[xubuntu-users] "System program problem detected"

[Ralf Mardorf]

On Fri, 10 Jul 2015 21:17:43 +1000, Rob Ward wrote:
>On 10/07/15 19:05, Ralf Mardorf wrote:
>> On Fri, 10 Jul 2015 17:21:55 +1000, Rob Ward wrote:
>>>> Eric Christopherson wrote:
>>>>
>>>>> Lately I've been getting this strange dialog saying
>>>>>
>>>>>       System program problem detected
>>>>>
>>>>>       Do you want to report the problem now?
>>>>>
>>>>>       [Cancel] [Report problem...]
>>> Just slightly off topic, but how we know when we respond to these
>>> alerts and we blithely type in our password to authorise the details
>>> to be sent off that we know that the alert is genuine and not just
>>> a faked up window to capture our password??
>>> I am never logged in as root, but routinely use my password in
>>> these situations.
>>> I am not doubting Eric's problem exists, but I am often unsure
>>> about various alerts I get, and how secure my response is?
>> It's dubious if a window pops up, asking for your password, to send
>> data through the Internet. I already would be careful with software
>> that asks to send a bug report, when the root password isn't needed.
>> Note, even the information of the full window size could be used to
>> track you, that's why TOR browser warns you to not full size the TOR
>> browser window. You might have stored some unencrypted passwords in
>> files that only need user permissions, that's why on serious mailing
>> lists, developers always mention to check log files, debug files etc.
>> against passwords and to remove them before posting them in a bug
>> report.
>>
>> Those bug report tools are simply spyware and should be abandoned.
>> Even if the original bug report software should guarantee complete
>> anonymity (but it doesn't!), you never know if it's the original
>> software or phishing software.
>>
>> Turn of all "phone home" options, of all the software you are using,
>> resp. be aware that you can't do this for e.g. some much used Web
>> Browsers.
>>
>> However, be careful with bug reports, especially with bots that
>> sends data to Canonical. Canonical is known for including spyware to
>> Ubuntu.
>>
>> http://www.gnu.org/philosophy/ubuntu-spyware.en.html
>>
>> Regards,
>> Ralf
>>
>Cheers Ralf,
>I appreciate your feedback,
>much appreciated.
>What does it mean though when the Root password_is _required?? erh, 
>requested??
>Most of them occur in Application windows not browser windows?
>And if we don't use them, can we expect software to improve?
>Rob

Most likely it's relative secure to use *buntu bug report software and
unlikely phishing software could be installed, but some users might not
like to give away to much information that isn't related to a bug.

A password for a bug report might be needed to give detailed
information about the install and computer by e.g. lshw and similar
commands.

$ lshw
WARNING: you should run this program as super-user.

IMO it's better to subscribe to bug trackers and manually provide
what's needed. This way the user also could work together with the
developers, provide information, if required and test bug fixes and
report back, if they solve the issue or don't solve it.

At least this automated bug report software should show what is send to
the Ubuntu or software upstream servers. Even if you encrypt all
passwords, a log file or debug file could contain passwords by human
readable text.

Sending e.g. all hardware information by e.g. lshw IMO already is
spying.

Does anybody know what's send by bug report software that asks for the
root password? lshw, hwinfo, dmesg, /var/log/Xorg.0.log,
~/.xsession-errors, /proc/foo etc. usually provide already too much
irrelevant information without the need to run/access them without root
privileges. Even the output of  wmctrl -m  or similar shouldn't always
be needed.

If software doesn't work, I would run it in a terminal emulation,
provide the output and the version of the used software, file manually
a bug report to a bug tracker and wait for a reply of a developer to
provide additional information, if needed.

2 Cents,
Ralf