by teo_zero 21 days ago
> doesn't allow windows to stay on top.

Are you sure that windows that, without your consent, are allowed to stay on top and grab your input are a good idea? And spawned by Chrome? As if we hadn't already enough ad-ware, click-harvesters, and spoofed dialogs popping up everywhere!

I know there are a couple of legitimate uses for this, but the ways it can be abused are vastly more.

I think the sensitive default should be to block it, and allowing it should be behind some user's conscious action. Yes, it adds some friction to some workflows and it takes a bit to get accustomed to. But it doesn't deserve the label "security paranoia".

Are you aware that if software misuses the capabilities it's given by the system you can choose to stop using that software?
You can't do anything about a compromised app or JS from a random website. I always find it weird when people attack Wayland's security model, more isolation is obviously a great idea, as demonstrated by supply chain attacks in the recent decade.

It's that Wayland's design, implementation, their attitude, and everything else about it is terrible. It could have been implemented without compromising on features or convenience by explicitly specifying minimalistic controlled side channels in their security model from the start, instead of shifting it onto ad-hoc implementations. And of course the windowing system is already too large of an attack surface. Many people are thinking about going full Qubes due to the current realities, while the others live in denial and call even window isolation "paranoia". Fascinating.

Turn off the web browser feature that allows JS in an advertisement in a background tab to globally grab your input.
Sure, browsers had three decades of adversarial testing to evolve into sandboxes, but what are you going to do in case of something like the xz backdoor in a desktop application? It's no longer a hypothetical in the 2020s.
You're going to be hacked. There's no useful middle ground between letting programs modify how your computer works and not letting programs modify how your computer works.
Of course there is: fine-grained access control and attack surface reduction. It's not all or nothing.
True. But it's often all or nothing: you can't surf the web without the ads.