[qubes-users] Re: [qubes-devel] AEM: Should we drop .png support?

[Rusty Bird]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Marek Marczykowski-Górecki:
> I think PNG support is a nice half-measure against shoulder surfing -
> details on the image are harder to copy/remember (or even photograph
> with a small camera), than some text.

You're right, it is better. I hadn't considered that the user can
manually clear the image from screen as soon as they've recognized it,
simply by pressing Esc to switch to text mode.

> When we get some better alternative, we can drop PNG.

Sounds good.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZRtGEXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfltsP/3prk/o8c3k/5F0E6pOVuzFb
JIrfc2Vct0Ai/LbUX9OlwNGKBlxZbUv/KoxrxPWnOXT5YUEmXRBOkKneZsOeGYk1
OleLQ4A2SJaq5+e4WTRvSY6nk+i9LswMMvTkWCi/2zNo08HMGdmHUpE3vmNkp+uJ
5OwCmR4pIbQ4hrQN+MWJPHXtz6NMmvksoB8OgSBEIULqtU0Hp5kijxW416kNi86q
sknnfk/kj7mnanQW9IRkmkiQ740RJP/1lQ93khrBdF2H+4Ue0g2PvxkMohVNWgGm
kfkVYjAeu3zVnLpsXsbtLu9VpMQ+xNFXY32rfm9kzg+X65Pd3GfTEj+IqdcV04ST
MhQ3KSuoZlyX6Tfk4jmd4acBHrWgSEwSB8NlsgK3qWxMn+NuAfEilQm4awYtwedw
ItpUTUcqDFg02nMfyfY3kvhnm2JjeIEVc4VrrB1452Tg/5exu+j1DyqLLHFd8WvY
KdmN0Gddfe70JZYB1fmutWF7OCY4FYMBi177avstVeAqlhC6Aa9UNJtSu88jrmdm
fnDpS3LS4anrjj3+OxLxJZJeJ3SNO6M16rhEIf81Y6FGzy+X3TOECBDsKGdycwNR
0FZM19X+8+8koQEUPt8ZxBZC6AphTpX1GNKXBzrWTovzflNUDiNklZm6DQU0rDhc
nR+E4brBA+9dfqPdkMg/
=TDgE
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170618191620.GA8291%40mutt.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] AEM: Should we drop .png support?

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jun 16, 2017 at 01:47:25PM +, Rusty Bird wrote:
> Hi everyone,
> 
> What do you think about getting rid [1] of .png image secret support in
> the next major version of Anti Evil Maid? This would offset some of the
> increase in complexity incurred by the upcoming TOTP/keyfile support, in
> addition to other benefits:
> 
> - Considering that AEM is a security oriented feature, it's kind of bad
>   to implicitly encourage the user to copy a complex image format from
>   some VM to dom0 - where it will be parsed during boot. (It would be
>   possible to build something [2] secure using the qubes.GetImageRGBA
>   RPC service, but I don't know if anyone's particularly interested in
>   working on that.)
> 
> - .png support is hacky and weird: We show text secrets in the current
>   dialog, but images appear in the *next* dialog. And text secrets are
>   cleared from the screen as soon as possible, whereas image secrets
>   stay visible until Plymouth finishes.
> 
> For users who prefer the more visual approach, we could tweak the
> Plymouth theme to use a monospace font for text secrets. That should
> make ASCII art a viable replacement for conventional images.

I think PNG support is a nice half-measure against shoulder surfing -
details on the image are harder to copy/remember (or even photograph
with a small camera), than some text. When we get some better
alternative, we can drop PNG.

> 1. 
> https://github.com/rustybird/qubes-antievilmaid/commit/4e45af289d0e651a380f3182cb07901a3002905f
> 
> 2. Similar to the WIP dom0 wallpaper service:
>https://github.com/QubesOS/qubes-issues/issues/215
> 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJZRszfAAoJENuP0xzK19csNPQIAI8ihNjr2yQsvWqJNdW0IjDa
Qy5JeFu89Xu0/YzqiyRb887q2RgnKBc+jwdQO+KypuFeLNVXvNvLOfwZA9Tx3NGW
zN3bqNmTdS9rNYo5qDvqgsdxNuGcHpfJlHwkIl97EulZZS1Y5jG+FT2p2U/x75GK
3X7kJmuPPCwSEhUD14j3URlsNWDVJi9MQST4q+XgXvmUOhtSr1h5TkKrWDyR3VXD
Dj1O2CXwVpyClf/IxU5mt6o60iL6cCDzvSFhMOEsaHzKZxkXDXe1Y7DdVIv7GU65
35rWmr6p842H6L+JeFXuUg8eLSsCfWuPof72BWveVLNH7pNnTxZnkQyIX8xwxmc=
=Lp1V
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170618185630.GA8758%40mail-itl.
For more options, visit https://groups.google.com/d/optout.