Feature request: Show clipboard size when hitting the magic hotkey Ctrl-Shift-C.
40 views
Skip to first unread message
tokidev
May 18, 2017, 12:49:30 AM5/18/17
to qubes-devel
Hello everyone,
like the subject already says, I'd like to request for a feature which
shows the exact clipboard size when hitting the magic hotkey Ctrl-Shift-C.
Due to lack of hardware, I didn't test if this is already the case, but
I couldn't find any suggesting.
AFAIK, after hitting the mentioned hotkey there appears a dom0 message
box confirming that hit. This seems to be the ideal place where to
inform the user about the current clipboard size.
The aim is to enable the user to estimate if the clipboard seems to be
reasonable without parsing it. As Joanna mentioned here [1], parsing is
potentially dangerous. So, this feature here could be a practicable
middle course.
I know that this should not let the user feel safe. Even with this
feature, it's still potentially dangerous to copy from a less trusted VM
to a more trusted one. However, this feature could prevent some
malicious attacks in an easy way, independent from the trust to a VM.
Let's say, a malware tries to put harmful code into the clipboard a
hundred times per second, thus, it'll override the users clipboard
content before pasting it and also before hitting Ctrl-Shift-C. Okay, I
have to admit that an even smarter malware might keep the size of the
big enough clipboard when putting its payload to it.
Of course, the user should be "trained" in guessing the necessary
clipboard size before using that feature. A new "Estimating Clipboard
Size" documentation section or page, showing examples for ASCII plain
text, UTF-8 plain text, HTML text, images etc., could help.
Besides that, it could be useful to show the size again after hitting
the magic hotkey Ctrl-Shift-V.
What do you think about it?
Kind regards,
Tobias
[1] https://groups.google.com/d/msg/qubes-devel/JJN9GZMmp5s/AW7gzjK1tEgJ
like the subject already says, I'd like to request for a feature which
shows the exact clipboard size when hitting the magic hotkey Ctrl-Shift-C.
Due to lack of hardware, I didn't test if this is already the case, but
I couldn't find any suggesting.
AFAIK, after hitting the mentioned hotkey there appears a dom0 message
box confirming that hit. This seems to be the ideal place where to
inform the user about the current clipboard size.
The aim is to enable the user to estimate if the clipboard seems to be
reasonable without parsing it. As Joanna mentioned here [1], parsing is
potentially dangerous. So, this feature here could be a practicable
middle course.
I know that this should not let the user feel safe. Even with this
feature, it's still potentially dangerous to copy from a less trusted VM
to a more trusted one. However, this feature could prevent some
malicious attacks in an easy way, independent from the trust to a VM.
Let's say, a malware tries to put harmful code into the clipboard a
hundred times per second, thus, it'll override the users clipboard
content before pasting it and also before hitting Ctrl-Shift-C. Okay, I
have to admit that an even smarter malware might keep the size of the
big enough clipboard when putting its payload to it.
Of course, the user should be "trained" in guessing the necessary
clipboard size before using that feature. A new "Estimating Clipboard
Size" documentation section or page, showing examples for ASCII plain
text, UTF-8 plain text, HTML text, images etc., could help.
Besides that, it could be useful to show the size again after hitting
the magic hotkey Ctrl-Shift-V.
What do you think about it?
Kind regards,
Tobias
[1] https://groups.google.com/d/msg/qubes-devel/JJN9GZMmp5s/AW7gzjK1tEgJ
Andrew David Wong
May 20, 2017, 7:54:20 PM5/20/17
to tokidev, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Interesting idea. If I understand correctly, it would working something
like this:
I copy one sentence, and the dom0 notification says something like,
"Copied X bytes to the clipboard."
But if, instead, I copy one sentence, and the notification says, "Copied
X *kilobytes* to the clipboard," then this tips me off that the VM from
which I copied has replaced my single sentence with a large, potentially
malicious payload.
Is that the idea?
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJZINccAAoJENtN07w5UDAwevAQAK61jRyny4RHIcaKgBdwmQ3b
PUH9v+sri1E67WmN9JmKrYCzWTkxmPcX3FME8GOSNH472C9cG5Q8tqaLJivQf8nv
vPy/8HK51mmFW3oeJeu6sBDPKBIyjB+XmE4UZmZc8jtouc7vRHP7NWLQacA9PC8C
9Ew9xdlrWinPkqY89k2fKTr55Vft4v717Owi3eBdmgVAdtWpSYrhCZ2OWu1Ly3zN
A943rRTkhh70f7sRbY7/X1kzsHEZdhaIG+/KWVc1FDrIvdg8IRMuXNoK8bXTEfzi
BO6sG5fDcasLzCAhpWD+q1UOIvxWOKLImUn4jvxdB5T1IpkAqRiYblzQzUlnPb2L
zWzlvzfwdYtLc7/JAl6vYzBkqMu4l37yFHk/r9Bhl+QLwGG2MxXxbbMws4tRFqB/
2w39jHVfDfo8MMPWzEcM8wJ5tZ61v6kOQymnEkr7kHcrzAT+AkpGwvRMMtZgZayB
CgcL56eCIdeEZtC26phCE8fW/syUxzJE9PNlFejYUnGGbx/+Cy12Qjxmmzs5US/A
cCsD7K4DzpOQD0cPGF20hgL0cO7/8Zt5RD2mO2T2bdM5iXOYv4RP23I03TIAKQIM
AEIIpbcy0EKBDdUB5FbGAn4/hi3fBgSXfL5nH58s0rBAzeF45GZBsO8Z4UiWeKqD
4yRcMxj/fHG9GLT508Zc
=+qOS
-----END PGP SIGNATURE-----
Hash: SHA512
like this:
I copy one sentence, and the dom0 notification says something like,
"Copied X bytes to the clipboard."
But if, instead, I copy one sentence, and the notification says, "Copied
X *kilobytes* to the clipboard," then this tips me off that the VM from
which I copied has replaced my single sentence with a large, potentially
malicious payload.
Is that the idea?
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJZINccAAoJENtN07w5UDAwevAQAK61jRyny4RHIcaKgBdwmQ3b
PUH9v+sri1E67WmN9JmKrYCzWTkxmPcX3FME8GOSNH472C9cG5Q8tqaLJivQf8nv
vPy/8HK51mmFW3oeJeu6sBDPKBIyjB+XmE4UZmZc8jtouc7vRHP7NWLQacA9PC8C
9Ew9xdlrWinPkqY89k2fKTr55Vft4v717Owi3eBdmgVAdtWpSYrhCZ2OWu1Ly3zN
A943rRTkhh70f7sRbY7/X1kzsHEZdhaIG+/KWVc1FDrIvdg8IRMuXNoK8bXTEfzi
BO6sG5fDcasLzCAhpWD+q1UOIvxWOKLImUn4jvxdB5T1IpkAqRiYblzQzUlnPb2L
zWzlvzfwdYtLc7/JAl6vYzBkqMu4l37yFHk/r9Bhl+QLwGG2MxXxbbMws4tRFqB/
2w39jHVfDfo8MMPWzEcM8wJ5tZ61v6kOQymnEkr7kHcrzAT+AkpGwvRMMtZgZayB
CgcL56eCIdeEZtC26phCE8fW/syUxzJE9PNlFejYUnGGbx/+Cy12Qjxmmzs5US/A
cCsD7K4DzpOQD0cPGF20hgL0cO7/8Zt5RD2mO2T2bdM5iXOYv4RP23I03TIAKQIM
AEIIpbcy0EKBDdUB5FbGAn4/hi3fBgSXfL5nH58s0rBAzeF45GZBsO8Z4UiWeKqD
4yRcMxj/fHG9GLT508Zc
=+qOS
-----END PGP SIGNATURE-----
tokidev
May 21, 2017, 4:45:39 AM5/21/17
to Andrew David Wong, qubes-devel
It could also work the other way around: Let's say, in the GIMP you copy
a large bitmap image but afterwards the clipboard is just a few hundred
bytes big.
I prefer to show the exact number of bytes, besides an optional
representation with a unit prefix when numbers become very big, e.g.,
"Copied 2,560 bytes (2,5 kiB) to the clipboard." but "Copied 128 bytes
to the clipboard."
Of course, the bigger the expected clipboard size the more difficult to
estimate that size. Thus, for providing the user a measure, the message
could also say something like "This could be a big sentence in plaintext
or a few file names." or "This could be e.g. a bitmap image of size
1024x1024 or an MP3 file of around 2 minutes."
A nicer approach: Assuming that it's safe to extract the type(s) of the
clipboard content(s) then those estimates could be in relation to that
type(s), e.g.:
"Copied 2,560 bytes (2,5 kiB) to the clipboard.
Content type: Uncompressed bitmap image.
Estimated dimensions:
- 29x29 pixels at 24-bit color resolution.
- 50x50 pixels at 8-bit color resolution.
- 143x143 pixels at 1-bit color resolution."
Tobias
Andrew David Wong
May 21, 2017, 2:45:50 PM5/21/17
to tokidev, qubes-devel, Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
users. Would most users understand it? Would they even read it? If we
make the messages even longer by adding the "examples," it seems even
less likely they would read it. Trying to report the content type
might require too much parsing.
What do you think, Marek?
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
7yeWMkG1/UG/H8dFro5L1xn6l8MniokR6dl34Pabpj6q8XIU9oYDQHrmFV2Cop71
oVqrmO4EnbNm8M8AZ1hJ49f2EuVGQI+cQqhulB9ja8tCHtEupiRCsJyuvSroiw3s
SSWOEvdrFoKyBRhA/3jSfqXzzLS0hlGTNr8gTNwa7q5cpMFepGr0zqQFhpDVYW+L
HxcRQaexMoSo6qieXR2S9GGJh0O/VDzHgluOlkO8eEn5gdxlWqYSE2o6uw9Gr6+G
vgzFm9AZ+iDlwhh/vxXnjPc+WN91tVX41r2NEwnjuS1lRLdy/nuSXA2T9mowu1oQ
sDH23F4jfScjEanoiNsrg3niT5YFpem7MYkcFMv21//GwlP7d+ULAVZzWz/2NNCB
7xqzSyHAOZLuf5xzGx40tFWzwZdrm6bzqsSwNobM4GFScLkF0HUYlOKZr0hkuH0e
/B/frU7ghFL9wn4ypkn63JmCefANkpp4P6levES3peWWrksQwPgoketaBJBmsh0V
aszmuMFytY79+2JewIiHTboPuthM5rGb5mk/bbxZoFKgLV2yjE7JBTcp4AeR09l/
C7Ks7q2z9sbMwZq1+eq9hXrx8A7cHajEYJFKUB5cZF+D1G8E0CgzOFVMsUbI91Yk
stBnCzs3cVL+qHfc+DIP
=lMFA
-----END PGP SIGNATURE-----
blacklight
May 21, 2017, 2:54:06 PM5/21/17
to qubes-devel
You could make it a optional feature, that you could enable via a gui or via command linr in dom0.
Marek Marczykowski-Górecki
May 21, 2017, 5:23:32 PM5/21/17
to Andrew David Wong, tokidev, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Guessing content type here IMO is a bad idea - it would require parsing
arbitrary complex file format in dom0 (*), so would be a huge attack
surface. But just clipboard size is perfectly possible. I don't think it
would be meaningful security feature (if you expect 2.5 kiB data, it can
be still 2.5 kiB data, but completely different), but could be useful
for spotting user errors (missing Ctrl-C before Ctrl-Shift-C or so).
(*) well, you could imagine using DispVM for that, but starting new
DispVM just for showing a bit more verbose message looks like an
overkill.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJZIgVOAAoJENuP0xzK19csh4kIAIuc/fBz2Eo+pUyP+Xvnx0dI
VPGQl7ha8yYaqhWx1U1Aq6Hc8nlyDWLQuAskey+0br7ClVszT55NgLz4RbpmIdR/
H7CfsrqgNVWGErfsXh3rL/9P2zCtxEtjDp2jcLjPNfq+L36iia/Cb2y4Muz4X+Xq
R3YSoxATTMOXFKPdW6druNxI+t+8I5h/i7pJ/MNK2lGxSqwSlJMaTjVGyfm8cZ3a
MkKoqxZiXm2XisS5bv8vv83Rj6toZdlmeewibkBRwnVjN1+Ms0iB4oskajaOQkYN
YfJgj/tRqEzY/CJS0CI3HqtH7YGUoHEu0stUdF3rcIEo6kQgucjLjra6jSiR4zU=
=AYFq
-----END PGP SIGNATURE-----
Hash: SHA256
arbitrary complex file format in dom0 (*), so would be a huge attack
surface. But just clipboard size is perfectly possible. I don't think it
would be meaningful security feature (if you expect 2.5 kiB data, it can
be still 2.5 kiB data, but completely different), but could be useful
for spotting user errors (missing Ctrl-C before Ctrl-Shift-C or so).
(*) well, you could imagine using DispVM for that, but starting new
DispVM just for showing a bit more verbose message looks like an
overkill.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJZIgVOAAoJENuP0xzK19csh4kIAIuc/fBz2Eo+pUyP+Xvnx0dI
VPGQl7ha8yYaqhWx1U1Aq6Hc8nlyDWLQuAskey+0br7ClVszT55NgLz4RbpmIdR/
H7CfsrqgNVWGErfsXh3rL/9P2zCtxEtjDp2jcLjPNfq+L36iia/Cb2y4Muz4X+Xq
R3YSoxATTMOXFKPdW6druNxI+t+8I5h/i7pJ/MNK2lGxSqwSlJMaTjVGyfm8cZ3a
MkKoqxZiXm2XisS5bv8vv83Rj6toZdlmeewibkBRwnVjN1+Ms0iB4oskajaOQkYN
YfJgj/tRqEzY/CJS0CI3HqtH7YGUoHEu0stUdF3rcIEo6kQgucjLjra6jSiR4zU=
=AYFq
-----END PGP SIGNATURE-----
Andrew David Wong
May 21, 2017, 5:29:27 PM5/21/17
to Marek Marczykowski-Górecki, tokidev, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2017-05-21 16:23, Marek Marczykowski-Górecki wrote:
> On Sun, May 21, 2017 at 01:45:42PM -0500, Andrew David Wong wrote:
[...]
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJZIgaiAAoJENtN07w5UDAw4cAP/i9+YlMN+F7ubzBPPf+cv4CG
0LGev8baUpISCbgYIbma+WVH6VleovEVRutEteJAy8oADYKr9rYFSNE+uWPK+huM
38KyC94WedLodTcLwubNgLGMS894lwVav/bWD5lsVHVB4Rx6FrnLz0pCjbyX2iDs
MuqxXXMyR2C9ts7gYqWDWrtbHsxofKrRv+WbJaQSkSezDRyLu77Kj2OXrIRZijYU
leMRDLjBzc3qeyPfZuWvHamTKEQQVuUym8+yMqRN16MQQz/xPmdb2HoLlz7jXaZJ
rK/f6RM/t3E26pbMdX34Aww3GuPCaiTSun6adPH+Ai95MzBVLeTXp3Jc3RTyWOxJ
t2tadjX6VuVGNswAdiUmCH9a6kLJlzmnJ0Ujd3HhnP0cORaEjlUi8ik+Zgq+tc1N
ytWpSgm8HDvA6Fby8AIn8jlWxVlS+mKBSmnwK3iesW7xEYDNen3UMijsIawkN4ya
JWgOlZubXe61BNlv9fbeQmsm9aGrNQfQpyeKzXAR5OQ9vxCnIp1VIgC02Y+lTX75
lF+Iq3vdM71X2JxlQ9VHCm3jClSQ2NbkJUN7shMpoRVD8sE0s76/vqliHe6zgGTE
NX8Cp5QIlS/q7ofaU941CdX+djNMsUoMSwzI5cx90vo0bNrYkesWwdqsrMdvUMW7
oasPVKrP0XBsiAOJMRUh
=whFb
-----END PGP SIGNATURE-----
Hash: SHA512
On 2017-05-21 16:23, Marek Marczykowski-Górecki wrote:
> On Sun, May 21, 2017 at 01:45:42PM -0500, Andrew David Wong wrote:
>> It's an interesting idea. I don't know how useful it would be to most
>> users. Would most users understand it? Would they even read it? If we
>> make the messages even longer by adding the "examples," it seems even
>> less likely they would read it. Trying to report the content type
>> might require too much parsing.
>
>> What do you think, Marek?
>
> Guessing content type here IMO is a bad idea - it would require parsing
> arbitrary complex file format in dom0 (*), so would be a huge attack
> surface. But just clipboard size is perfectly possible. I don't think it
> would be meaningful security feature (if you expect 2.5 kiB data, it can
> be still 2.5 kiB data, but completely different), but could be useful
> for spotting user errors (missing Ctrl-C before Ctrl-Shift-C or so).
>
> (*) well, you could imagine using DispVM for that, but starting new
> DispVM just for showing a bit more verbose message looks like an
> overkill.
>
Issue created: https://github.com/QubesOS/qubes-issues/issues/2825
>> users. Would most users understand it? Would they even read it? If we
>> make the messages even longer by adding the "examples," it seems even
>> less likely they would read it. Trying to report the content type
>> might require too much parsing.
>
>> What do you think, Marek?
>
> Guessing content type here IMO is a bad idea - it would require parsing
> arbitrary complex file format in dom0 (*), so would be a huge attack
> surface. But just clipboard size is perfectly possible. I don't think it
> would be meaningful security feature (if you expect 2.5 kiB data, it can
> be still 2.5 kiB data, but completely different), but could be useful
> for spotting user errors (missing Ctrl-C before Ctrl-Shift-C or so).
>
> (*) well, you could imagine using DispVM for that, but starting new
> DispVM just for showing a bit more verbose message looks like an
> overkill.
>
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
0LGev8baUpISCbgYIbma+WVH6VleovEVRutEteJAy8oADYKr9rYFSNE+uWPK+huM
38KyC94WedLodTcLwubNgLGMS894lwVav/bWD5lsVHVB4Rx6FrnLz0pCjbyX2iDs
MuqxXXMyR2C9ts7gYqWDWrtbHsxofKrRv+WbJaQSkSezDRyLu77Kj2OXrIRZijYU
leMRDLjBzc3qeyPfZuWvHamTKEQQVuUym8+yMqRN16MQQz/xPmdb2HoLlz7jXaZJ
rK/f6RM/t3E26pbMdX34Aww3GuPCaiTSun6adPH+Ai95MzBVLeTXp3Jc3RTyWOxJ
t2tadjX6VuVGNswAdiUmCH9a6kLJlzmnJ0Ujd3HhnP0cORaEjlUi8ik+Zgq+tc1N
ytWpSgm8HDvA6Fby8AIn8jlWxVlS+mKBSmnwK3iesW7xEYDNen3UMijsIawkN4ya
JWgOlZubXe61BNlv9fbeQmsm9aGrNQfQpyeKzXAR5OQ9vxCnIp1VIgC02Y+lTX75
lF+Iq3vdM71X2JxlQ9VHCm3jClSQ2NbkJUN7shMpoRVD8sE0s76/vqliHe6zgGTE
NX8Cp5QIlS/q7ofaU941CdX+djNMsUoMSwzI5cx90vo0bNrYkesWwdqsrMdvUMW7
oasPVKrP0XBsiAOJMRUh
=whFb
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages