Hello everybody. So I was instructed to speed this up as much as I can, because we are kind of late on the schedule, so I'm going to skip everything. So, the privacy goal: it's going really well. It's going very well. It's never going to end, because privacy is really hard.

My current badge says that this is my first Akademy, which is really, really cool, especially since I've been a part of the KDE community for more than 10 years. So it's really nice to be here for the first time with all you people. Yeah, it's a privacy feature: nobody knows that I've already been here.

So I'm wearing two hats. I work on KDE stuff, and I work at one of the KDE-friendly companies. The reason why I'm giving this talk is that I'm currently the privacy goalkeeper, whatever that means. I invented the title. It sounds really cool, right?

So the only takeaway that I want you to remember when you go out of this room is that security and privacy are difficult. This talk is going to be less about the goal itself; I'm going to cover several things, but the main thing that I want to stress is that security and privacy are very difficult. Now, this slide doesn't convey the importance and the difficulty of privacy, so let's say extremely difficult.

So, do you all remember these three sentences? The privacy goal started with the idea that in five years KDE software enables and promotes privacy. Now, I'm not really a marketing guy, so I hate sentences like these, for several reasons: they communicate that KDE didn't care about privacy before, and that after these five years we are going to be all of a sudden private, which is obviously not true. So an alternative is to say: well, we want our free software to give us the fifth freedom, the freedom to control our data, who we send the data to, etc.

But what risks do we have as people when our data is compromised?
Obviously the most popular one in the movies is identity theft, which is always cool, at least to watch other people in that problem; obviously you wouldn't want something like that to happen to you. Obviously fraud. Then government fingerprinting: they can follow your behavior and recognize you just by seeing metadata about your behavior, etc. And obviously blackmail, again really cool for movies.

So the next thing that is really cool in movies, but not in real life, is on the professional side. So you have corporate espionage, which sounds really nice, and intellectual property theft because of the espionage, etc. So the idea of KDE should not only be to protect people's privacy, but also to do something even for corporate environments.

So as far as the data that can be used is concerned, we have metadata, small data and big data. Big data not in the sense of the buzzword big data, obviously. So what is metadata? Metadata is, let's say, not your name, not your surname, but for example the call logs from your phone. So even if somebody doesn't know who is the person that you have been calling, or who is calling, they can track the behavior, and then they can recognize you on the metadata itself. Then you have small data, like your name, your surname, that you like kayaking and stuff, so that they can show you advertisements and stuff. And obviously the big data: passwords for your bank account and anything else. And all of these levels need to be protected somehow.

The main problem in the modern world, obviously, I don't want to sound like an anti-social person saying that we should all become hermits somewhere in the mountains or something like that, but the problem is that today the social aspect of everything is crucial. Gamification of everything forces you to always be online and to share everything that you can online. I had a friend that forgot to turn off...
I think it was a Twitter feature, that Twitter automatically publishes where she was. Just imagine how easy it would be for some really problematic person to just track the girl. So please don't use services like that; if you use services like that, at least make sure that you are not leaking the data unconsciously.

So as I said, the problem with the five-year goal is that it implies that we haven't had the same goal even before it was publicly announced. So we had KRunner. One of the features that people often wanted KRunner to have is like Ubuntu: I want to just start typing and it searches the internet. And as soon as somebody proposed that, all the Plasma team was: nope. If you want to search something online, then you need to make an action before that which says "okay, I want to search online". You don't want anything that you type in your KRunner to be sent to Amazon, Google, etc. And obviously users hated us for it.

The same thing happened to KMail a few times in its history, the most recent one being the HTML bar on the left-hand side. In essence, KMail was always privacy focused, and users sometimes hated it because of it. And obviously Kopete, KTP and Konversation, the same story. Unfortunately, most of those are not maintained today, but we can skip that.

Then we have the new, let's say, things in KDE that respect privacy and improve privacy. KItinerary, I hope I spelled it correctly, which is something that Volker is going to talk about, I think tomorrow. Plasma Vault, which nobody's going to talk about, because I'm going to skip that. Plasma Vault is, let's say, a secure way to keep your data in encrypted containers. Then we have Plasma Mobile, with the idea that, because of all the globalization etc., currently the applications on your phones leak a lot of data to everybody, and Plasma Mobile in some perfect world would be an alternative OS that you could use instead of Android or iOS, which would be private by
default. Obviously projects like KDE telemetry, which will be a privacy-respecting telemetry collection framework. A couple of other things that are being worked on: integration of KDE applications with Tor, so instead of just using normal HTTP connections, or even HTTPS, we could channel all the connections through Tor for greater anonymization. And one of the best things about KDE is that we offer a lot of applications that people can use instead of the, let's say, online counterparts, which are not private by default. So for example, one of the greatest applications in KDE was always digiKam. You don't need whatever alternatives exist; you just need digiKam. And we had Amarok; we had a lot of media players, instead of going to YouTube and watching music videos.

So this was quite quickly going through several privacy-related things. Now, since most of the people in the audience, I assume, are developers, raise your hands. Okay, I assumed correctly. A couple of really, really small and stupid things that nobody is concerned about, and we should all be. So as I said, users often hate us because we value privacy. That doesn't mean that we should stop valuing privacy. Just ignore the users.

So I want to demonstrate a couple of security problems that existed in all KDE applications until a few months ago, and in 99% of applications in the whole world. Really stupid things. So QString is a class that obviously stores strings, and it's the backend for the password entry widget. So whenever you type a password in any Qt application, anywhere, it's going to be internally stored as a QString. That's fine, right? While you are typing, it just changes the string; that's also fine. The problem is how the string behaves. So when you destruct a string, what happens to the previous contents?
Absolutely nothing, until something else takes the same memory and overwrites it. You still have your password in memory. So even if you destroy all the widgets, all the windows that you used to enter passwords, it's still in memory. The second thing: when you type a long, long password, what happens? The string reallocates, copies the old data into a new buffer, so you have the previous value again in memory, and you have the new value in a separate part of the memory. Obviously, if you use swap, as soon as some of those end up in swap, you even wrote the password to the hard drive. Do you think that that's a safe thing to do?

So the first thing that you need to do is: if you are destructing a QString that was used for passwords, you need to zero out the memory before you call free or delete. And the second thing that you should try somehow to do is, when you resize a string, just pre-allocate enough memory to hold any user's password in advance. So the current version of Qt zeros out the string data on the destruction of line edits, if line edits are used as passwords, and it pre-allocates, I think, 64 characters for the buffer in order to avoid the intermediary copies and resizing of the string. Obviously, that's not a complete fix, because memory swapping is still a danger, etc. So my advice for everybody here is: think about these things. Don't use swap; if you use swap, then at least have an encrypted swap.

So we are running on a huge stack. We have the CPU, we have the operating system, we have our own program, and usually, at least in KDE,
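The two QString fixes described above, scrubbing the memory before it is freed and reserving space so a growing password never leaves a stale copy behind, as an added example that is not from the talk and not Qt's own code: a hypothetical `SecretBuffer` class in plain C++, using the volatile-pointer wipe idiom, with the 64-byte reserve chosen to match the figure the talk mentions.

```cpp
// Added example (not from the talk, not Qt code): a scrub-on-free password buffer.
#include <cstddef>
#include <cstring>
#include <memory>

// Zero memory through a volatile pointer so the compiler cannot drop the stores
// as dead; platforms also offer explicit_bzero / SecureZeroMemory for this.
inline void secure_wipe(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) *vp++ = 0;
}

// True when every byte of [p, p+n) is zero; used to verify that a wipe happened.
inline bool region_is_zero(const void* p, std::size_t n) {
    const unsigned char* b = static_cast<const unsigned char*>(p);
    for (std::size_t i = 0; i < n; ++i) if (b[i] != 0) return false;
    return true;
}

class SecretBuffer {  // hypothetical class, not part of Qt
public:
    // Reserve 64 bytes (the figure the talk gives for Qt's fix) so a normal-length
    // password never triggers a reallocating copy. new char[n]() zero-fills.
    explicit SecretBuffer(std::size_t reserve = 64)
        : cap_(reserve), len_(0), data_(new char[reserve]()) {}
    ~SecretBuffer() { secure_wipe(data_.get(), cap_); }   // scrub before free
    SecretBuffer(const SecretBuffer&) = delete;            // no stray copies
    SecretBuffer& operator=(const SecretBuffer&) = delete;
    void push_back(char c) { if (len_ == cap_) grow(cap_ ? cap_ * 2 : 64); data_[len_++] = c; }
    void pop_back() { if (len_) data_[--len_] = 0; }       // backspace scrubs too
    void clear() { secure_wipe(data_.get(), cap_); len_ = 0; }
    std::size_t size() const { return len_; }
    std::size_t capacity() const { return cap_; }
    const char* data() const { return data_.get(); }
    // Compare in place instead of handing out a std::string copy of the secret.
    bool equals(const char* s) const {
        return std::strlen(s) == len_ && std::memcmp(s, data_.get(), len_) == 0;
    }
private:
    void grow(std::size_t newcap) {
        std::unique_ptr<char[]> fresh(new char[newcap]());
        std::memcpy(fresh.get(), data_.get(), len_);
        secure_wipe(data_.get(), cap_);   // old copy is scrubbed, not merely freed
        data_ = std::move(fresh);
        cap_ = newcap;
    }
    std::size_t cap_, len_;
    std::unique_ptr<char[]> data_;
};
inline void push_all(SecretBuffer& b, const char* s) { while (*s) b.push_back(*s++); }
```

Swapped-out pages are still outside this class's control, which is why the talk's advice about encrypted swap stands.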
we love programs that have plugins, so we are running even plugins. CPUs have bugs, as we have seen with Meltdown, Spectre and everything that happened to mostly Intel processors recently. The operating systems have bugs, security issues. Obviously our programs have bugs, and plugins can have even more bugs, and plugins can even be malicious. Obviously, if we create our programs to run C++ plugins, then we are to blame: a C++ plugin can do anything that it likes. So if you're writing plugin-based software and you choose C++, then you need to ensure that only verified plugins can be run.

If you are using something like, let's say, virtual machine plugins like QML, etc., we should be safe, right? Because it's a VM, QML plugins should not be able to do anything bad. Do we all agree on that? Of course not. If you provide just a limited set of APIs and you ensure that only those things can be executed, then we should be fine, right? Nope. Because Qt provides APIs that somebody from QML can use and abuse to steal your data. And I'm going to demonstrate something; let's hope it works.

So this is a password prompt. Should I zoom in? So we have a password prompt, and if I say "click me" and start typing, we are leaking the password into the text field, which is fine. It's the same applet. It's obvious that this applet can read its own data. That's fine, right? What's not fine is this. Let's try to connect here. Nope. I need something that will ask me for the password. Hmm, nope. This one. Okay, so we have a password entry, and if I say "click me", let's type in "this is a password". And did I break the code? So we have a separate applet.
That just printed out the password from another applet, because, as all the UI widget toolkits do, you have a huge tree, and from any node in the tree you can just traverse the whole graph and steal the data from everything else. This applies to Qt, QML, QWidgets, HTML, GTK, any other widget-based library, and nobody really thinks about these things. So even if you create an API set, sometimes the underlying toolkit allows you to do much more than what you think it allows.

The question is how to fix something like this. Obviously, we can't really tell the Qt people: okay, from QML you should never be able to access a parent and children, etc. How should we fix this? Ideas welcome. So when you use plugins: don't. If you need to use plugins, again, don't. And if you really, really need to have a plugin-based system, at least add some kind of verification, where you just install plugins that are verified by developers that you trust. Don't install random stuff, even from store.kde.org; don't install random stuff from GitHub, from malicious-software.com, etc., etc.

So apart from security and privacy being really, really extremely hard, think of it like this: security and privacy need to come before usability, which is a strange thing to say. But even if users complain, even if users tell you "well, I know better than the developer who is developing this application",
don't trust the users. We are here to protect them, even if they don't want to be protected. Security and privacy before software design. Plugins are beautiful; not having to recompile the application, just restarting it with a different set of plugins, is amazing. But don't. And I'm also to blame for this: almost all the applications that I created for KDE, the first thing that I always did was create a plugin system. And security and privacy before anything else: you need to start thinking about these things before you even start writing your first line of code. Security and privacy cannot be an afterthought. And this is the last slide. I think I was fast enough. Any questions? Yeah, of course.

Okay, my question would be: given the example of the password prompt from your network applet being snooped on by your other applet, how much of that could be solved through a multi-process architecture, so taking a page out of the book of web browsers these days?

Okay, so multiple processes are obviously harder, just like it's much harder to do something evil in a VM than in a normal C++ plugin. It's much harder to do something relying on an OS problem than on a program problem, etc., etc. So each of those levels that I have shown, each level is by an order of magnitude harder to exploit than the previous one. With multiple processes, if you don't rely on operating system bugs or CPU bugs, then you cannot do anything. But if you do rely on, for example, CPU bugs like Meltdown, then you can steal absolutely whatever you want.

Any more questions? How can we secure a plugin-based architecture? Disable plugins. So obviously, if you just load GPG-signed plugins that are signed by Jonathan or somebody else... yeah, right. Liz.

I've got a question that's come in on the KDE Facebook page, and it says: I'm loving KDE neon and I'm loving my ability to store passwords, but I've forgotten my password to the Plasma Vault I created. How can I find the data in it?
Yeah, obviously he just needs to send me an email and I'll tell him the back door. It's usually "KDE." plus the date the vault was created, plus ".really really secret password for the back door.". So for vaults, if you forget the password, you're screwed.

As far as I can understand, most of those privacy issues you're highlighting are basically post being pwned. Like, we already installed a Trojan; should we even care about what happens after you already installed malicious hardware and got hacked?

Yes, I would say that's beyond our scope, and it is: people shouldn't get hacked. Okay, so if somebody already has installed a Trojan, then, well, who cares?

Yeah, but most of your examples require already installing a Trojan, like installing a malicious plugin as a Trojan. I mean, otherwise I do agree, but we don't...

We cater to users that are not tech savvy, and users that are not tech savvy kind of often do things that are not advised.

True, but that can also be protected by the operating system, like they do on Windows, and they might do on future Linux distributions, where you can't really install an application that easily without it being signed.

Yeah, of course, but then we would need to have a central authority that signs the packages, etc. The thing that I just wanted to add is that maybe we all have Trojans in our CPUs, because there are some, let's say, not binary blobs but hardware blobs in CPUs, both Intel and AMD, which we have no idea what they're doing, like the IME and PSP from AMD. So we should try to protect users even from those things. In essence, we cannot ever have complete protection, but we can put some, let's say, safeguards to protect in the most common use cases, because privacy is never complete. Okay, sir, thank you.

There is just one question more. No? Well, maybe. So as far as I've heard, the question is: am I suggesting to put down store.kde.org?
I'm not, but we should have some people that are whitelisting the things inside of the store. For wallpapers and stuff, it should be fairly safe, unless somebody exploits parsing of the desktop files, etc. But for more serious things, I would have a whitelist. Don't trust anything. Don't trust anything, least of all Ivan. No.

So the store situation is such that, given that all of the software for that is now hosted by KDE, anyone who would like to help with it, please get in touch, because that's a thing that we can totally make happen.