
posted by janrinok on Monday January 30 2023, @07:39PM
from the Security dept.

I found this on one of Devuan's forums

There's a software package called Zeitgeist that's been finding its way into nearly every Linux and BSD package repository. It's also on Devuan. Be sure to read the note at the bottom of this post even if you are not impacted by this.

It reads your emails, it monitors the websites you visit, listens to private conversations, and logs the files on your computer, and then it shares this information freely over D-Bus to any application that wishes to use it. You are given no warning and have no option to say which software can access it, and which can't. Any software can access D-Bus, including closed-source software like Discord or Telegram (whether they do or not, who knows).

From the description, it looks as if it is designed to make spyware's job easy. Do you have it on your system? Do you want it on your system?

[Editor's Comment: The package has been around for quite some time (since at least 2012) without any security problems being reported. Ubuntu's repo describes it as:

Zeitgeist is a service which logs the user's activities and events (files opened, websites visited, conversations held with other people, etc.) and makes the relevant information available to other applications.

It does not appear to be installed as default on the small number of distros that I have looked at but it might be installed on others.]
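Added example, not from the post, the Devuan thread, or the Zeitgeist project: a POSIX sh audit that answers the "do you have it on your system?" question from the defender's side. It assumes Zeitgeist's session-bus name org.gnome.zeitgeist.Engine, its D-Bus activation file under /usr/share/dbus-1/services, and the activity database at ~/.local/share/zeitgeist/activity.sqlite with an `event` table.

```shell
#!/bin/sh
# Added audit script (not code from the post or the Zeitgeist project).
# Reports whether Zeitgeist is installed, whether D-Bus can auto-start it,
# whether it is running now, and how much it has already logged.
# Assumed names/paths: the well-known session-bus name
# org.gnome.zeitgeist.Engine, its activation file under
# /usr/share/dbus-1/services, and the log at ~/.local/share/zeitgeist/.

ZG_BUS_NAME="org.gnome.zeitgeist.Engine"
ZG_SERVICE_FILE="/usr/share/dbus-1/services/${ZG_BUS_NAME}.service"
ZG_DB="${HOME}/.local/share/zeitgeist/activity.sqlite"

# zg_bus_names: read a session-bus name listing (busctl/dbus-send output)
# on stdin and print only the Zeitgeist names. Pure text filter, testable.
zg_bus_names() {
    grep -o 'org\.gnome\.zeitgeist\.[A-Za-z.]*' | sort -u
}

# zg_count: number of distinct Zeitgeist bus names in the listing on stdin.
zg_count() {
    zg_bus_names | wc -l | tr -d ' '
}

# zg_audit: run the live checks on this machine; returns 1 if any trace found.
zg_audit() {
    found=0
    if command -v zeitgeist-daemon >/dev/null 2>&1; then
        echo "installed: $(command -v zeitgeist-daemon)"; found=1
    fi
    # D-Bus activation: a stopped daemon is restarted as soon as any client
    # asks the bus for the name, so the service file matters more than pgrep.
    [ -f "$ZG_SERVICE_FILE" ] && { echo "auto-activation: $ZG_SERVICE_FILE"; found=1; }
    pgrep -x zeitgeist-daemon >/dev/null 2>&1 && { echo "running: yes"; found=1; }
    if command -v busctl >/dev/null 2>&1; then
        names=$(busctl --user list --no-legend 2>/dev/null | zg_count)
        [ "$names" -gt 0 ] && { echo "on session bus: $names name(s)"; found=1; }
    fi
    if [ -f "$ZG_DB" ]; then
        echo "activity log: $ZG_DB ($(du -h "$ZG_DB" | cut -f1))"
        # 'event' table name assumed from the Zeitgeist SQLite schema
        command -v sqlite3 >/dev/null 2>&1 && \
            echo "  logged events: $(sqlite3 "$ZG_DB" 'select count(*) from event;')"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "no trace of Zeitgeist found"
    return "$found"
}
```

Call `zg_audit` on a desktop session; if it reports an activation file, removing the package is what stops the logging, since killing the process alone leaves D-Bus free to restart it on the next request.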


  • (Score: 5, Interesting) by Rich (945) on Monday January 30 2023, @10:38PM (#1289387)

    This dates from a time when timelines (i.e. Facebook and stuff) were all the rage and the GNOME people wanted to surf that wave. Not that I like what GNOME did before or past 2 (I run MATE), but it was sort of legit. It's only been more recently that, now that all the bases are covered, money making turned to other directions. Which is siphoning off data, and lately, server-bound AI-as-a-service, which probably caters to rent-schemes even more. Apple have introduced barriers to AppleEvents (their equivalent of DBUS), where an application has to have a specific entitlement to do AE interaction at all, and this also has to be clicked as acceptable, to suppress TFA avenues of leakage. (*)

    This brings us to the point where the "line of defense" should be drawn: At the user level, with the user making sure that he will install no malware. Or at the application level, assuming the user is too stupid to keep his machine clean of nasty stuff. Apple does the latter (*), with all the entitlements and sandboxing of applications. The downside of the latter is that it brings all kinds of hassle to the power user. (e.g. I'm working on a large client suite that historically was designed as AE-interacting modules, and it's a PITA).

    If we assume the line of defense at the user level, what this GNOME thing does is just fine. And if we assume it at application level, Linux in general is nowhere near where it would have to be.

    (*) I feel this is more to keep competition away than to ensure privacy, because if they would really care about that, the first thing to be gated by their massive security theater would be network connections - which they don't gate at all, and at one point even prevented Little Snitch from third party gating of their own leaking.
