> I guess you haven't read news about leaks happening once in a short while?
> It seems as if in most cases the govt is interested mostly not in what was
> leaked, but in who leaked it, so they can make an example of the
> whistleblower.

The arguments against this seem to center on an attacker being on your running and decrypted computer as the targeted user. There are bigger fires. Maybe this is worse for some theoretical leaker, but the fact a sensitive document was leaked is something that's easy to track down. Servers keep logs, too.

I still don't understand why for the regular user, the URL you got a document from is worse than the ability for an attacker to read the document itself. I'm really having a hard time caring about an xattr specifying a URI where it was downloaded from being worse than an attacker being able to read the "sensitive" document off your drive. It's just not a threat model I can comprehend.

Is this worse for a leaker? Maybe. So is the fact they print documents using their ID badges, or email reporters from their work email. I can't stop that. Everything you do on a computer leaves a trace.

What's worse is normal users getting owned because macros run on a file they downloaded after having it emailed to them. I don't know that we can optimize an operating system for a leaker and expect sane behavior for our users.

I *guess* it'd be a problem if a user downloaded something that had an API key in the URL? Sure, maybe that's not great. Other than that, I really can't imagine why reading the url attributes of the file is worse than reading the file itself.

Out of the list of privacy concerns, this isn't even on my top 10 - out of my imagined steps to harden the OS against stupid attacks, this is in my top 10 :)

Maybe someone can send a patch to LibreOffice to disable macros on documents with this set? That'd be a nice productive thing to come out of this thread :)

Paul

