Message-ID: <68953029@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Artix Linux and Xlibre
Newsgroups: comp.os.linux.misc
References: <1063lgp$jmj$2@reader1.panix.com> <1064ag9$1kvkq$1@dont-email.me> <1064m75$1lvr1$1@dont-email.me> <10667je$35rkf$2@dont-email.me> <106bdkb$2s14s$1@dont-email.me> <106bjgj$2t9mq$5@dont-email.me> <106cld0$33q3n$2@dont-email.me> <wwvzfchsxx8.fsf@LkoBDZeT.terraraq.uk> <106l5kp$133ed$3@dont-email.me> <wwvfre864jx.fsf@LkoBDZeT.terraraq.uk> <106ohbv$1q0ne$1@dont-email.me> <wwvms8fdsa9.fsf@LkoBDZeT.terraraq.uk> <106s6ae$2irb0$6@dont-email.me> <wwv7bziqkz4.fsf@LkoBDZeT.terraraq.uk> <106thun$2tl20$1@dont-email.me> <20250805120229.00002255@gmail.com> <106ulcf$35j8e$3@dont-email.me> <20250806090124.00005af4@gmail.com> <10716ac$3ok85$4@dont-email.me> <20250807141447.000028d3@gmail.com> <wwvwm7e230z.fsf@LkoBDZeT.terraraq.uk>
User-Agent: tin/2.6.5-20250707 ("Helmsdale") (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 8 Aug 2025 09:00:57 +1000
Organization: Ausics - https://newsgroups.ausics.net
Lines: 39
X-Complaints: abuse@ausics.net
Path: csiph.com!news.bbs.nz!news.ausics.net!not-for-mail
Xref: csiph.com comp.os.linux.misc:70583

Richard Kettlewell <invalid@invalid.invalid> wrote:
> John Ames <commodorejohn@gmail.com> writes:
>> *However,* that does not make Wayland's rationale for hampering window-
>> management functionality not patent nonsense. Providing applications
>> with basic information about screen layout and allowing them to size
>> and position windows automatically does *not* implicitly require
>> allowing them to scrape the contents of *other* applications' windows,
>> snoop global keyboard input, or anything of that nature.
> 
> I think there is a legitimate risk here. If a bit of malware that looks
> like your bank's website (as it would appear in a browser) manages to
> position itself directly over the window that really has your bank's
> website at the point you're expecting to enter your credentials, you're
> going to take a loss.
> 
> That doesn't require intercepting global input (just input focus), or
> scraping another window (what your bank's website looks like is public
> knowledge).
> 
> It does require some knowledge about window positions; control of its
> own window position; and knowing what bank you're accessing and when
> you're doing it (not trivial but I can think of a couple of approaches
> that might be fruitful).

On most systems an easier approach would be for the malware to edit
the user's bank log-in bookmark to point to their fake log-in site.
Unless the malware is running in a container with extra file access
restrictions.

Running every program in a container for the sake of security
is too painful a sacrifice for me (I make the sacrifice of not
using online banking instead). A graphical desktop that forces
me to make similar sacrifices is therefore an obvious turn-off. But
it's fine for that to exist for those who care, so long as X11
remains an option for us users who don't.

-- 
__          __
#_ < |\| |< _#