Session tags in windows decoration UI
25 views
Skip to first unread message
Konstantin Ryabitsev
Jan 18, 2017, 4:06:33 PM1/18/17
to qubes...@googlegroups.com
Hi:
Joanna and I had a quick back-and-forth about this article today:
https://textslashplain.com/2017/01/14/the-line-of-death/
Pic-within-a-pic attack was mentioned, and I was wondering if we can do
more to prevent spear-attacks aimed at Qubes users. I'm willing to bet
your trusted work terminal looks exactly like this [1] (except my added
bash powerline bits). Most people won't rename it from [work] to
something else (partly for ease of copying files between VMs, partly out
of inertia), so I'm willing to bet most of you would have a blue frame
with the title "[work] user@work:~".
What if each login session generated a short random text label displayed
prominently as part of XFCE top bar UI, to act as your "session UI
fingerprint," like "<XoaZ>" for the sake of example. Then the window
decoration title would be:
<XoaZ>:[work] user@work:~
Identifying pic-within-a-pic attacks would be easier by quickly checking
if the random string in the window title matches the string displayed in
the XFCE ui (our "trusted pixels").
Just a thought for your consideration -- I have no idea how much work
this would be. :)
.. [1] http://imgur.com/a/7Fzd0
Joanna and I had a quick back-and-forth about this article today:
https://textslashplain.com/2017/01/14/the-line-of-death/
Pic-within-a-pic attack was mentioned, and I was wondering if we can do
more to prevent spear-attacks aimed at Qubes users. I'm willing to bet
your trusted work terminal looks exactly like this [1] (except my added
bash powerline bits). Most people won't rename it from [work] to
something else (partly for ease of copying files between VMs, partly out
of inertia), so I'm willing to bet most of you would have a blue frame
with the title "[work] user@work:~".
What if each login session generated a short random text label displayed
prominently as part of XFCE top bar UI, to act as your "session UI
fingerprint," like "<XoaZ>" for the sake of example. Then the window
decoration title would be:
<XoaZ>:[work] user@work:~
Identifying pic-within-a-pic attacks would be easier by quickly checking
if the random string in the window title matches the string displayed in
the XFCE ui (our "trusted pixels").
Just a thought for your consideration -- I have no idea how much work
this would be. :)
.. [1] http://imgur.com/a/7Fzd0
Sae
Jan 18, 2017, 4:44:17 PM1/18/17
to qubes...@googlegroups.com
think. In the end, comparing the two strings is probably just as
annoying as sliding the top window to not be over another window, as it
is recommended in the documentation.
But pic within a pic is a real threat, for example:
https://www.youtube.com/watch?v=G81hQOpdV2Y&feature=youtu.be&t=2796
Can we consider the background as safe (possibly by changing it on the
fly with something that can't be guessed depending on the active
window), and set each window that is not active to semi transparent?
Andrew David Wong
Jan 18, 2017, 5:12:23 PM1/18/17
to qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Solutions to this problem are already implemented in Qubes, and they are
described here:
https://www.qubes-os.org/getting-started/#running-an-application-full-screen
Are these solutions deficient? If so, in what specific way(s)? What does
the proposed visual string comparison solution get us that the existing
ones don't? Personally, I find it much easier just to drag a window or
hit alt + tab than to visually compare anything. There's a lot of room for
improvement, but I think that any new solutions should aim to make protecting
against UI attacks easier for the user than it currently is, not harder.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYf+g9AAoJENtN07w5UDAwcc4QAKe1XGs/IT2i1X8xlXQMAl8m
atEPT496bjpPkFowTJRUY0OwsSywtRc70u8Ptt79baif1BANnxah/4KUhNwjzAwk
UQJQHT0eoBKObRQULGLTm6jja0mcYRx8QmzjqAck3A8jYJyklf9gZxjIhA3FqgsV
MvkxWrMqQUOqu4JNKGhYX75Kcxf10YY3f903RutTYh/E/qBYVsfgTk5qWsXbN4x2
Fn3SQ1usPY5QSwnKQ0UKvuMlrro0VVG63CNVnI1r4TM81/yjJgtZvp4EbJu03U1U
jxtRLighoItQPWEmw2uPLx8KYvO/KGffNqBPXA6LAznDHewn6QV/W/wYCbXgGpJ8
VqehI111ot79POLX1qkpODL1wkzNIaYVibGU1DAY+Ld5u8P8K4CBExd/MQUe77CX
fNqBSPzve+XBssGLwiPr2URWpRhUrpbPv7NplfEdY1hgjMxuH/PvP/35wo3Qv4iL
Iq4CLIa4fJdqlsLW8XHarXhQX5D4eKaTIawTyTgouz+KUnYnZujd2zQXCUWQXfVc
tEnJ2eRitp3GqF4Oa8n73D9iRAb1RwqKOd0zhO/s5X3GzzcQqdqfPWvCsKefpmZ/
kO9tkKwN3U8AqDICl5VNO3/BqK+ybCh8tkoOItSicB+jgcdPmFbJGhSidt1oeCMI
vccaoM80lA9ctXfQl+Ur
=lw5h
-----END PGP SIGNATURE-----
Hash: SHA512
described here:
https://www.qubes-os.org/getting-started/#running-an-application-full-screen
Are these solutions deficient? If so, in what specific way(s)? What does
the proposed visual string comparison solution get us that the existing
ones don't? Personally, I find it much easier just to drag a window or
hit alt + tab than to visually compare anything. There's a lot of room for
improvement, but I think that any new solutions should aim to make protecting
against UI attacks easier for the user than it currently is, not harder.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYf+g9AAoJENtN07w5UDAwcc4QAKe1XGs/IT2i1X8xlXQMAl8m
atEPT496bjpPkFowTJRUY0OwsSywtRc70u8Ptt79baif1BANnxah/4KUhNwjzAwk
UQJQHT0eoBKObRQULGLTm6jja0mcYRx8QmzjqAck3A8jYJyklf9gZxjIhA3FqgsV
MvkxWrMqQUOqu4JNKGhYX75Kcxf10YY3f903RutTYh/E/qBYVsfgTk5qWsXbN4x2
Fn3SQ1usPY5QSwnKQ0UKvuMlrro0VVG63CNVnI1r4TM81/yjJgtZvp4EbJu03U1U
jxtRLighoItQPWEmw2uPLx8KYvO/KGffNqBPXA6LAznDHewn6QV/W/wYCbXgGpJ8
VqehI111ot79POLX1qkpODL1wkzNIaYVibGU1DAY+Ld5u8P8K4CBExd/MQUe77CX
fNqBSPzve+XBssGLwiPr2URWpRhUrpbPv7NplfEdY1hgjMxuH/PvP/35wo3Qv4iL
Iq4CLIa4fJdqlsLW8XHarXhQX5D4eKaTIawTyTgouz+KUnYnZujd2zQXCUWQXfVc
tEnJ2eRitp3GqF4Oa8n73D9iRAb1RwqKOd0zhO/s5X3GzzcQqdqfPWvCsKefpmZ/
kO9tkKwN3U8AqDICl5VNO3/BqK+ybCh8tkoOItSicB+jgcdPmFbJGhSidt1oeCMI
vccaoM80lA9ctXfQl+Ur
=lw5h
-----END PGP SIGNATURE-----
Konstantin Ryabitsev
Jan 18, 2017, 5:30:53 PM1/18/17
to Andrew David Wong, qubes...@googlegroups.com
On Wed, Jan 18, 2017 at 02:12:18PM -0800, Andrew David Wong wrote:
>Solutions to this problem are already implemented in Qubes, and they
>are
>described here:
>
>https://www.qubes-os.org/getting-started/#running-an-application-full-screen
>
>Are these solutions deficient? If so, in what specific way(s)? What does
>the proposed visual string comparison solution get us that the existing
>ones don't? Personally, I find it much easier just to drag a window or
>hit alt + tab than to visually compare anything. There's a lot of room for
>improvement, but I think that any new solutions should aim to make protecting
>against UI attacks easier for the user than it currently is, not
>harder.
The current solutions are:
>Solutions to this problem are already implemented in Qubes, and they
>are
>described here:
>
>https://www.qubes-os.org/getting-started/#running-an-application-full-screen
>
>Are these solutions deficient? If so, in what specific way(s)? What does
>the proposed visual string comparison solution get us that the existing
>ones don't? Personally, I find it much easier just to drag a window or
>hit alt + tab than to visually compare anything. There's a lot of room for
>improvement, but I think that any new solutions should aim to make protecting
>against UI attacks easier for the user than it currently is, not
>harder.
1. Use KDE's expose to discern real from fake windows.
2. When not using KDE, use Alt-Tab for the same effect.
3. Move the window so it crosses the background window UI.
I like #1, but with XFCE becoming the default in 3.2, it's of limited
value. If there was similar functionality in XFCE, that would be very
handy to have -- e.g. "press and hold the Win key to quickly hide/roll
up all unfocused windows, and release the key to restore things exactly
as they were." That would be perfectly acceptable as well.
I don't like #2, because with a lot of windows open, I lose focus half
the time and have to find my window again, plus it's visually
cumbersome.
I don't like #3 either, because it requires that I move my hands towards
the mouse, though it's currently the most effective.
-K
Andrew David Wong
Jan 18, 2017, 9:38:35 PM1/18/17
to qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
certainly open to existence of multiple UI features that allow users to
distinguish between security domains so that different users can focus
on the features they prefer.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
LrUd+pmi9BZxN7AnALvMsBAXLQDT3b10Ozs9WZcIpkhDmXoJwWWzz4toLNhnAc8I
QlAiroeKdGk2joSQNe2ScQaFEJKJcDK7Uw0W5T3FXRtzm6dQDMBYbEJMHpHGx3mI
y5CHDwx1nyDxy1W3nFbuIJMRkbGc/WMGFTnUGOtsbpfZMofPnutn4Oy3vd57ejD2
XghD8meSu1naaEVbivLFLulzSX1Ll43yNW0Hx7uYae3QXElOkPiGL2BtdboVC0Ay
9tmgk34n0+2O6C8/85/1mze5zNhlsjOse+CCZ5UmZlVzwO4z2CiMWC8dCZ2cuFUs
BAKgEcPjce2hPT9qkR5KXe0NTVya6xR2Jhz6H+7JI0IpUQYH+bpm8AyBOnr6en+6
ctnYz1+OSQpxXycsQ6tN8K7/QQQdJn7Fr3k8FGoyDFgjIhnSW6GCM2qJ4zSrwjlM
SM75Ru+uXmA2kBLH5I+AylYG4RWyb5tNPbfmSnkzpY/AqOtzUlqylNPDvyjHDpTS
OzN7QhIfLQiTYmUJwESP2m9r364uOjh4IAcO1mcWo3EYTDIFG5YJV2JdAzOkgxU2
paA4/ncyKbG8itgg+LJgKFgWDogEgahWX31NG8zxXyWK3hfRslCIF0axZUJryhG0
8NO6EJ/BvOs7l601gjtQ
=EH6P
-----END PGP SIGNATURE-----
Daniel Moerner
Jan 18, 2017, 9:55:47 PM1/18/17
to qubes...@googlegroups.com
On 01/18/2017 05:30 PM, Konstantin Ryabitsev wrote:
> The current solutions are:
>
> 1. Use KDE's expose to discern real from fake windows.
> 2. When not using KDE, use Alt-Tab for the same effect.
> 3. Move the window so it crosses the background window UI.
>
> I like #1, but with XFCE becoming the default in 3.2, it's of limited
> value. If there was similar functionality in XFCE, that would be very
> handy to have -- e.g. "press and hold the Win key to quickly hide/roll
> up all unfocused windows, and release the key to restore things exactly
> as they were." That would be perfectly acceptable as well.
>
> I don't like #2, because with a lot of windows open, I lose focus half
> the time and have to find my window again, plus it's visually cumbersome.
>
> I don't like #3 either, because it requires that I move my hands towards
> the mouse, though it's currently the most effective.
You can hack together a script to serve as a sort of poor-man's expose
> The current solutions are:
>
> 1. Use KDE's expose to discern real from fake windows.
> 2. When not using KDE, use Alt-Tab for the same effect.
> 3. Move the window so it crosses the background window UI.
>
> I like #1, but with XFCE becoming the default in 3.2, it's of limited
> value. If there was similar functionality in XFCE, that would be very
> handy to have -- e.g. "press and hold the Win key to quickly hide/roll
> up all unfocused windows, and release the key to restore things exactly
> as they were." That would be perfectly acceptable as well.
>
> I don't like #2, because with a lot of windows open, I lose focus half
> the time and have to find my window again, plus it's visually cumbersome.
>
> I don't like #3 either, because it requires that I move my hands towards
> the mouse, though it's currently the most effective.
for a single window in Xfce, which you could then bind to a convenient
hotkey. It would still be rather "visually cumbersome".
The gist of it would be:
1. "xdotool getactivewindow getwindowgeometry getwindowname". Gets the
position and size of the active window. Save this information.
2. Use wmctrl or xdotool to move the window. (You'd need to include some
handling if the window is maximized.)
3. Sleep n seconds, for humanly small n (.5? 1?)
4. Use wmctrl or xdotool to move the window back to its original location.
Daniel
Ángel
Jan 22, 2017, 6:56:46 PM1/22/17
to qubes...@googlegroups.com
Konstantin Ryabitsev wrote:
> Hi:
>
> Joanna and I had a quick back-and-forth about this article today:
> https://textslashplain.com/2017/01/14/the-line-of-death/
>
That's precisely one of the reasons I disliked Firefox move to
> Hi:
>
> Joanna and I had a quick back-and-forth about this article today:
> https://textslashplain.com/2017/01/14/the-line-of-death/
>
"tabs-on-top" years ago. The design with the tabs between the browser
bars and the content marks clearly (and intuitively) that line of death.
It also fixes "is the chevron a few pixels below where it should?" issue
by having a larger chrome space that can be overlapped.
> Pic-within-a-pic attack was mentioned, and I was wondering if we can do
> more to prevent spear-attacks aimed at Qubes users. I'm willing to bet
> your trusted work terminal looks exactly like this [1] (except my added
> bash powerline bits).
adding more colores to the current 8-level list, but some kind of
dot-and-dashes set of patterns could be added on top of those,
multiplying the available alternatives.
(That would also allow to group VMs by a different dimension, so you can
use different patterns for "work" and "fun", with VMs on different trust
zones for each of those domains)
> Most people won't rename it from [work] to
> something else (partly for ease of copying files between VMs, partly out
> of inertia), so I'm willing to bet most of you would have a blue frame
> with the title "[work] user@work:~".
VM name. So your VM called 'work' could show "[Konstantin Ryabitsev work
on Contoso Konstantin Ryabitsev] user@work:~"
A random session tag (generated once) could be manually added to the VM,
which I suspect would work better than a dynamic one.
Best regards
Reply all
Reply to author
Forward
0 new messages