Ubuntu Cappuccino Scuro
may I remind you that in order to mount an encrypted usb drive you need to know the password. Now why would you mount your encrypted usb into a sys that you don not trust. You don't do it! The problem is not that the thumbs are saved. Who cares about it when the sys knows your pass, that's the last of your worries.Originally Posted by jhwoods
YOU DO NOT MOUNT/OPEN ENCRYPTED DATA INTO AN UNTRUSTED SYSTEM. same concept goes for the webemail.
Ubuntu addict and loving it
Then open a bug and mark it as a Security issue, that is EXACTLY why this process exists.
Regards, David.
Please use the Forum search and Wiki search for immediate help
Please mark your thread as Solved when appropriate
New to technical forums?: How To Ask Questions The Smart Way
First Cup of Ubuntu
@snowpine - I understand what open source is. It should be clear from my workaround, a symlink to /dev/shm, that I'm not exactly a unix noob, either.
I am quite aware that I can use another file-browser, another distro, or I could mod nautilus to behave in a different way. None of that logically implies that I should overlook what seems to me to be a serious security flaw in a piece of software I have used.
Can someone can give me a good reason for centralising thumbnail storage? I am unconvinced that thumbnails from files on encrypted volumes should ever be stored elsewhere without the user deliberately choosing to make that happen.
First Cup of Ubuntu
@fdrake I do trust my home system, in that I believe it is not currently compromised. That doesn't stop me from believing my home-folder encryption to be weaker than that of my TrueCrypt volume, if for no other reason than password length (and there are other reasons).
The implication of your argument is that, if I choose to have my most sensitive work on a drive with a 40 character password, I should never mount it onto a system that has an 8 character password! In fact, if your argument were to hold sway, nobody would use TC for anything other than full disk encryption.
First Cup of Ubuntu
@dcstar - thanks, I am strongly tempted to do so. But I wanted to come to the forum first to see if I was missing something obvious. I'm not currently convinced by any of the counter arguments presented to me and if that continues to be the case I most certainly will raise it as a security issue.
Has headphones now.
Three reasons, as I see it:
1) It's more difficult to code for. If you've already got to figure out if you've got permissions on the drive to store thumbnails, whether the drive has the capacity or bandwidth required to store thumbnails (think floppy drives, one-write CDs, network shares), and whether the drive is nearly full or not, then thumbnailing is more of a headache.
2) It could slow down I/O traffic on old or network storage.
3) Dumping thumbnails in the directory they're in leaves rubbish all over the places you view in a file manager.
I can see where you're coming from, I was just thinking of reasons from a developer's point of view.
Systems Samurai
I wouldnt say it is a security issue, more of a privacy issue (though the 2 can be related depending on context). Unless the readable thumbnails contain security related information such as passwords.
If someone other than you has access to the thumbnails then security has already been compromised and then in addition your privacy also.
Peace
Backtrack - Giving machine guns to monkeys since 2006
Kali-Linux - Adding a grenade launcher to the machine guns since 2013
I Ubuntu, Therefore, I Am
Applications should only ever store data in your /home unless explicitly instructed otherwise, in my opinion.
Gee! These Aren't Roasted!
Because I have a more robust security mechanism for my computers, it's called a door lock. So if you don't have one of those and other people readily have access to your home folder then regardless of what kind of encryption you're running, with the cost and speed of data you can push through today's graphics chips, physical access to even encrypted data is nearly pointless.
And it sounds to me like if your home folder is encrypted with it's thumbnails, then it's just as secure as your encrypted USB key with the originals. So calling this a "MASSIVE security fail" seems a little sensationalist to me.
"If all else fails, immortality can always be assured by spectacular error." -John Kenneth Galbraith, Economist
Ubuntu Member
Really don't see any issue here at all. If one has files they have concerns about then take care of them yourselves.
(- And currently nautilus (3.6+), stores the vast majority of thumbnails in ~/.cache/thumbnails.
If one saves a text file & doesn't like what they see in the icon then they should also take care of it themselves, no big deal.
Adv Reply
Bookmarks