is.
snkiz
October 28th, 2009, 06:14 PM
Ok how 'bout this:
I used to have a yahoo account. I login check my email, play some games, it's all good. But if I try to change any of my user info yahoo confirms my password to make sure it's me doing it. Sounds like a reasonable security measure to me.
snkiz
October 28th, 2009, 06:22 PM
One more thing before I go make dinner. If it's Ubuntu's security policy for personal information to say once you're logged in that's good enough. Then why when I open the "about me" applet to change my password, does the system ask me for my password?
benj1
October 28th, 2009, 06:27 PM
That I was aware of. But throwing out A good program because of a small issue doesn't make a lot of sense. Just improve what is already pretty good. Isn't that what Ubuntu did with Debian?
i wasn't advocating throwing it out, i'm saying if you have multiple people using one user name, but you don't want all users to be able to use sudo, uninstall it then use the root account for admin
Ok how 'bout this:
I used to have a yahoo account. I login check my email, play some games, it's all good. But if I try to change any of my user info yahoo confirms my password to make sure it's me doing it. Sounds like a reasonable security measure to me.
you're accessing it remotely, which introduces security problems, plus they can't make assumptions about your os which may be a single user system.
benj1
October 28th, 2009, 06:33 PM
One more thing before I go make dinner. If it's Ubuntu's security policy for personal information to say once you're logged in that's good enough. Then why when I open the "about me" applet to change my password, does the system ask me for my password?
perhaps it's to prevent users not locking/logging out of their system getting knackered by someone sneaking up and changing the password.
more likely though is that changing passwords requires root privileges, so you are using the sudo password, not your own.
snkiz
October 28th, 2009, 06:38 PM
perhaps it's to prevent users not locking/logging out of their system getting knackered by someone sneaking up and changing the password.
more likely though is that changing passwords requires root privileges, so you are using the sudo password, not your own.
no just tried as an unprivileged user it asked me for my user password. and the same argument can be used for seahorse. thanks good night.
benj1
October 28th, 2009, 06:45 PM
no just tried as an unprivileged user it asked me for my user password. and the same argument can be used for seahorse. thanks good night.
an unprivileged user that can't use sudo?
the same argument can't be used for seahorse because if you're logged in the passwords are already decrypted, you would just be hiding them.
humphreybc
October 28th, 2009, 06:45 PM
Just an update, I've been talking with Adam Schreiber.
I replied to his email:
I would hope that you take into consideration the opinions of the Ubuntu users. That's the over-ruling philosophy of Ubuntu, and if the users have something to say, the developers should listen.
If you do not have the time, then please pass this on to someone who does.
Benjamin
And he replied:
If you would care to summarize the thread and/or file a bug report
and/or ask a question, I'd appreciate it. That's a really long thread
at 14 pages. I care, but I don't want to have to respond to each
point separately. Also, please note, we're GNOME developers not
Ubuntu developers and while we try to be responsive to users and
reasonable to requests please remember that we're mainly volunteers
and haven't signed on to an "over-ruling philosophy of Ubuntu."
Cheers,
Adam
So, I did my best to summarize the thread for him:
Okay, i'll do my best to try and summarize:
Basically, users are worried that passwords for empathy, wireless networks and other programs that use Seahorse to store passwords can be seen in clear text from less than four clicks of the mouse button from a desktop.
The argument for changing it is to change the location of Passwords/Encryption to Preferences, remove the checkbox to show passwords in clear text (after all, you should know your own passwords) or prompt for you to enter in your user password to view them in clear text. Also many people say that even Windows does not show MSN passwords in plain text from the main menu.
The argument for leaving it how it is, is that people should learn to lock their computers when leaving them for more than 30 seconds, and if they don't, they've got more to worry about than people seeing their passwords (ie, rm -rf commands, rootkit installers etc).
The debate continues with many saying 90% of people using your computer won't know how to install rootkits or run rm -rf commands, but with a bit of thoughtless rummaging, quite easily access your passwords. As one person points out, most criminals are stupid, so therefore an easy option to show passwords would be more relevant to them.
There are other arguments put forward, such as it is the user's responsibility to make sure untrustworthy people don't have physical access to your computer. The counter of that is that people such as co-workers, your family, teenagers that you trust to access your computer might stumble across your passwords easily. Teenagers could buy things using credit card details, co-workers and friends could use this information against you in the future if there was ever a fall out.
Among all this, there are a lot of posts debating analogies, with a car being used as the main analogy. If someone has access to your car door key, then the game is over - this key also starts the car. This equals one level of security, which is advised against in the security world. I haven't read the analogy posts in detail, but as you can imagine, there are arguments against this idea too.
Cheers,
Benjamin
benj1
October 28th, 2009, 06:57 PM
i think you could safely have left the car analogies out, although i think this thread could have done without them too :p
humphreybc
October 28th, 2009, 07:00 PM
i think you could safely have left the car analogies out, although i think this thread could have done without them too :p
lol well he asked for a summary of the thread, so a summary of the thread is what I tried to deliver :P
DodgeV83
October 28th, 2009, 07:05 PM
Ok going with the car analogy.
You are ok with letting your friends into your car, but you don't want to give them the items that are important to you.
You let them in the back seat, or the passenger front seat, but not the driving seat right?
I.e. log them in as them, or as guest, but not as you.
And we are expecting people who have no concept of what an OS is, to be able to differentiate that for themselves?
-------------------
I have clients who thought they had to buy a new memory card every time their digital camera got filled up.
Who have pictures on their digital camera for years, because they don't know how to get them off.
Who didn't know their printer of 5 years also had a scanner.
Who complain about their printer "not working" when they're out of ink.
Who say their internet isn't working, when it's not plugged in.
Who can't for the life of them figure out how to configure their wireless router.
Who don't know how to reset their password-less router when the internet is out.
Who are college professors and didn't understand the "keygen" someone gave them to install a piece of software was illegal and likely malware ridden.
Who think as long as they don't download anything on the internet, they are "safe".
Who don't consider it a security risk when some USB software auto-installs every time they plug their USB drive to a new computer.
Who bring up in casual conversation "Yea I hate those spam e-mails, but I clicked on one once and it was really interesting! Did you know you could get ****** for a dollar?"
Who ask "Where's the any key?!"
In case anyone hasn't seen it, Google took to the streets of New York City and asked people a simple question: "What is a browser?"
http://www.youtube.com/watch?v=o4MwTvtyrUQ
--------------------
The cases above are not of user stupidity, they are characteristic of a typical computer user. Try explaining to these people that having an unprotected PASSWORDS button in the main menu, not only isn't a security flaw, but actually makes them safer.
The Ubuntu "Sucks to be you. If you don't like it, go back to Windows and learn how to use a computer noob" response I'm getting here, is only solidifying the fact that this system is for a niche audience only and will never appeal to the mass-market in its current form.
DodgeV83
October 28th, 2009, 07:06 PM
No one here is arguing that locking the session isn't safer. There is an absolute agreement on that. We are simply contending that simply because there is some hacker software somewhere that allows people to see my passwords, doesn't mean people want the functionality installed by default in the main menu.
benj1
October 28th, 2009, 07:24 PM
No one here is arguing that locking the session isn't safer. There is an absolute agreement on that. We are simply contending that simply because there is some hacker software somewhere that allows people to see my passwords, doesn't mean people want the functionality installed by default in the main menu.
it's not hacker software from some leet script kiddie site, the functionality is easily available, somewhere i posted a link to a script some time back, which was the fifth link from google, it uses gnome supplied python APIs.
i appreciate some people might not want it on their menu, but that's personal preference, and the good thing about linux is that anything can be removed, just modify the menu.
benj1
October 28th, 2009, 07:38 PM
Who think as long as they don't download anything on the internet, they are "safe".
they are as far as the internet is concerned
The cases above are not of user stupidity, they are characteristic of a typical computer user. Try explaining to these people that having an unprotected PASSWORDS button in the main menu, not only isn't a security flaw, but actually makes them safer.
The Ubuntu "Sucks to be you. If you don't like it, go back to Windows and learn how to use a computer noob" response I'm getting here, is only solidifying the fact that this system is for a niche audience only and will never appeal to the mass-market in its current form.
the problem with these examples is that it proves that it's impossible to protect users from themselves, no matter how secure we make the os they will always defeat it, it also means that we don't need to hide the menus because these users will never be able to find it anyway.
ps i don't subscribe to the stupid user point of view, just that if you make the passwords impossible for them to see they will think it's impossible for everyone to see it, if they know it's easily viewable they (if they're at all bothered about their data) will lock it.
pps nice video by the way :D
SeanBlader
October 28th, 2009, 07:53 PM
if they know it's easily viewable they (if they're at all bothered about their data) will lock it.
This statement just goes to show how out of touch Linux developers are with actual users. There's a technical manager here at the medical device company where I work who has access to just about every system in the company who used to leave his computer on, and email open overnight for the first 6 months I was in his group. At one point I finally walked over to his computer and set up a screen saver password, he never noticed.
Showing passwords on the screen anywhere is pretty dumb.
benj1
October 28th, 2009, 08:14 PM
This statement just goes to show how out of touch Linux developers are with actual users. There's a technical manager here at the medical device company where I work who has access to just about every system in the company who used to leave his computer on, and email open overnight for the first 6 months I was in his group. At one point I finally walked over to his computer and set up a screen saver password, he never noticed.
Showing passwords on the screen anywhere is pretty dumb.
well i wouldn't count myself as a linux developer but in this case:
1. the company should be doing something about security, in these circumstances a password protected screensaver should be standard. that's the company's fault not any os developer's fault.
2. appreciation of security issues is separate from securing an os, this manager obviously doesn't realise his data could be important, again not the os developer's fault
3. if you were that way inclined, would it have been beyond your abilities to recover all of his unencrypted passwords? because with seahorse on ubuntu it wouldn't regardless of whether there was a menu entry or not.
what is with the 'stupid user' strawmen, if they're that stupid just send them an email saying you're from some government department, and just ask for the passwords.
SeanBlader
October 28th, 2009, 08:49 PM
what is with the 'stupid user' strawmen, if they're that stupid just send them an email saying you're from some government department, and just ask for the passwords.
It's been shown that Linux as a standard likes to protect users from themselves, hence the default use of sudo to do any system administration tasks. Following that methodology then getting into a Passwords and Encryption application should also require the user to enter a password. I don't think it's necessary to require a password for approved applications to get into the system's keyring, but non-approved apps should require a password. That way when it says "never ask again" I can really be certain that's what I want to do. So connecting from my local machine to the VPN once I'm logged in is something I'm okay with, but I'm not okay with giving my VPN access to anyone who happens to walk up to my system while I'm in the break room getting a coffee or whatever.
benj1
October 28th, 2009, 09:17 PM
It's been shown that Linux as a standard likes to protect users from themselves, hence the default use of sudo to do any system administration tasks. Following that methodology then getting into a Passwords and Encryption application should also require the user to enter a password.
i would say the opposite, linux makes very little attempt to save users from themselves, sudo privileges are in place because linux is designed as a multiuser system, administrator privileges are in place to stop every user of a system being able to install and delete at will, in addition it's bad practice to run as root partly because linux doesn't try to save you from yourself, try sudo rm -rf /* , linux won't try to save you then.
ps don't try ;)
I don't think it's necessary to require a password for approved applications to get into the system's keyring, but non-approved apps should require a password. That way when it says "never ask again" I can really be certain that's what I want to do.
but that indicates you're installing apps on your system that you don't trust, if that happens you've already lost most of the battle, in addition i'm not even sure it would be able to withhold the password, your user password, and the encrypted password would have to be stored somewhere, in addition the encryption algorithm is open source so if a program needed to it could just decrypt the password itself.
So connecting from my local machine to the VPN once I'm logged in is something I'm okay with, but I'm not okay with giving my VPN access to anyone who happens to walk up to my system while I'm in the break room getting a coffee or whatever.
how would hiding passwords help?
locking your screen would help.
SeanBlader
October 28th, 2009, 09:42 PM
but that indicates you're installing apps on your system that you don't trust, if that happens you've already lost most of the battle, in addition i'm not even sure it would be able to withhold the password, your user password, and the encrypted password would have to be stored somewhere, in addition the encryption algorithm is open source so if a program needed to it could just decrypt the password itself.
how would hiding passwords help?
locking your screen would help.
I will address all your points because they are invalid.
The program I/we apparently numerous users have installed on our systems that we don't trust is Seahorse. Perhaps you didn't read the rest of the thread, please do so before continuing.
Hiding passwords would keep them from being ON THE SCREEN. You know where people can read them, where potentially unauthorized people can read them. Maybe you missed the first post in the thread, it's a good one.
Sure locking your screen would help, but what happens when someone forgets? I don't believe I ever got an answer to that question.
We are covering things again, how can we help you understand?
snkiz
October 28th, 2009, 09:46 PM
Ok so "stupid user" isn't the right phrase. Nonetheless, coddling users like the one dodge listed is annoying and ruins the os for everyone. That is a bigger issue than just seahorse. I'll never understand why people think it's acceptable to sit down with the kind of power a computer affords in this day and age without some basic education in how things work and how to protect yourself. You would hand over your car keys to someone who's never been taught how to drive. (I know the car again.)
The argument that if people know their passwords are available to their desktop, they will lock the screen. Hinges on that if. I've been using Linux for four years and never noticed that. (Never needed to actually open seahorse before.)
The argument that obscuring the password in any form is a false sense of security. What's wrong with a little blurb explaining that? Ubuntu does it for other apps.
The quit complaining and file a bug argument. Certainly a bug should be filed, with Ubuntu and upstream. Supported by healthy debate, which this is. Ubuntu sees fit to change gnome apps to suit their needs all the time, notify-osd isn't part of gnome. So Ubuntu can and should come up with a solution that's sane and addresses its community's concerns.
The way I see it Ubuntu is almost there, seahorse does ask permission just no confirmation. And we do have the tools like gconf. And policykit, which can handle non-root permissions and IMO is way underused.
Here's my idea, create a sane list of default apps that can access seahorse. The ability to change that list through gconf, and permission checks through policykit for unexpected apps, changing info or viewing passwords. And finally come up with a unified personal security policy for the desktop as a whole. (See above post 182 (http://ubuntuforums.org/showpost.php?p=8183511&postcount=182); you need your password to change your password and about me does not display clear text.)
I saw the email to the gnome devs (Nice btw.) Has a bug report been started yet? If so post the link please.
humphreybc
October 28th, 2009, 10:00 PM
Well, the first of the negative press has started. Joey-Elijah Alexithymia, the maintainer of the popular omgubuntu blog (omgubuntu.co.uk), is alarmed at this flaw and has made a blog post about it which you can read here. (http://www.omgubuntu.co.uk/2009/10/security-issue-in-gnome-lets-anyone-see.html)
Hopefully, with some negative press we can force the developers to change this, as much as I hate seeing negative press about Ubuntu, if the developers are going to be stubborn and not listen to the user community, I see no other option.
snkiz
October 28th, 2009, 10:03 PM
I was thinking about that but wanted to give them a chance to slap it with a won't fix tag. No bug report?
benj1
October 28th, 2009, 10:16 PM
I will address all your points because they are invalid.
The program I/we apparently numerous users have installed on our systems that we don't trust is Seahorse. Perhaps you didn't read the rest of the thread, please do so before continuing.
Hiding passwords would keep them from being ON THE SCREEN. You know where people can read them, where potentially unauthorized people can read them. Maybe you missed the first post in the thread, it's a good one.
apologies, i took your post to mean that you were advocating asking a user's permission to use seahorse for a newly installed app to protect the existing passwords within seahorse from potential malware, rather than protecting the newly installed app's password from being displayed in the menu.
Sure locking your screen would help, but what happens when someone forgets? I don't believe I ever got an answer to that question.
We are covering things again, how can we help you understand?
i understand, i just obviously take a different view to you. to answer your question yes if you don't lock your screen someone will be able to use your password and assuming they know where to look will easily be able to get your password.
although even if the menu wasn't there it would be mildly harder but take just as long (with a script) to get all the passwords, plus they still have full access to your system, so that would be autologon to whatever sites you have passwords stored for, all your non password data, plus rm -rf ~ can be quite effective.
and it still doesn't answer the other what ifs, what if the user sets his wallpaper and screensaver to display his username and password, what if he posts them on this forum, so if his hard disk fails he still has access to them, etc etc etc.
surely a better way would be to educate said user that his passwords aren't safe unless his pc is locked.
Keyper7
October 28th, 2009, 10:16 PM
If you think any security measure is impossible to break (...)
I never said that, so everything you said after is irrelevant.
Sure locking your screen would help, but what happens when someone forgets?
What does happen I don't know. What might happen is something bad, regardless of seahorse behavior, as I mentioned before:
Opening a terminal and doing a "rm -rf ~" is faster and allows a much shorter reaction time than opening the keyring manager. And it's probably far more dangerous: the amount of people who has so-sensitive-that-my-world-will-explode-if-people-read-it information is probably smaller than the amount of people who makes regular backups of their home directory.
humphreybc
October 28th, 2009, 10:16 PM
I was thinking about that but wanted to give them a chance to slap it with a won't fix tag. No bug report?
There is already a bug report (https://bugs.launchpad.net/seahorse/+bug/189774) on Launchpad, dated August last year. This problem has been around since the release of Hardy, and nothing's been done about it.
I found this thread here, (http://ubuntuforums.org/showthread.php?t=1075456) looks like this isn't an entirely new subject - but the first time it's been discussed this much.
snkiz
October 28th, 2009, 10:17 PM
Ok found it https://bugs.launchpad.net/seahorse/+bug/189774
man I hate searching bugs though
Keyper7
October 28th, 2009, 10:28 PM
There's no point in complaining that nothing's been made about bug reports filed against conscious design decisions (http://live.gnome.org/GnomeKeyring/SecurityPhilosophy).
humphreybc
October 28th, 2009, 10:30 PM
An update for those of you not following the seahorse mailing list:
Note, Me in italics, Adam Schreiber (Seahorse dev) in normal font.
Aside: Taking this back on the list as I must have hit reply instead
of reply all. The interim emails are below for those playing along at
home.
Okay, i'll do my best to try and summarize:
Basically, users are worried that passwords for empathy, wireless networks and other programs that use Seahorse to store passwords can be seen in clear text from less than four clicks of the mouse button from a desktop.
Technically, the passwords and secrets are stored in gnome-keyring, seahorse is just a manager/viewer.
The argument for changing it is to change the location of Passwords/Encryption to Preferences, remove the checkbox to show passwords in clear text (after all, you should know your own passwords) or prompt for you to enter in your user password to view them in clear text.
I think we've addressed prompting for the password before making it visible before but there's no really good way to "prompt" and check before displaying it. We have to work within the gnome-keyring API.
Also many people say that even Windows does not show MSN passwords in plain text from the main menu.
The argument for leaving it how it is, is that people should learn to lock their computers when leaving them for more than 30 seconds, and if they don't, they've got more to worry about than people seeing their passwords (ie, rm -rf commands, rootkit installers etc).
The debate continues with people saying 90% of people using your computer won't know how to install rootkits or run rm -rf commands, but with a bit of thoughtless rummaging, quite easily access your passwords. As one person points out, most criminals are stupid, so therefore an easy option to show passwords would be more relevant to them.
I think our current approach is consistent with the security model I linked previously. We don't want to give anyone the false impression that their data is more secure than it is. Lock your screen and the key ring's locked, unlock your screen and it's unlocked. If your screen is unlocked, they can just copy your keyring file and crack it at their leisure anyway. You have a secure user password right?
There are other arguments put forward by people, such as it is the user's responsibility to make sure untrustworthy people don't have physical access to your computer. The counter of that is that people such as co-workers, your family, teenagers that you trust to access your computer might stumble across your passwords easily. Teenagers could buy things using credit card details, co-workers and friends could use this information against you in the future if there was ever a fall out.
Among all this, there are a lot of posts debating analogies, with a car being used as the main analogy. If someone has access to your car door key, then the game is over - this key also starts the car. This equals one level of security, which is advised against in the security world. I haven't read the analogy posts in detail, but as you can imagine, there are arguments against this idea too.
It all comes down to an opinion about consistency and trade-offs between usability and security. I agree with Stef on this one. These are not new concerns and that's why we've discussed it in the past and posted an explanation as to our thought process. I'd like to remind everyone that the problem of passwords in the open is not specific to seahorse. All someone with access to your user session and the ability to run a program would need to do is load a program and give it permission to query each secret on the keyring. Without the architecture of gnome-keyring changing there's not much to do on this front and as the security philosophy indicates, some things in Linux and the desktop in general would have to change for that to happen.
Cheers,
Adam
And, here's my reply:
That's fair enough, but I still think you're missing the point and not looking at it from an everyday user point of view. We're not asking for protection against people who can "load a program and give it permission to query each secret on the keyring" and then "copy your keyring file and crack it at their leisure." If the average Ubuntu user knew that there were guys out there trying to hack into their computer this way, I'm sure they would lock their computer.
We're trying to ask for measures to be put in place so that people who otherwise wouldn't go looking for your passwords might stumble across them in clear text out of plain curiosity.
Either way you look at it, it's still not acceptable to be able to view passwords in clear text this easily, and I'm sure something can be done to at least make it less obvious. Even a simple change of location to the Preferences menu would be a step in the right direction.
Cheers,
Benjamin
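Adam's point in the exchange above, that a password prompt inside the viewer does not change who can read an unlocked keyring while locking the keyring does, shown as an added example that is not part of the original post and is not gnome-keyring or Seahorse code. `KeyringDaemon`, `GatedViewer` and the HMAC-based stand-in cipher are hypothetical, and all passwords and secrets are constructed sample values.

```python
"""Toy model of the keyring trust boundary (constructed example)."""
import hashlib
import hmac
import secrets


class LockedError(Exception):
    """Raised when a client asks for a secret while the keyring is locked."""


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in cipher for this model only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class KeyringDaemon:
    """Hypothetical daemon: secrets encrypted at rest, key in memory while unlocked."""

    def __init__(self, login_password):
        self._salt = secrets.token_bytes(16)
        self._key = self._derive(login_password)   # unlocked at login
        self._check = self._tag(self._key, b"keyring-check")
        self._items = {}                           # label -> (nonce, ciphertext, tag)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    @staticmethod
    def _tag(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(self, password):
        candidate = self._tag(self._derive(password), b"keyring-check")
        return hmac.compare_digest(candidate, self._check)

    def unlock(self, password):
        if not self.verify(password):
            return False
        self._key = self._derive(password)
        return True

    def lock(self):
        # Models the screen lock: the key is dropped, only ciphertext remains.
        self._key = None

    def store(self, label, secret):
        if self._key is None:
            raise LockedError(label)
        nonce = secrets.token_bytes(16)
        data = secret.encode()
        ct = bytes(a ^ b for a, b in zip(data, _keystream(self._key, nonce, len(data))))
        self._items[label] = (nonce, ct, self._tag(self._key, nonce + ct))

    def get_secret(self, label, client):
        # The daemon cannot tell a viewer from any other program in the session;
        # the only thing it checks is whether the keyring is unlocked.
        if self._key is None:
            raise LockedError(f"{client}: keyring is locked")
        nonce, ct, tag = self._items[label]
        if not hmac.compare_digest(tag, self._tag(self._key, nonce + ct)):
            raise ValueError("stored item failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct)))).decode()

    def ciphertext(self, label):
        return self._items[label][1]


class GatedViewer:
    """Hypothetical viewer that re-prompts for the password before displaying."""

    def __init__(self, daemon):
        self._daemon = daemon

    def show(self, label, typed_password):
        if not self._daemon.verify(typed_password):
            return None                    # the UI refuses to display the secret
        return self._daemon.get_secret(label, client="viewer")


def demo():
    daemon = KeyringDaemon("correct horse")        # constructed login password
    daemon.store("wifi", "constructed-wifi-psk")   # constructed secret
    viewer = GatedViewer(daemon)
    result = {
        "viewer_wrong_password": viewer.show("wifi", "guess"),
        "viewer_right_password": viewer.show("wifi", "correct horse"),
        # The viewer's prompt is not in this path at all.
        "other_client_while_unlocked": daemon.get_secret("wifi", client="any-script"),
    }
    daemon.lock()
    try:
        daemon.get_secret("wifi", client="any-script")
        result["other_client_while_locked"] = "returned"
    except LockedError:
        result["other_client_while_locked"] = "refused"
    result["wrong_password_unlocks"] = daemon.unlock("guess")
    result["plaintext_at_rest"] = daemon.ciphertext("wifi") == b"constructed-wifi-psk"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the viewer's prompt only changes what the viewer draws; the outcome that differs for every client is the one after `lock()`.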
humphreybc
October 28th, 2009, 10:30 PM
Sigh...
I'll repeat it again: filing bug reports against conscious design decisions (http://live.gnome.org/GnomeKeyring/SecurityPhilosophy) won't get you anywhere.
Hence why no one here has filed a bug, only linked to an existing one from last year.
benj1
October 28th, 2009, 10:32 PM
And finally come up with a unified personal security policy for the desktop as a whole. (See above post 182 (http://ubuntuforums.org/showpost.php?p=8183511&postcount=182); you need your password to change your password and about me does not display clear text.)
without sudo permissions?
considering the only person on my system that has write permissions on the password files is root, you would obviously need to supply a password to modify it, although excluding that i hope you would agree your master password is an order of magnitude more important than any other password or anything else you may choose to store on the system
snkiz
October 28th, 2009, 10:32 PM
Sigh...
I'll repeat it again: filing bug reports against conscious design decisions (http://live.gnome.org/GnomeKeyring/SecurityPhilosophy) won't get you anywhere.
I beg to differ, doob (Gnome guy) asked for one. And that's what the "wish list" tag is for. The mailing list is where you argue your point. The bug report informs the community there is a usability issue. (even if it's by design.)
snkiz
October 28th, 2009, 10:35 PM
You don't understand how policykit works. It has sudo permission. and grants access according to the rules set. Open about me or polkit and see for yourself.
and agreed the Master pass shouldn't even be on the system in the clear. EVER.
Keyper7
October 28th, 2009, 10:36 PM
Hence why no one here has filed a bug, only linked to an existing one from last year.
Yep, I edited my original post to:
There's no point in complaining that nothing's been made about bug reports filed against conscious design decisions (http://live.gnome.org/GnomeKeyring/SecurityPhilosophy).
I beg to differ, doob (Gnome guy) asked for one. And that's what the "wish list" tag is for. The mailing list is where you argue your point. The bug report informs the community there is a usability issue. (even if it's by design.)
"I disagree with the design" is not the same as "There is an issue with the design".
novafluxx
October 28th, 2009, 10:37 PM
That's right folks, blame gnome not seahorse or Ubuntu!
snkiz
October 28th, 2009, 10:39 PM
Yep, I edited my original post to:
"I disagree with the design" is not the same as "There is an issue with the design".
If you disagree that means you have an issue.
humphreybc
October 28th, 2009, 10:49 PM
For those of you following along, I just edited my original post at the start of the thread to contain all the relevant links in one place... should make life a bit easier :)
benj1
October 28th, 2009, 10:49 PM
You don't understand how policykit works. It has sudo permission. and grants access according to the rules set. Open about me or polkit and see for yourself.
and agreed the Master pass shouldn't even be on the system in the clear. EVER.
ok i get ya, didn't realise it used policykit. although i think it would still be consistent to maintain the password for changing the password, because it is an administrative task, in line with using sudo for administrative tasks.
@humphreybc
thanks for posting the reply
Keyper7
October 28th, 2009, 10:52 PM
If you disagree that means you have an issue.
The keyword here is "you".
Bugs are facts, not opinions.
benj1
October 28th, 2009, 10:57 PM
If you disagree that means you have an issue.
"i disagree with the design" indicates you have a fundamental problem with the design, ie you disagree with seahorse showing passwords.
"There is an issue with the design" indicates that you think the design is fundamentally sound, but it could do with improvement, or has a bug.
snkiz
October 28th, 2009, 10:59 PM
The keyword here is "you".
Bugs are facts, not opinions.
Bugs are a deviation from expected or intended behaviour, that by its very nature is subjective. IMO I expect the keeper of my passwords not to give them up without more than a simple please. hence it's a bug.
DodgeV83
October 28th, 2009, 11:01 PM
The argument that if people know their passwords are available to their desktop, they will lock the screen. Hinges on that if. I've been using Linux for four years and never noticed that. (Never needed to actually open seahorse before.)
Exactly! I asked this earlier and never got a response from most of the people here:
Here is the big thing people seem to be missing: Making it easy to view passwords doesn't make your program more secure! A raise of hands: How many people here knew Pidgin stored passwords in plain text when first installing? How many people knew Ubuntu allowed anyone to see all stored passwords in 5 seconds of clicking from the main menu?
If users aren't aware of these issues, you are only making them less secure.
If the people here don't know about it, what chance do the normal Ubuntu users have?
Keyper7
October 28th, 2009, 11:06 PM
Bugs are a deviation from expected or intended behaviour, that by its very nature is subjective.
Bugs are a deviation from expected or intended behavior regardless of personal opinions, which is not subjective.
IMO I expect the keeper of my passwords not to give them up without more than a simple please. hence it's a bug.
Keyword (actually, keyexpression) here is "IMO". This thread proves that your opinion is not an unanimity. Hence, the place to voice your thoughts is the mailing list, not a bug report.
humphreybc
October 28th, 2009, 11:11 PM
Could we keep the thread on-topic? It's starting to waver a bit into the definition of a bug.
Also, I sent a PM to one of the forum moderators asking if he could relocate this thread to somewhere else so the discussion can continue even when the Karmic Testing Forum dies tomorrow. So, if it's disappeared tomorrow, then you'll know what happened :P
Keyper7
October 28th, 2009, 11:13 PM
Could we keep the thread on-topic? It's starting to waver a bit into the definition of a bug.
Which is very relevant to the discussion, since it's related to the fact that people are asking to "fix" a conscious design decision.
humphreybc
October 28th, 2009, 11:16 PM
Which is very relevant to the discussion, since it's related to the fact that people are asking to "fix" a conscious design decision.
Alright then, fair enough. Perhaps instead of a bug on launchpad, an idea should be filed on Brainstorm...
Keyper7
October 28th, 2009, 11:23 PM
Alright then, fair enough. Perhaps instead of a bug on launchpad, an idea should be filed on Brainstorm...
Brainstorm is not exactly an optimal place for discussions, either. The best course of action is to discuss this on the mailing list, because the devs themselves will read and reply.
cariboo907
October 28th, 2009, 11:33 PM
Instead of pm'ing one of us, use the report button, that way it will be seen sooner and acted upon.
This thread has been moved to the security forum.
benj1
October 28th, 2009, 11:34 PM
Alright then, fair enough. Perhaps instead of a bug on launchpad, an idea should be filed on Brainstorm...
you could do but not making users feel safer than they actually are is a pretty central design decision to the whole linux ecosystem.
i do agree it's different to the windows approach of wrapping everything up in binary so the user thinks it's secure, and it can take a bit of time to get your head around, it's the same with a lot of other areas of linux.
Is it wrong? well linux has shown to be more secure than windows in general, plus i personally would like to know where i stand, if something's secure, i would like to know it actually is secure, rather than just appearing to be secure, plus the nature of open source means we can't hide behind glorified rot13 encryption, in the same way that windows can.
Could communicating all of this to users be improved?, probably yes, especially in ubuntu which aims to attract new users, but never forget you will never, ever be able to save users from themselves, no matter how many confirmation boxes etc you put in, they will still be able to mess the system up. the answer to that is more education, not more confirmation boxes
humphreybc
October 28th, 2009, 11:37 PM
Here's the brainstorm idea.
Click on the link below, show your support by adding a comment, or propose your solution to the problem.
http://brainstorm.ubuntu.com/idea/22120/
DodgeV83
October 29th, 2009, 12:52 AM
As I said earlier, like the Gnome/KDE .desktop flaw, this won't get fixed without sufficient negative press on the subject.
Here is the first article on it:
http://www.omgubuntu.co.uk/2009/10/security-issue-in-gnome-lets-anyone-see.html
It has just been dugg:
http://digg.com/linux_unix/OMG_UBUNTU_Gnome_Lets_Anyone_See_Your_Passwords_GMAIL
:popcorn:
sgosnell
October 29th, 2009, 01:24 AM
The only passwords I have seahorse manage, or Firefox remember, are those for internet sites I don't care about. My bank login, my email login, and anything else that is important to me simply isn't stored anywhere except in my password safe. If you're ignorant enough to have your bank password stored in seahorse, or anywhere in Windows, then you deserve what you get. Who cares if the password is visible, if having the keyring remember it means anyone who has access to your computer can log in to any site it has the password for, automatically? With your bank password stored, anyone can just log in to the account without bothering to look for the password, encrypted or not. It's convenient, of course, but it's not secure, even if the passwords are encrypted, and encrypting them will only give the illusion of security, because it's not necessary to see them.
There is a lot of knee-jerk reaction to things lots of posters just don't understand.
michaelzap
October 29th, 2009, 01:35 AM
The only passwords I have seahorse manage, or Firefox remember, are those for internet sites I don't care about...If you're ignorant enough to have your bank password stored in seahorse, or anywhere in Windows, then you deserve what you get...There is a lot of knee-jerk reaction to things lots of posters just don't understand.
I'll tell you what I don't understand: People who start off a comment saying that they don't even use the application being discussed, follow that by blaming people who do for whatever happens to them, and then finish by generically decrying the ignorance of the masses without having ever shared any useful knowledge.
DodgeV83
October 29th, 2009, 01:39 AM
The only passwords I have seahorse manage, or Firefox remember, are those for internet sites I don't care about. My bank login, my email login, and anything else that is important to me simply isn't stored anywhere except in my password safe. If you're ignorant enough to have your bank password stored in seahorse, or anywhere in Windows, then you deserve what you get. Who cares if the password is visible, if having the keyring remember it means anyone who has access to your computer can log in to any site it has the password for, automatically? With your bank password stored, anyone can just log in to the account without bothering to look for the password, encrypted or not. It's convenient, of course, but it's not secure, even if the passwords are encrypted, and encrypting them will only give the illusion of security, because it's not necessary to see them.
There is a lot of knee-jerk reaction to things lots of posters just don't understand.
Yea, I can tell you don't use the software, because you don't store your bank password directly into seahorse. One way to get it, for example:
Seahorse integrates with IM clients that store your Gmail, etc. passwords and places them in the Main Menu (unbeknownst to the standard user).
ElSlunko
October 29th, 2009, 01:41 AM
Step 6 and step 1 are contradictory. Step 1 states to enter a password, and step 6 says you never enter a password throughout this procedure.
snkiz
October 29th, 2009, 02:45 AM
All right, I read the bug reports and the security philosophy. This is what I have gathered from that.
1. Everyone on both sides of the fence agrees the current state of the keyring (and by extension seahorse) is not good.
2. Rather than shilling people into thinking they are secure, it is preferable to teach the user good practices. Except the end user isn't taught the lesson unless it's the hard way.
3. The solution is way more complicated than the problem. Package A needs package B to do this to package C to get everything to work in a truly secure fashion. So the answer for now is to do nothing.
4. Ubuntu is dependent on upstream to find a solution.
5. The devs have a solution (very similar to what I suggested) but due to point 3 are passing the buck between the affected packages.
In summary, Gnome has admitted this is a flaw, and therefore a bug. But they can't fix it (or don't want to) even though other user-sensitive applications in Gnome do not behave this way. The devs believe that the same users who they say can't reasonably answer the question "Do you want network-manager to have your wep key?" are supposed to just know, without being told, that they need to lock their session to secure the keyring. And Ubuntu is only interested in innovations that are flashy and can grab headlines, like notify-osd.
Agree, disagree, flame me, whatever. The point is, as a new user or worse yet a migrating user, none of this is inherent knowledge. No one is doing anything to inform the user. All the while, there the program sits, in the main menu, unprotected.
humphreybc
October 29th, 2009, 02:51 AM
Step 6 and step 1 are contradictory. Step 1 states to enter a password, and step 6 says you never enter a password throughout this procedure.
The first step is to log out and log back in, to make sure that you haven't inadvertently unlocked the keyring already.
Technically, the "procedure" doesn't start till step 2. The first step is just to make sure that everyone starts from the same place.
ElSlunko
October 29th, 2009, 03:34 AM
The first step is to log out and log back in, to make sure that you haven't inadvertently unlocked the keyring already.
Technically, the "procedure" doesn't start till step 2. The first step is just to make sure that everyone starts from the same place.
For your argument's sake, yes. However, you have to log in with the password anyways. When you log in, the keyring gets unlocked because you typed your password in to log in. This makes your PC unsecure for 15 minutes. Logging in should not unlock this IMO.
Try your steps again, however enable auto-login for your account and open up the passwords application and see if it prompts you for a password then.
I'm not saying the current method is best, I'm just trying to make sure all the details of what is going on are apparent to anyone viewing this thread. When you type your password to log in, it unlocks the keyring for the temporary duration. If you have auto-login, you'll be prompted on your first attempt at trying to run something that requires the keyring.
ad_267
October 29th, 2009, 03:39 AM
I think that logging in should unlock the password.
I set my parents' computer to log in automatically, but then my mum complained that Evolution was "broken" because it was asking for the keyring password. The keyring isn't something that a lot of users understand.
ElSlunko
October 29th, 2009, 03:40 AM
When you log out and log in, you inadvertently unlock the keyring.
ElSlunko
October 29th, 2009, 03:43 AM
My head is just exploding with the fact that you guys don't realize it either. I first noticed this behaviour when I set empathy to auto launch on login. When I had auto-login it would prompt me for my password as soon as the auto-login got to my desktop.
Since I reverted back to having to manually log in on boot and when I entered my password I was no longer prompted because the manual log in unlocked my keyring (and keeps it unlocked for the temporary amount of time it would unlock it if you had auto-login enabled anyways).
ElSlunko
October 29th, 2009, 03:51 AM
Enter your keyring for synaptic and walk away. Go make a sammich or catch that TV show you like. After the allotted time (15 minutes I'm assuming honestly I'm not sure what the time-out is) and try to install something. You'll be prompted again. The timeout on login is a bad thing but the time out afterwards is a decent implementation.
A better one would be to have time outs coupled with closing the keyring when an application is closed.
DodgeV83
October 29th, 2009, 04:19 AM
Enter your keyring for synaptic and walk away. Go make a sammich or catch that TV show you like. After the allotted time (15 minutes I'm assuming honestly I'm not sure what the time-out is) and try to install something. You'll be prompted again. The timeout on login is a bad thing but the time out afterwards is a decent implementation.
A better one would be to have time outs coupled with closing the keyring when an application is closed.
Unfortunately, the keyring time-out does not apply to the PASSWORDS button in the main menu (seahorse).
To test it, log in to your machine and walk away for 15+ minutes. Shoot, walk away for an hour if you'd like :) When you return, your passwords will still be accessible from the main menu without entering your password again.
ElSlunko
October 29th, 2009, 04:30 AM
So the solution "seems" simple (I'm speaking from a noob-like perspective) in that the keyring should apply to the menu button (seahorse). I see now! Thanks for explaining.
mcduck
October 29th, 2009, 04:37 AM
Enter your keyring for synaptic and walk away. Go make a sammich or catch that TV show you like. After the allotted time (15 minutes I'm assuming honestly I'm not sure what the time-out is) and try to install something. You'll be prompted again. The timeout on login is a bad thing but the time out afterwards is a decent implementation.
A better one would be to have time outs coupled with closing the keyring when an application is closed.
You are confusing several different passwords.
Synaptic has nothing to do with the keyring. The password you give to start Synaptic and other administration tasks is your user password, used for sudo/policykit, not keyring password.
The 15-minute timeout applies to the sudo password and policykit passwords, not to the keyring (which, once unlocked, stays unlocked until you lock it manually or log out). There is no timeout on login. The keyring has no timeout, and neither has the login password (why would it, you already logged in and are not going to do it again once already logged in).
P4man
October 29th, 2009, 05:43 AM
Who cares if the password is visible, if having the keyring remember it means anyone who has access to your computer can log in to any site it has the password for, automatically?
It's a huge difference. Having the password means the intruder has permanent access to these accounts (until you change the pw, but we all know how often we change our pw for our email and the like) and not just for the 5 min you went for a smoke. It's one thing that someone can sit behind my PC and see my empathy contacts or even chat history; it's something else entirely if he can log in at night pretending to be me.
Then there is the fact that many people use the same password for more than one service. Most people probably only have 2 or 3 passwords and use them for a dozen services.
Sure, blame the user for reusing his pw and not changing it every 3 days, but that's not an excuse for this flaw. I don't know who to blame for this, whether it is seahorse developers, gnome or ubuntu. Probably it IS the result of some fundamental issue, but the result is downright stupid and blaming the user doesn't change that. It's really like blaming the user for all of Windows' security holes: "you shouldn't open attachments you can't trust, you should run a firewall, you should not log in as administrator, you should apply all patches every day" yada yada yada. All true but no excuse.
revanb
October 29th, 2009, 07:30 AM
The fact remains...When you are logged in, you are assumed to be sitting in front of the screen. You should set your screensaver to say 5min or even shorter and set it to lock your account when it is activated should you forget to lock your screen or log out.
Even the home folder encryption option will mean nothing if you leave your logged in computer unattended.
So the only thing the developers of seahorse and Ubuntu are maybe guilty of is not explaining this issue to all users straight away with a nice message up front!
Should your car confirm your identity every time you stop at an intersection? Or just after you've locked it?
(Almost all websites assume you and only you have access to your email... So even if the passwords in seahorse were not visible in your logged in account, anybody having access to your logged in account could use the "Forgot password" option on most websites, which will have them send a confirmation email to your inbox with a clickable link which would reset the passwords anyway!)
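Added example, not part of any post in this thread: a small Python model of the behaviour mcduck describes (sudo/policykit authentication expires after 15 minutes, the keyring stays unlocked until locked manually or logout) combined with the screen-lock advice above. The class and function names are hypothetical, the timelines are constructed, and the model assumes the idle timer starts when the user leaves and the sudo grace period counts from the last password entry.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SUDO_TIMEOUT_MIN = 15  # sudo/policykit grace period quoted in the thread


@dataclass
class Session:
    """Constructed timeline of one desktop session, in minutes."""
    login_at: int                     # password login; login keyring unlocked here
    sudo_auth_at: Optional[int]       # last time the sudo password was typed
    left_at: int                      # user walks away from the keyboard
    back_at: int                      # user returns
    screen_lock_after: Optional[int]  # idle minutes before screen lock; None = never
    keyring_locked_at: Optional[int] = None  # manual keyring lock, if any


def _overlap(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Length of the intersection of two [start, end) intervals."""
    return max(0, min(a[1], b[1]) - max(a[0], b[0]))


def unattended_window(s: Session) -> Tuple[int, int]:
    """Span in which nobody is at the desk and the screen is not locked.

    A screen lock does not lock the keyring; it blocks the whole session,
    which is why it closes the window for sudo and the keyring alike.
    """
    end = s.back_at
    if s.screen_lock_after is not None:
        end = min(end, s.left_at + s.screen_lock_after)
    return s.left_at, end


def sudo_exposure(s: Session) -> float:
    """Unattended minutes in which sudo would not ask for a password."""
    if s.sudo_auth_at is None:
        return 0
    cached = (s.sudo_auth_at, s.sudo_auth_at + SUDO_TIMEOUT_MIN)
    return _overlap(unattended_window(s), cached)


def keyring_exposure(s: Session) -> float:
    """Unattended minutes in which stored passwords show without a prompt."""
    locked = s.keyring_locked_at if s.keyring_locked_at is not None else float("inf")
    return _overlap(unattended_window(s), (s.login_at, locked))


def report(s: Session) -> dict:
    return {"sudo": sudo_exposure(s), "keyring": keyring_exposure(s)}


if __name__ == "__main__":
    # Login at 0, sudo at minute 55, away from minute 60 to 120.
    print("no screen lock:   ", report(Session(0, 55, 60, 120, None)))
    print("lock after 5 min: ", report(Session(0, 55, 60, 120, 5)))
    print("keyring locked:   ", report(Session(0, 55, 60, 120, None, 60)))
```

Without a screen lock the sudo window closes by itself after the grace period while the keyring window lasts for the whole absence; a short idle lock caps both at the same value.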
P4man
October 29th, 2009, 08:02 AM
The fact remains...When you are logged in, you are assumed to be sitting in front of the screen. You should set your screensaver to say 5min or even shorter and set it to lock your account when it is activated should you forget to lock your screen or log out.
Then why oh why does sudo have a timeout?
Should your car confirm your identity every time you stop at an intersection? Or just after you've locked it?
Let's not lose ourselves in endless and pointless analogies.
(Almost all websites assume you and only you have access to your email... So even if the passwords in seahorse were not visible in your logged in account, anybody having access to your logged in account could use the "Forgot password" option on most websites, which will have them send a confirmation email to your inbox with a clickable link which would reset the passwords anyway!)
Most websites will NOT email you the password for all of the above reasons; they will send you a link that lets you reset the password (and often on top of that requiring additional proof of identity like answering some secret question). That's a huge difference. You might be able to change my password but at least I would be instantly informed someone was stealing my identity.
snkiz
October 29th, 2009, 08:08 AM
Let's not confuse the issue even more than it is. Ubuntu has two security policies. One for the system using sudo and policykit, and one for personal data using the keyring. It's unfortunate that your sudo password is the same as your login password. It only enforces the confusion. Log in with an unprivileged user and it becomes clear where the line is.
revanb
October 29th, 2009, 08:14 AM
Sudo times out because you are not root. While it is active you are working as root. If you don't know yet why this is not a good idea then you don't seem to know much about security.
Just putting up mindless password prompts everywhere doesn't mean you have good security. Maybe you should keep your computer in a locked room and switch it off. Then it will almost be secure.
P4man
October 29th, 2009, 08:17 AM
Let's not confuse the issue even more than it is. Ubuntu has two security policies. One for the system using sudo and policykit, and one for personal data using the keyring.
Point is, if you follow revanb's logic then both make different assumptions about who is behind the keyboard. That makes a lot of sense.
not.
Either the sudo policy is nonsensical in that it times out, since it should assume it's the user who is (still) behind the kb, or seahorse should not make that assumption by showing passwords without renewed authentication.
P4man
October 29th, 2009, 08:23 AM
Sudo times out because you are not root.
No. The reason I have to run sudo is because I'm not root. That doesn't explain why it times out. Once I elevated my privileges, not everything I run runs as root! Only tasks I decide to run as root.
While it is active you are working as root. If you don't know yet why this is not a good idea then you don't seem to know much about security.
No! If I run something as sudo, that doesn't mean all other actions I take are as root! I just don't have to prove my identity for 15 minutes; I still need to type "sudo" to run something as root. Perhaps you are the one who doesn't quite understand.
edit: let me rephrase it. Sudo authentication times out after 15 minutes. If not because it's unsafe to assume the identity of the person behind the keyboard, then why? It could safely never expire, while still requiring me to either type in sudo to run root tasks or confirm apps to run as root. It would just not require a password, since it can assume it's the user behind the kb. (Ironically that's how Windows does it). You understand the difference now? Sudo doesn't assume, seahorse does. One of them makes no sense.
Keyper7
October 29th, 2009, 08:36 AM
As I said earlier, like the Gnome/KDE .desktop flaw, this won't get fixed without sufficient negative press on the subject.
Here is the first article on it:
http://www.omgubuntu.co.uk/2009/10/security-issue-in-gnome-lets-anyone-see.html
It has just been dugg:
http://digg.com/linux_unix/OMG_UBUNTU_Gnome_Lets_Anyone_See_Your_Passwords_GMAIL
:popcorn:
The article is sensationalist and misleading. Bullying the developers because you can't convince them through arguments is not the right course of action.
Luckily, several comments in the blog and the first comment in Digg seem to have noticed the sensationalism.
revanb
October 29th, 2009, 08:37 AM
Like I said in my initial post... If you want your user account to time out, set your screensaver to lock your account. End of argument.
If sudo didn't time out it leaves large windows of opportunity for scripts ( while you are in front of your screen ) to destroy your system in many ways. The only reason it has the 15min period is because it assumes you are the same person behind the keyboard so that you don't have to type in your password with every command you issue. (And you may run a script with hundreds of commands)
The issue is entirely different and entirely clear.
P4man
October 29th, 2009, 08:48 AM
Like I said in my initial post... If you want your user account to time out, set your screensaver to lock your account. End of argument.
A locked screen also protects against sudo abuse. You're arguing in circles.
If sudo didn't time out it leaves large windows of opportunity for scripts ( while you are in front of your screen ) to destroy your system in many ways.
Of course not! Only tasks I decide to run as root would run as root even if sudo authentication never runs out.
The only reason it has the 15min period is because it assumes you are the same person behind the keyboard so that you don't have to type in your password with every command you issue. (And you may run a script with hundreds of commands)
It assumes so for 15 minutes. Then it no longer makes that assumption. You're still not getting it. 5 seconds after doing anything as root I will again need to type SUDO to run another task as root. I just don't have to prove my identity again; I still have to elevate my privileges. Never timing out sudo is absolutely not the same as running a root account, and would only have ONE security risk: that is if you are no longer the person behind the keyboard.