Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Monday January 30 2023, @07:39PM   Printer-friendly
from the Security dept.

I found this on one of Devuan's forums

There's a software package called Zeitgeist that's been finding its way into nearly every Linux and BSD package repository. It's also on Devuan. Be sure to read the note at the bottom of this post even if you are not impacted by this.

It reads your emails, it monitors the websites you visit, listens to private conversations, and logs the files on your computer. and then it shares this information freely over D-Bus to any application that wishes to use it. You are given no warning and have no option to say which software can access it, and which can't. Any software can access D-bus, including closed-source software like Discord or Telegram (whether they do or not, who knows).

From the description, it looks as if it is designed to make spyware's job easy. Do you have it on your system? Do you want it on your system?

[Editor's Comment: The package has been around for quite some time (since at least 2012) without any security problems being reported. Ubuntu's repo describes it as:

Zeitgeist is a service which logs the user's activities and events (files opened, websites visited, conversations held with other people, etc.) and makes the relevant information available to other applications.

It does not appear to be installed as default on the small number of distros that I have looked at but it might be installed on others.]


Original Submission

This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 3, Interesting) by Nuke on Monday January 30 2023, @07:46PM (10 children)

    by Nuke (3162) on Monday January 30 2023, @07:46PM (#1289357)

    I see it in the repository but it is not installed. Why would anyone install it? Is there supposed to be an upside?

    • (Score: 4, Informative) by aafcac on Monday January 30 2023, @08:32PM (8 children)

      by aafcac (17646) on Monday January 30 2023, @08:32PM (#1289367)

      It's personally for corporate users. Or, possibly for automation.

      • (Score: 4, Interesting) by RS3 on Monday January 30 2023, @10:05PM (6 children)

        by RS3 (6367) on Monday January 30 2023, @10:05PM (#1289382)

        Came to say that. It greatly pains me to say it, but a corporation may have legitimate reasons to keep tabs (pun not intended) on what employees are doing, or not doing.

        • (Score: 3, Insightful) by RS3 on Tuesday January 31 2023, @03:04AM (5 children)

          by RS3 (6367) on Tuesday January 31 2023, @03:04AM (#1289419)

          I meant to add that this kind of worker surveillance usually (obviously) lowers worker morale and productivity. Companies might try to keep it secret, but if and when someone finds out, finds another job, and lets the ex-coworkers know, the atmosphere won't likely be good.

          https://www.bbc.com/worklife/article/20230127-how-worker-surveillance-is-backfiring-on-employers?utm_source=bbc-news&utm_medium=right-hand-slot [bbc.com]

           

          • (Score: 5, Interesting) by Reziac on Tuesday January 31 2023, @03:23AM (1 child)

            by Reziac (2489) on Tuesday January 31 2023, @03:23AM (#1289424) Homepage

            It doesn't have to be for worker surveillance, tho. It can be documentation, which is to say ass-covering, to assure a client that a given action is or is not performed. Employees can be entirely aware, and have a stake in their actions being properly recorded. It can be total internal monitoring of, say, a police department, or a congresscritter's communications, where transparency and complete records are required for public trust.

            That assholes abuse a tool doesn't mean it can't have a perfectly honest function, or that it doesn't fill a legit need.

            However, I would certainly not install it on my personal PCs.

            --
            And there is no Alkibiades to come back and save us from ourselves.
            • (Score: 1, Informative) by Anonymous Coward on Tuesday January 31 2023, @08:22AM

              by Anonymous Coward on Tuesday January 31 2023, @08:22AM (#1289442)

              which is to say ass-covering, to assure a client that a given action is or is not performed

              Yeah. "Here's proof that I was not responsible for the screw up. You can see that everything I did on that VM was 100% according to SOP, company guidelines and perfectly reasonable for the task at hand."

              For similar reasons I often do video recordings of my screen while I do a task. Then later on the recordings and screenshots can be evidence of what I did and what happened.

          • (Score: 3, Insightful) by mcgrew on Tuesday January 31 2023, @08:20PM

            by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday January 31 2023, @08:20PM (#1289519) Homepage Journal

            Employers are still operating under "there are ten or mor applicants for every job, fuck the employee." They're too slow to realize, or hope that you are, that it's turned around since we boomers all retired.

            --
            mcgrewbooks.com mcgrew.info nooze.org
          • (Score: 3, Informative) by corey on Tuesday January 31 2023, @08:38PM (1 child)

            by corey (2202) on Tuesday January 31 2023, @08:38PM (#1289523)

            Certainly does lower productivity. On my corporate Windows laptop, they have a few security packages installed plus antivirus software by Sophos. It’s a 10th gen i7 with 32GB RAM and the fan in it runs pretty much constant all day every day. I’m often opening task manager and seeing what’s going on and it’s either an inventory scanner, virus scanner, windows modules installer, auditor running. It seems to scan every file open access and saving so there’sa delay in everything. It is pretty borked, it runs very slow most of the time for what it is and my home PC running Windows, which is a 2nd gen i5 overlocked, is significantly faster and snappier. Additionally, I can’t either install anything nor run any executable that’s in some white list. Thankfully I can still run Putty and Firefox but one day I tried to ask if I could run mupdf (because it’s infinitely faster to open and operate than Adobe Acrobat), but I had to fill out forms, get them signed by senior management and then wait for IT to get around to installing it or white listing it. Really is a joke. Think I’m going to go contractor and BYO hardware.

            • (Score: 2) by RS3 on Tuesday January 31 2023, @09:49PM

              by RS3 (6367) on Tuesday January 31 2023, @09:49PM (#1289541)

              I'm somewhat too passionate about machines, tools, etc., to deal with all of that. I'd have found another job long ago. They probably added all that stuff over time so you'd acclimate. Ugh. One of my great passions (and I'm not willing to undergo ECT to de-program my brain and remove it) is productivity and efficiency- mainly for myself. The rare times I've been in any kind of supervisory role I've never ever pressured anyone to work harder, faster, etc. I'm too busy doing my own thing to notice anyway.

              I've had friends and coworkers who have a very good attitude about work- they just don't care about such things. They don't have the tools or parts or supplies or time or cleared path to get something done? Aaa, they're happy to sit and wait until management does their jobs. I wish I didn't care.

              I'm curious- have you in any way documented, and/or communicated to IT and/or management about how you're being slowed down by all of the crapware on your company issued computer?

      • (Score: 5, Interesting) by richtopia on Tuesday January 31 2023, @12:12AM

        by richtopia (3160) on Tuesday January 31 2023, @12:12AM (#1289400) Homepage Journal

        I support industrial equipment (running Windows, so irrelevant). This sounds pretty handy for troubleshooting weird issues that are probably originating between the keyboard and chair.

    • (Score: 3, Informative) by Gaaark on Monday January 30 2023, @11:12PM

      by Gaaark (41) on Monday January 30 2023, @11:12PM (#1289392) Journal

      Same with Manjaro. :)

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2) by turgid on Monday January 30 2023, @08:38PM (1 child)

    by turgid (4318) Subscriber Badge on Monday January 30 2023, @08:38PM (#1289369) Journal

    I seem to remember Ubuntu having this sort of idea some years ago. Or have I misremembered?

    • (Score: -1, Offtopic) by Anonymous Coward on Tuesday January 31 2023, @06:45AM

      by Anonymous Coward on Tuesday January 31 2023, @06:45AM (#1289439)

      "misremembered"? Too gender specific. Mxremember is the currently correct title.

      https://nonbinary.wiki/wiki/Gender_neutral_titles [nonbinary.wiki]

  • (Score: 5, Informative) by turgid on Monday January 30 2023, @08:50PM

    by turgid (4318) Subscriber Badge on Monday January 30 2023, @08:50PM (#1289371) Journal

    Presumably it's FOSS so there's source code for it out there? From Wikipedia [wikipedia.org]:

    Zeitgeist is the main engine and logic behind GNOME Activity Journal which is currently seen to become one of the main means of viewing and managing activities in GNOME version 3.0.

    There's a list of features. It does a lot of spying. Apparently it's written in Vala [wikipedia.org] and the source repo is at https://gitlab.freedesktop.org/zeitgeist/zeitgeist [freedesktop.org]

  • (Score: 4, Touché) by Freeman on Monday January 30 2023, @08:57PM (4 children)

    by Freeman (732) on Monday January 30 2023, @08:57PM (#1289373) Journal

    FOSS program designed for tracking users/user data is easily used for spyware. News at 11. Now, if you said MX Linux is using it by default or something, or it reports to Microsoft servers or something. We might have a story.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 4, Insightful) by tizan on Monday January 30 2023, @09:48PM

      by tizan (3245) on Monday January 30 2023, @09:48PM (#1289380)

      FOSS: Well its like reading about the security of a bank safe. Does it make a bank easier to break into ? May be...but you have to reach the safe.
      So if you can write spyware because you read the code that does some personal data collection..deploying it is a big issue.
      Unless you work for some closed software like skype or slack or something like that otherwise all other linux apps deployed are FOSS too.
      Skype or Slack do not really need Zeitgeiss data collection to spy on people.

    • (Score: 4, Insightful) by janrinok on Tuesday January 31 2023, @07:05AM

      by janrinok (52) Subscriber Badge on Tuesday January 31 2023, @07:05AM (#1289440) Journal

      It isn't a story - it is under the 'Ask Soylent' banner. What do members of our community know about it and has anybody seen it in use? For what purpose?

    • (Score: 2) by corey on Tuesday January 31 2023, @08:40PM (1 child)

      by corey (2202) on Tuesday January 31 2023, @08:40PM (#1289525)

      Why not MX Linux?

      • (Score: 2) by Freeman on Friday February 03 2023, @04:16PM

        by Freeman (732) on Friday February 03 2023, @04:16PM (#1290035) Journal

        I meant, if a major distribution was using it by default. It could be a story, but to my knowledge, no one is. It's just a freely available package available in a repository. People happily download a lot more suspect programs than that.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 4, Interesting) by Rosco P. Coltrane on Monday January 30 2023, @10:11PM

    by Rosco P. Coltrane (4757) on Monday January 30 2023, @10:11PM (#1289383)

    I cancel the apt-get install immediately.

    Yes, I'm one of those people who investigate what other packages something I want to install pulls. If a package pulls Zeitgeist, it can fuck right off.

  • (Score: 5, Interesting) by Rich on Monday January 30 2023, @10:38PM

    by Rich (945) on Monday January 30 2023, @10:38PM (#1289387) Journal

    This dates from a time when timelines (i.e. Facebook and stuff) were all the rage and the GNOME people wanted to surf that wave. Not that I like what GNOME did before or past 2 (I run MATE), but it was sort of legit. It's only been more recently that, now that all the bases are covered, money making turned to other directions. Which is siphoning off data, and lately, server-bound AI-as-a-service, which probably caters to rent-schemes even more. Apple have introduced barriers to AppleEvents (their equivalent of DBUS), where an application has to have a specific entitlement to do AE interaction at all, and this also has to be clicked as acceptable, to suppress TFA avenues of leakage. (*)

    This brings us to the point where the "line of defense" should be drawn: At the user level, with the user making sure that he will install no malware. Or at the application level, assuming the user is too stupid to keep his machine clean of nasty stuff. Apple does the latter (*), with all the entitlements and sandboxing of applications. The downside of the latter is that it brings all kinds of hassle to the power user. (e.g. I'm working on a large client suite that historically was designed as AE-interacting modules, and it's a PITA).

    If we assume the line of defense at the user level, what this GNOME thing does is just fine. And if we assume it at application level, Linux in general is nowhere near where it would have to be.

    (*) I feel this is more to keep competition away than to ensure privacy, because if they would really care about that, the first thing to be gated by their massive security theater would be network connections - which they don't gate at all, and at one point even prevented Little Snitch from third party gating of their own leaking.

  • (Score: 1) by ShovelOperator1 on Monday January 30 2023, @11:10PM

    by ShovelOperator1 (18058) on Monday January 30 2023, @11:10PM (#1289391)

    But aren't X doing the same philosophy? Like forwarding the events to many applications?
    The system is defective, but not the system we're trying to fix. The open source system should automatically workaround such issues, and free software should certainly do it. If it isn't then there is something really wrong with selecting software when using free-as-in-freedom operating system and software.

  • (Score: 3, Insightful) by its_gonna_be_yuge! on Monday January 30 2023, @11:17PM

    by its_gonna_be_yuge! (6454) on Monday January 30 2023, @11:17PM (#1289393)

    "There's a software package called Zeitgeist that's been finding its way into nearly every Linux and BSD package repository."

    Not on Gentoo. I really doubt that this is as widespread as rumoured.

  • (Score: 5, Interesting) by darkfeline on Tuesday January 31 2023, @12:33AM (1 child)

    by darkfeline (1030) on Tuesday January 31 2023, @12:33AM (#1289402) Homepage

    Every process on your machine running as your user already has access to all of your data. Providing an accessible API for that data only makes it easier to track what's accessing that data (assuming that you're running untrusted spyware (in which case try stop doing that) that switch to this new API over what they're already doing).

    With all due respect to the Devuan folks, they seem to have a habit of shrieking about the campfire with their backs turned toward the forest fire, so to speak.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 3, Insightful) by aafcac on Tuesday January 31 2023, @05:24AM

      by aafcac (17646) on Tuesday January 31 2023, @05:24AM (#1289435)

      Perhaps better permissions are in order. You shouldn't be seeing processes by other users if you care about privacy. There's little point in informed users seeing all those other processes anyways.

  • (Score: 5, Informative) by edinlinux on Tuesday January 31 2023, @12:38AM

    by edinlinux (4637) on Tuesday January 31 2023, @12:38AM (#1289403)

    I checked my setup (standard Linux Mint 21 with Mate as the window manager).

    zeitgeist-daemon and package zeitgeist-core are not installed by default.

    So for recent linux mint users at least, nothing to worry about it seems.

  • (Score: 4, Interesting) by Runaway1956 on Tuesday January 31 2023, @03:32AM

    by Runaway1956 (2926) Subscriber Badge on Tuesday January 31 2023, @03:32AM (#1289426) Journal

    Just like a bazillion other packages available in my repositories, it's not installed.

    event logging framework

    Zeitgeist is a service which logs the user's activities and events (files
    opened, websites visited, conversations held with other people, etc.) and
    makes the relevant information available to other applications.

    It serves as a comprehensive activity log and also makes it possible to
    determine relationships between items based on usage patterns.

    This metapackage depends on the Zeitgeist engine and a set of packages
    (such as data providers) commonly used together with it.

    The list of installed files is only available for installed packages

    OK, so it's spyware. I'm uhhhh - kinda OK with that.

    I just commissioned an Android tablet into service. The thing is riddled with spyware. The user can't scratch his/her arse without permission. Want to install an app? You'll wait until Google's Family Link queries me, unless you cancel installation first. My tablet, my grandchildren, my rules, and the spyware stays.

    Naturally, I wouldn't tolerate this software on my own machine. Or on my wife's machine. I wouldn't tolerate it on your machine. Unless, of course, you intentionally installed it on your own machine. Then, it would be cool.

    So, if Harding Hardware and Mike's Mechanic Shop install this hardware on their own machines to keep track of their own computers - it's cool.

    For info: There are far more packages in my distro's repositories that are not installed by default than there are installed by default. I don't think that it's especially noteworthy that one (actually three packages - zeitgeist zeitgeist-core and zeitgeist-datahub) of those packages is also a spyware.

  • (Score: 3, Informative) by RS3 on Tuesday January 31 2023, @10:14PM

    by RS3 (6367) on Tuesday January 31 2023, @10:14PM (#1289548)
(1)