undefined | Better HN

0 pointssontek5y ago0 comments

JWZ has been complaining about these screensavers for a decade. His screensaver from 20 years ago still doesn't have these issues.

Its not an X11 problem.

- https://bit.ly/3o2qekz

- https://bit.ly/38Y6pGO

(using bit.ly because he gives a testicle if referrer is HN :P)

0 comments

shawnz5y ago

In fact jwz himself says in that very post that it is a fundamental problem with X11:

> X11 ... was designed with no security to speak of, and so lockers have to run as normal, unprivileged, user-level applications. ... This mistake of the X11 architecture can never, ever be fixed.

He also claims in the second post that Xscreensaver is actually vulnerable to exactly the same kind of attack:

> The xscreensaver daemon is a critical piece of security software. The reason for this is that, as a screen locker, any bug in the program that causes it to crash will cause the screen to unlock. As soon as xscreensaver is no longer running, the screen is no longer locked. Therefore, great care must be taken to ensure that the daemon never crash.

metafunctor5y ago

I don't understand the part about JWZ's testicles, so here are the links without bit.ly tracking for those whose ad blockers don't allow them:

- https://www.jwz.org/blog/2021/01/i-told-you-so-2021-edition/

- https://www.jwz.org/xscreensaver/toolkits.html

[Edit]: I understand now. My browser doesn't send referrer URLs, and I think that's the real fix instead of using something like bit.ly!

gambiting5y ago

You still get the testicles if you click this link, at least using Chrome you do. It's because the referrer field is set to HN so they know where the traffic is coming from.

FriedrichN5y ago

In Firefox set network.http.referer.XOriginPolicy and network.http.referer.XOriginTrimmingPolicy.

Source: https://wiki.mozilla.org/Security/Referrer

wernercd5y ago

I'm using Chrome with uMatrix and uBlock Origin... I assume one of those blocks the data because, somehow strangely, I feel left out that all I'm getting is the websites.

I wonder why someone would setup a "bad result" for specific referrers ...

lscotte5y ago

All good with Brave as far as I can tell. I don't know what everyone is talking about with testicles, but I don't see any with Brave.

drdec5y ago

In Firefox, right-click and open in a new private window and the links will work.

Just tested in Chrome and it works there as well.

tehwebguy5y ago

In mobile Safari tap and hold, then tap the preview or the open button

ascar5y ago

Time to switch to Firefox and give Google less data. Firefox doesn't seem to send the referrer :)

2 more replies

asddubs5y ago

just tried it in chrome, i got only one testicle

ohiovr5y ago

Does anyone know how to make this right? Would simply removing the mate-screen-saver package work?

sontekOP5y ago

haha, yeah. I don't like using URL shorteners either there is just a balance to be made between them tracking you and getting redirected to testicles.

Can't count on everyone having referrer turned off

nic_wilson5y ago

To others, you'll definitely still want to copy paste that URL into a new tab rather than clicking directly. :~)

erhan245y ago

Xscreensaver has crashed twice in my life and opened the desktop. That's still a good statistic but it may have crashed because of the animation.

throwanem5y ago

Savers can crash without the screen unlocking. Are you sure it was xscreensaver you were running, and not one of the innumerable incompetent knockoffs?

Liskni_si5y ago

I've also seen some xscreensaver crashes a while ago: https://news.ycombinator.com/item?id=21224179

sontekOP5y ago

Sounds like you were probably using gnome-screensaver or some of the many other poorly written alternatives like cinnamon that do this. I don't believe there is any way for xscreensaver to unlock the desktop even if it does crash

cbsks5y ago

Incorrect. It’s a limitation of X11 that if the screensaver daemon crashes, including xscreensaver, the desktop will be unlocked. See the JWZ links that are posted in this thread.

omoikane5y ago

xscreensaver has had some issues, for example: https://security-tracker.debian.org/tracker/CVE-2015-8025

Which can be found via this thread: https://news.ycombinator.com/item?id=11412081 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819703#400

j / k navigate · click thread line to collapse

0 comments

shawnz5y ago

In fact jwz himself says in that very post that it is a fundamental problem with X11:

> X11 ... was designed with no security to speak of, and so lockers have to run as normal, unprivileged, user-level applications. ... This mistake of the X11 architecture can never, ever be fixed.

He also claims in the second post that Xscreensaver is actually vulnerable to exactly the same kind of attack:

metafunctor5y ago

I don't understand the part about JWZ's testicles, so here are the links without bit.ly tracking for those whose ad blockers don't allow them:

- https://www.jwz.org/blog/2021/01/i-told-you-so-2021-edition/

- https://www.jwz.org/xscreensaver/toolkits.html

[Edit]: I understand now. My browser doesn't send referrer URLs, and I think that's the real fix instead of using something like bit.ly!

gambiting5y ago

You still get the testicles if you click this link, at least using Chrome you do. It's because the referrer field is set to HN so they know where the traffic is coming from.

FriedrichN5y ago

In Firefox set network.http.referer.XOriginPolicy and network.http.referer.XOriginTrimmingPolicy.

Source: https://wiki.mozilla.org/Security/Referrer

wernercd5y ago

I'm using Chrome with uMatrix and uBlock Origin... I assume one of those blocks the data because, somehow strangely, I feel left out that all I'm getting is the websites.

I wonder why someone would setup a "bad result" for specific referrers ...

lscotte5y ago

All good with Brave as far as I can tell. I don't know what everyone is talking about with testicles, but I don't see any with Brave.

drdec5y ago

In Firefox, right-click and open in a new private window and the links will work.

Just tested in Chrome and it works there as well.

tehwebguy5y ago

In mobile Safari tap and hold, then tap the preview or the open button

ascar5y ago

Time to switch to Firefox and give Google less data. Firefox doesn't seem to send the referrer :)

2 more replies

asddubs5y ago

just tried it in chrome, i got only one testicle

ohiovr5y ago

Does anyone know how to make this right? Would simply removing the mate-screen-saver package work?

sontekOP5y ago

haha, yeah. I don't like using URL shorteners either there is just a balance to be made between them tracking you and getting redirected to testicles.

Can't count on everyone having referrer turned off

nic_wilson5y ago

To others, you'll definitely still want to copy paste that URL into a new tab rather than clicking directly. :~)

erhan245y ago

Xscreensaver has crashed twice in my life and opened the desktop. That's still a good statistic but it may have crashed because of the animation.

throwanem5y ago

Savers can crash without the screen unlocking. Are you sure it was xscreensaver you were running, and not one of the innumerable incompetent knockoffs?

Liskni_si5y ago

I've also seen some xscreensaver crashes a while ago: https://news.ycombinator.com/item?id=21224179

sontekOP5y ago

cbsks5y ago

Incorrect. It’s a limitation of X11 that if the screensaver daemon crashes, including xscreensaver, the desktop will be unlocked. See the JWZ links that are posted in this thread.

omoikane5y ago

xscreensaver has had some issues, for example: https://security-tracker.debian.org/tracker/CVE-2015-8025

Which can be found via this thread: https://news.ycombinator.com/item?id=11412081 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819703#400

j / k navigate · click thread line to collapse