by GlitchMr on 1/20/21, 3:05 PM
I find it interesting that GNOME Screensaver's security depends on it not crashing.
Meanwhile, in KDE the lock screen is managed by KDE Session Management Server, which ensures that the lock screen cannot be bypassed by simply crashing its process.
The way it works is as follows: ksmserver draws a black rectangle over everything and spawns kscreenlocker. If kscreenlocker crashes, the black rectangle is still there, and ksmserver will spawn kscreenlocker again, but this time with software rendering (just in case it crashed due to a graphics driver issue). If kscreenlocker crashes four times then KDE Session Management Server gives up, stops respawning kscreenlocker and simply draws the following text on the screen:
The screen locker is broken and unlocking is not possible anymore.
In order to unlock switch to a virtual terminal (e.g. Ctrl+Alt+F2),
log in and execute the command:
loginctl unlock-session %1
Afterwards switch back to the running session (Ctrl+Alt+F%2).
If ksmserver itself crashes then the entire session closes.
I'm not sure why GNOME screensaver cannot do something like this. A lock screen crashing seems like something inevitable (especially considering buggy graphics card drivers and so on), and it makes sense to prepare for it so that crashes won't bypass the screen locker.
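The respawn policy described above, written out as an added example (my own sketch, not ksmserver's code): the supervisor owns the fail-closed shield, retries the locker with a software-rendering flag after the first crash, and after four crashes reports "broken" without ever lowering the shield. The environment variable name, the `run` injection and `scripted_run` are assumptions for illustration.

```python
from __future__ import annotations
import os
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Callable

MAX_CRASHES = 4                     # ksmserver gives up after four crashes
SOFT_RENDER_VAR = "LOCKER_SOFTWARE_RENDERING"   # assumed name, not KDE's

@dataclass
class LockSupervisor:
    # Plays ksmserver's part: the shield (the black rectangle) belongs to
    # the supervisor, not to the locker child, so a locker crash cannot
    # expose the desktop.
    argv: list[str]
    run: Callable = subprocess.run  # injected so the policy can be exercised
    shield_up: bool = False
    soft_render_used: list[bool] = field(default_factory=list)

    def lock(self) -> str:
        self.shield_up = True       # drawn before the locker even starts
        env = dict(os.environ)
        env.pop(SOFT_RENDER_VAR, None)
        for attempt in range(1, MAX_CRASHES + 1):
            if attempt > 1:         # retry without the GPU driver in the loop
                env[SOFT_RENDER_VAR] = "1"
            self.soft_render_used.append(attempt > 1)
            if self.run(self.argv, env=env).returncode == 0:
                self.shield_up = False  # only a clean exit (auth OK) lowers it
                return "unlocked"
        return "broken"             # shield stays up; unlock via loginctl from a VT

def scripted_run(exit_codes):
    # Constructed stand-in for subprocess.run that hands back the given exit
    # codes in order (non-zero = crash, 0 = clean unlock); 1 once exhausted.
    codes = list(exit_codes)
    def run(argv, env=None):
        return subprocess.CompletedProcess(argv, codes.pop(0) if codes else 1)
    return run

if __name__ == "__main__":
    # Real child that always crashes, standing in for a broken kscreenlocker.
    sup = LockSupervisor([sys.executable, "-c", "raise SystemExit(1)"])
    print(sup.lock(), "shield_up =", sup.shield_up)   # broken shield_up = True
```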
by gambiting on 1/20/21, 9:17 AM
Does anyone know why lockscreens in Linux have been such a joke? I remember trying Ubuntu a couple of years ago and when waking up my laptop it would show me my entire desktop with all the information displayed right there in the open for about 10-20 seconds before suddenly engaging the lockscreen. All you had to do was close the lid and open it again and you could just copy whatever was on the screen before the lock screen appeared. I guess it's because the lockscreen was a separate process that had to start up? Still, what an awful awful design.
by mightybyte on 1/20/21, 1:41 PM
Years ago I taught a high school typing class in a K-12 school. The school didn't have the funds to get a commercial typing program so I wrote my own typing program. It evolved over time with features to help me track the students' progress etc. One day we had a school open house where all the parents could come to school. We had a bunch of different activities set up in different classrooms and I ended up getting assigned to the 3rd grade classroom to set up my typing program so anyone coming through could test their typing speed. It was a DOS program and I didn't want people using anything other than my typing program, so I modified it so you couldn't quit the typing program. Over the course of the day the 3rd graders were hanging out in their homeroom not really doing anything productive. Of course the computer was a novel attraction and they were just smashing keys and exploring my program's UI. Eventually at one point I noticed that they had somehow crashed my program with a segfault in what had otherwise become a pretty stable piece of software. To this day I have absolutely no idea what the bug was.
by tauntz on 1/20/21, 10:04 AM
My kid got around the lock screen of my mac. Twice.
It was 4-5 years ago when he was about 2. I had a 15+ character random password (a generated one including symbols etc) so the chances of him being lucky were rather slim. He was just mashing buttons on the lock screen for less than a minute when boom, I was suddenly signed in. The first time I thought it was a fluke. Then it happened again after a couple of months. After that I took my phone, sat him behind my computer and started to record him playing with the buttons but it never happened again and my hopes of getting a bug bounty from Apple vanished :(
by diegoperini on 1/20/21, 9:16 AM
Step 1: Gather timings of key presses from a lot of kids.
2: Use ML to learn how to simulate it.
3: Sell it as a service, labeling it KaaS.
4: Profit, then go to jail because of a misunderstanding.
But seriously, is there such a tool to automate this?
by eth0up on 1/20/21, 10:24 AM
Physlock works comparatively well, but nothing can stop the omniscient stupidity of, e.g., ctrl-alt-del 10x (or similar) invoking reboot, which I've found no method of preventing. The general attitude encountered when seeking a solution to this madness is "if someone has physical access, you're pwned anyway", which is also supremely unimaginative and omnisciently stupid. This has gnawed at my cranial portions for years, and I now speak forth in due fury.
https://linuxcommandlibrary.com/man/physlock
by herpderperator on 1/20/21, 9:22 AM
In middle school long ago, I was using one of the library search computers. They ran Windows XP and were locked down to the point where you couldn't open anything except the software that was running and you had no access to the desktop. One day I was rapidly mashing the "Search" button in the native book-searching software they were using - for no reason at all - and it suddenly opened an Explorer window out of nowhere showing everything in the filesystem. I could reproduce it easily with rapid-enough clicks. I still have no idea why that happened.
by joshspankit on 1/20/21, 1:10 PM
My own anecdote:
My daughter was 1ish at the time, and I sat her down while I grabbed something from the fridge. Windows 98, locked.
When I came back the screensaver was on, the password dialog was still up, but the desktop was fully functional in front of it. I could navigate, open applications, and everything else.
Still no idea how she did it, but that’s not the first or last time she surprised me :)
by martin-adams on 1/20/21, 9:16 AM
This reminds me of when I was about 14. I had a Tamagotchi which I had for a record amount of time. My niece, about 2 at the time, wanted to see it so I let her hold it. Within half a second, she squeezed both buttons at the same time and crashed it.
My daughter managed to buy 24 hours of football pass with NowTV by pressing the same button repeatedly on the remote within about 5 seconds.
So a crash like this doesn't surprise me.
by kuter on 1/20/21, 9:29 AM
For anyone interested, there is something called fuzzing that usually uses code-coverage-based heuristics to generate data to find bugs.
For example, LLVM's libFuzzer uses instrumentation to track code coverage and mutates data to find invalid behaviour.
https://llvm.org/docs/LibFuzzer.html
It uses a compiler pass to insert code at branch points, function calls, etc.
I think it uses genetic algorithms to increase coverage by changing the data.
There are others that work in similar ways; one of them is:
https://github.com/google/AFL
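An added example of the loop the comment describes (my own toy, not libFuzzer's or AFL's code): `sys.settrace` stands in for the compiler pass and records which lines of the target ran, mutants that reach a new line are kept as parents, and the first crashing input is returned. The target is a constructed input handler that only crashes on a three-key sequence, which blind key mashing rarely hits but coverage feedback reaches step by step.

```python
import random
import sys
def toy_input_handler(keys: bytes) -> None:
    # Constructed target: crashes only after "k", then "d", then "e" (gaps allowed).
    state = 0
    for k in keys:
        if state == 0 and k == ord("k"):
            state = 1
        elif state == 1 and k == ord("d"):
            state = 2
        elif state == 2 and k == ord("e"):
            raise RuntimeError("locker crashed")  # the bug we want found

def run_with_coverage(fn, data):
    # sys.settrace stands in for libFuzzer's compiler pass: record lines of fn that ran.
    covered = set()
    def tracer(frame, event, arg):
        if frame.f_code is fn.__code__ and event == "line":
            covered.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        fn(data)
        crashed = False
    except Exception:
        crashed = True
    sys.settrace(None)
    return covered, crashed

def mutate(data, rng):
    # Byte-level mutation: overwrite a byte or insert one, one to three times.
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        if rng.randrange(2):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        else:
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seeds, iterations=50000, seed=1):
    # Coverage-guided loop: mutants reaching a new line join the corpus as parents.
    rng, corpus = random.Random(seed), list(seeds)
    seen = set().union(*(run_with_coverage(target, s)[0] for s in seeds))
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        covered, crashed = run_with_coverage(target, candidate)
        if crashed:
            return candidate
        if not covered <= seen:
            seen |= covered
            corpus.append(candidate)
```

Calling `fuzz(toy_input_handler, [b"aaaa"])` returns a byte string containing k, d and e in order; without the coverage check the same loop would have to guess all three at once.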
by Leherenn on 1/20/21, 12:10 PM
Another tangentially linked anecdote. We had build artefacts stored on a Samba shared drive, that were write protected, since some people regularly used to move them instead of copying them. Then one day, the latest build was gone again. We asked around to see whether someone had purposefully removed the build, but no. Turns out someone on Windows 10 had tried to cut and paste the file, but his computer had crashed before pasting. Apparently the permissions were only checked on paste, but the file was unlinked on cut?
by dluan on 1/20/21, 9:37 AM
Something about this exchange was extremely pleasing and calming to read, maybe I'm irony poisoned from overly loud social media. But this was so nice to read through.
by mhh__ on 1/20/21, 11:03 AM
Unless there's something unbelievably wacky going on, this is why people use formal verification.
If you can describe your program as a state machine, you can ask an SMT solver to find any transitions that break stuff. Unfortunately it's a lot harder to do for software than hardware because of the plasticity people expect from the former, but when it works it's really nice.
by 12312311241231 on 1/20/21, 10:03 AM
Keep in mind that screensavers aren't the only untested dumpster fire on Linux Desktops (or ~ distributions in general).
The whole desktop architecture is out of date. I wouldn't be surprised if someone argued that screensavers aren't important because it's just your user data exposed, the root account is still safe!
by nrvn on 1/20/21, 7:02 PM
I enjoy seeing my kid breaking software, POS terminals and causing ATMs to throw error windows. Nothing critical, just funny how random screen touching and keyboard mashing drives “serious” software crazy.
Fool-proof and child-proof software is yet to come.
Hire QA kids.
by mensetmanusman on 1/20/21, 2:04 PM
Hilarious, esp. if you have kids.
I see similar behavior with smartphones.
3-year-olds figure it out better than my parents because it seems their mindset is ‘do all the things’ to see what the i/o structure is. Their brain is built that way when they are so young.
by 0xTJ on 1/20/21, 2:29 PM
Not really the same, but I had fun back in high school finding the Novell messaging utility that let me send a message to (IIRC) anyone in the school board currently logged in, though not anonymously.
Using a couple of lines of VBScript to change a couple of registry entries (the computers didn't persist storage anyway) you could also give yourself local admin privileges to install stuff. That one got me in a touch of trouble, and I lost my account for a couple of weeks while they "looked at my files", because I stored it in my network drive folder.
by lostgame on 1/20/21, 3:44 PM
Huh. Am I alone in that I consistently test for a massive ton of random key or screen presses? Either manually or through automation?
by uoaei on 1/20/21, 7:48 PM
Linux Mint, and whatever it's built on, has been disappointing to me. The most worrying thing I've experienced is that, when waking up from sleep, the unlocked screen will sometimes flash before showing the lockscreen. That is a huge no-no and really betrays the fallibility of whatever security measures are employed.
by viro on 1/20/21, 4:05 PM
As an infosec person with no CVEs, stories like this make me feel like a complete failure. ¯\_(ツ)_/¯
by Havoc on 1/20/21, 10:33 AM
Who needs fancy fuzzing tools anyway?
by boomboomsubban on 1/20/21, 9:54 AM
I'm surprised nobody had "ē" in their password to notice this earlier.
by technothrasher on 1/20/21, 4:55 PM
I remember finding a very similar issue with XDM on a Sun 3/60 back in about 1992. Just mash the keyboard while in the 'password' field and it would eventually drop a root shell. Oops!
by etxm on 1/20/21, 3:31 PM
I worked at a finance company in the early 00s.
The QA team had a test they called “the elbow test” where they did exactly this.
Just kind of put their elbow randomly on the keyboard to see if stuff would break.
by causalmodels on 1/20/21, 3:04 PM
The first computer I ever bricked was my father's work laptop running Windows 95. I was a toddler and wanted to press the buttons. Good to see the kids are still at it!
by Darmody on 1/20/21, 11:23 AM
If you leave a VirtualBox window open with Windows (I'm not sure about other OSes) it'll bypass the lockscreen on Ubuntu, at least partially.
by Jerry2 on 1/20/21, 7:23 PM
That reminded me of the Linux GRUB2 bug where you could press the Backspace key 28 times and bypass all security. [1]
>The source of the vulnerability is nothing but an integer underflow fault that was introduced with single commit in Grub version 1.98 (December 2009) – b391bdb2f2c5ccf29da66cecdbfb7566656a704d – affecting the grub_password_get() function.
[1] https://thehackernews.com/2015/12/hack-linux-grub-password.h...
by scotty79 on 1/20/21, 3:31 PM
I once had a cat walk over my keyboard and do a hard reset on Windows 95 in about 1 second.
No dialogs or confirmations. Just black screen and computer rebooting.
by WhompingWindows on 1/20/21, 3:14 PM
Is there an automated process security researchers use like this? Just mashes random buttons for hours until it finds vulnerabilities?
by atomize on 1/20/21, 5:47 PM
They learn so young these days! Never ceases to amaze me. They are totally set up for this industry. Would hire 10/10.
by z29LiTp5qUC30n on 1/20/21, 1:35 PM
The best part is they moved to physlock, specifically the version which you can bypass by hitting enter 3 times...
by inetknght on 1/20/21, 3:34 PM
A piece of GNOME easily crashes and causes security issues?
Color me surprised! /s
by exabrial on 1/20/21, 11:04 PM
My cat previously unlocked OSX Leopard with a similar attack.
by codeulike on 1/20/21, 9:20 AM
It works in the movies
by plumeria on 1/20/21, 3:14 PM
So, is this an instance of the infinite monkey theorem?
by rblion on 1/20/21, 10:54 AM
Imagine if Jurassic Park was real and this happened...
by fmakunbound on 1/20/21, 5:25 PM
There is no hope for us in this field, is there?
by johnwayne117 on 1/20/21, 8:36 PM
and they say, "monkey testing" is underrated
by chromatin on 1/20/21, 4:59 PM
Meatspace fuzzing
by greypowerOz on 1/20/21, 9:34 AM
warning: cat-like typing detected
by blackrock on 1/20/21, 9:40 AM
Is this the old monkey testing technique?
by stelf on 1/20/21, 9:19 AM
Time to make a joke about Windows lock screens? Or perhaps not...
by idiocrat on 1/20/21, 9:04 AM
Well, the original definition of the word "hacking".
Hacking on keyboard to exploit keypress timings, key combinations and key buffer overflows.