Description

When it comes to permanently connected computers, knowing and limiting what is being sent to a third party and what your computer is doing for a third party become a major concern. In fact, privacy is the new challenge for Free Software as it is for internet users. As stated by open source users, security ranks as the second priority, after stability, and transparency ranks as fifth priority for "what open source users value in software". Security can't be dissociated with privacy because if it isn't secure, it can't be private.

Providing a perfectly secure and privacy compliant system may be a overwhelming project, but it must be a direction in which we move forward to. As users gets more exposed to privacy and security features, they will develop a better awareness of it and with time become more proactive in securing their system and protecting their information. Users and developers should care about privacy.

As open source operating systems are gaining more popularity, they are adapting in accommodating less tech savvy users. Users are now expecting better control of their computers without all the hassle of hard learning curves. As KDE can be considered a major and one of the leading desktop environment (getting first place is some reddit user survey and opensourcesurvey), it has a broader reach and probably a larger spectrum of technically enthusiast users. As such, KDE is in a unique position to offer users a complete software environment that helps them to protect their privacy. KDE, being community-driven and user-focused, has the opportunity to put privacy on top of the agenda, arguably, being in this position, KDE has the obligation to do this, in the interest of the users.

There are many ways user may have their privacy violated, most notable are :

• Passively collected data (ie: when accessing a service)
  • Insecure communication (unencrypted packets ie: http and public wifi)
  • Global surveillance and mega corporations
  • Targeted Surveillance (politically motivated or industrial espionage)
• Actively collected data (by a running application or being monitored from a backdoor)
• Security breach of your system or of a company that has your information
  • A virus, a worm, a trojan or malware
  • A software bug/vulnerability that leads to an exploit
  • Rogue local software
  • Stolen device
  • Physical intrusion

Aggregating those information may lead to :

• Possible to identify you personally and where you live (AOL user No. 4417749)
• Know sensible information as health, political opinions, religion beliefs, sentimental life ...
• Targeted publicity and/or attempts to influence your opinions (the dark art of political advertising online)
• Be discriminating or prejudicial; (unintentional or not; affect job hunting)
• Building a psychological profile of you and know your habits
• Used for profiling, blackmailing and extortion
• Exposing strategic commercial information or strategic gouvernemental information
• Being stolen by criminals, used by trolls or online abusers
• Identity theft
• Certainty of your information being used somehow by someone without you knowing it

KDE is expected to:

1. Offer users the tools to protect privacy and to lead a private and safe digital life without compromising their identity, exposing their habits and communications.
2. Setting a high standard and example for others to follow, define the state of the art of privacy protection in the age of big data and force others to follow suit, thereby increasing pressure on the whole industry and eco-system to protect users privacy better.

Current ways to protect privacy and security

• Open Source Software "proponents say constant peer review creates more secure applications"
• Security by design
• Trusted repositories
• Up to date system and software
• Secure screen saver, user password and bios password
• Secure and encrypted connections (ssh, vpn, wireguard, https)
• Data encryption at rest
• Disable USB mount and separated guest OS
• Chkrootkit and antivirus
• Firewall
• SELinux, AppArmor or grsecurity
• Ad blocker and DNS sinkhole
• Panic button in case of intrusion
• Virtualization, containers and isolators
• Inspection of what an application can do and has done
• ... (Submit any missing) ...

What it will take

Secure by design

Adopt strict guidelines for KDE framework and application considering that "malicious practices are taken for granted and care is taken to minimize impact in anticipation of security vulnerabilities" (Wikipedia). This includes, but not limited to :

• Have a way to limit and control access to sensible information like identity and credentials.
• Have a way for applications to integrate a system tray icon without it knowing anything else about your system.
• Have a way to limit applications access to memory or functions not deemed needed (ie: reading clipboard/inputs without user consent)
• Have a way to check checksum/signatures of binary files before execution to prevent malicious code injection.
• Make sure all KDE applications are maintained and that code is often reviewed.

Strong privacy respecting defaults

• Only collect and send data when necessary and clear and sensible from within the context and using a vetted privacy-preserving methods (e.g. rappor which is used by Chrome and Firefox). No hidden telemetry sending user stats, not HTTP connections downloading content, no search queries to online services without the users explicit consent (or where it's entirely clear from the context, e.g. web browsers, software updater, etc.).
• Use anonymity where it is possible, for example by using Tor connections for things like telemetry and weather updates which don't require third party user identification (because we cannot control third party services and if they will behave)
• No collection of privacy-relevant data without clear purpose and without doing the best we can to preserve your privacy (for example by using differential privacy)
• Privacy-preserving defaults: a user should not have to make changes to the software configuration to avoid leaking data. Secure and private by default. (Software may be configured to be more leaky if that benefits the user, but the risk to that should be clear, either from context or explicitly stated.)
• Use clear and consistent UI and design language around network-related options

Offering the Right Tools

KDE needs to make an effort to provide a comprehensive set of tools for most users' needs, for example:

• An email client allowing encrypted communication
• Chat and instant messaging with state-of-the art protocol security (Signal Protocol and derivatives like Briar and Matrix)
• A web-browser that has private default settings
• Allow users to easily scrub metadata from files (e.g. dolphin integration of MAT)
• Other tools that allow offline operation and independence from popular cloud services (e.g. File storage and groupware solutions)
• Support for online services that can be operated as private instances, not depending on a 3rd party providers
• State-of-the-art support and integration for projects like Tor, MAT, secure-delete tools, etc.
• Password creation and sync across devices (Like Keepassx and Firefox sync together)
• Provide GUI applications for command line driven or config file driven security tools.

Virtualization and containers are the way to the future

Virtualization and containers are gaining popularity while not really integrated in the graphical user interface as they are relatively new and more used in the cloud space. They also have their own challenges while addressing most preoccupations related to security and privacy.
They do offer an easy approach to isolate and secure :

• closed source software
• poorly written software
• software that provides large window of attack (email, web browser, etc.; expected to open and execute code that may be malicious)

Using containers to sandbox an application can drastically improve security. The application may be imposed restrictions and be isolated from the rest of the computer, but it share the same kernel as your other applications. An other advantage is that it can be "reset" and it will always return to a clean state every time the application is restarted.
The current challenge is that there is no universal GUI or interface to those containers and all configuration is done by scripts. With the augmentation of AppImage, Flatpak and Snaps distributed application and games, plus the proliferation of containers, we can be sure that they are here to stay and KDE must take consideration on how it can be integrated and managed.

Virtualization is running a full blown separate operating system leveraging special instructions (Intel-VT or AMD-V) to have a host run an hypervisor.
One such brilliant example is how QubesOS integrated the management and visual representations of XEN VMs in their custom XFCE GUI. By the way, QubesOS was implemented in KDE up to version R3.2. Their work should be used as a reference on how KDE could evolve to present containerized applications in a meaningful way.

Virtualization tools like VMware and Virtualbox provide ways to disable clipboard sharing easily while containers still require manual command lines arguments to enable/disable them. KDE should provide an universal way of setting those features for GUI applications from the taskbar and in System Settings panel.

Proposed KDE security and privacy roadmap:

For short term, KDE should focus on endorsing and promoting security and privacy :

• Adopt a privacy, security and transparency pledge. See this example.
• Ask that official KDE applications and contributors adopt and conform to the privacy, security and transparency pledge.
• Have a general security audit of KDE applications (are them maintained and using up to date libraries?; see @dvratil's comment on legacy code in T11069).
• Promote security and privacy as an integral part of KDE ecosystem.

For medium term, KDE should focus on providing general security and privacy :

• Integrate command line security tools in KDE
• Ksysguard should expose more about applications and provide some profiling and logging mechanism.
• Better identity and credential management with possibility to restrict and monitor application usage (see discussion in T11069).
• Review how KDE share information with applications; what are the implications of running malicious code and how could KDE help minimize damage by integrating restrictions.
• Guaranty quick turn-around times for software updates, especially security fixes.
• Put in place strong privacy respecting defaults.
• Developing a full featured section called Security in KDE's System Settings.
• Add a "Audit my system" under "Security" in System Settings that make it possible for users to audit the security of their system in a simple and convenient way.

For long term, KDE should focus on conceptualizing how they want to deeply ingrain security and privacy :

• Put in place a functioning code-review and regular security audits for KDE framework and KDE applications.
• Start to plan and consult users on how to integrate the next generation of security and privacy options in KDE ecosystem for containerized and isolated (sandboxing) applications.
• Moving away from inherently insecure technologies and using more secure technologies.
• How to develop set of tools to be bundled in KDE for inspecting an application in a convenient and easy way (GUI).

Ways to go

Audit my system

Providing users with a simple way to audit their system and provide a security score after checking presence or absence of features. This will allow users to compare their system to relevant security profile and know how secure they could consider their system.

• Ex: Disk encryption, Firewall, VPN/Wireguard/Proxy, opened ports, locked screen saver (laptop vs workstation), lunch applications in containers, most used applications adhere to KDE privacy statement or have a similar statement ...

The score should be valid for the current year as the scoring values should be updated yearly (elements and values) and be inspired by security audit tools already available.

KDE Container and sandbox center

Provide a intuitive way to integrate containers, distinguish applications running in them and configure their privileges.
Includes but not limited to :

• Provide a way of knowing where an application is residing (native, container, flatpak, snap, appimage, remote).
• Provide a way to modify on the fly an application rights/privilege
  • File access
  • Hardware access (keyboard, mouse, disk, network, gpu, usb, etc.).
  • Network access
  • Clipboard access
• Provide a way to manage all containers that have access to the GUI and what is currently accessing/using it.

In KDE

Static and run-time analysis tools integrated into KDE, such as:

• KDE Inspector : an application that can provide information on a running task, the process list it is associated with and a log of privilege usage. Initially it would be about open/change of files/devices and internet connectivity monitoring. Things like reading keyboard input while not in focus should also be noted.
• Wireshark
• gdb
• [...]

Use already available libraries :

• lsof
• sockets
• [...]

Containers :

• Firejail
• Docker
• Podman
• LXC
• OpenVZ
• Snap
• Flatpak
• Katacontainers

VM :

• Xen
• KVM
• Virtualbox
• VMware
• Xvisor
• Lguest

KDE software can be audited for security vulnerabilities by security experts, organizations, and firms, such as:

• Mozila Open Source Support https://www.mozilla.org/en-US/moss/secure-open-source/
• Open Crypto Audit https://opencryptoaudit.org/
• Cure52 https://cure53.de/
• Least Authority https://leastauthority.com/
• NCC Group https://www.nccgroup.trust/
• Radically Open Security https://radicallyopensecurity.com/
• Trail of Bits https://www.trailofbits.com/

KDE software can be audited for compliance with common, security related standards, such as:

• NIST Cybersecurity Framework (NIST CSF)
• ISO 15408
• RFC2196
• Cyber Essentials (UK Government Standard)

How we know we succeeded

• KDE adopt a privacy, security and transparency pledge.
• KDE Framework audited by at least one organization or authority.
• All applications and KDE framework adopt Secure by design guidelines.
• KDE is known as a secure and privacy oriented desktop environment.
• KDE has put in place many security functions for developers and users and they are being used.
• When users work on improving their system security score and asking more questions about security and privacy.

"Soft" criteria include:

• Press and 3rd party refer to KDE as carrying the gold-standard for such software
• Journalists prefer KDE software for their work
• The NSA hates KDE
• The CCC loves KDE ♥

Relevant links

• General reading about cyber security standards: https://en.wikipedia.org/wiki/Cyber_security_standards
• NIST CSF: https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework
• RFC2196: https://tools.ietf.org/html/rfc2196
• Tor Project: https://www.torproject.org
• https://reproducible-builds.org/
• https://trustable.gitlab.io/
• http://blog.martin-graesslin.com/blog/2013/08/floss-after-prism-anonymity-by-default/
• https://blog.martin-graesslin.com/blog/2013/08/floss-after-prism-privacy-by-default/
• Schneier On Security; advocate, security professional: https://www.schneier.com/
• Security pledge. https://www.securitypledge.com
• https://www.qubes-os.org/
• Wikipedia, Secure by design. Source : https://en.wikipedia.org/wiki/Secure_by_design
• What is the easiest way to sandbox an application in a *NIX environment? https://security.stackexchange.com/a/175373/165253
• Making Containers More Isolated: An Overview of Sandboxed Container Technologies https://unit42.paloaltonetworks.com/making-containers-more-isolated-an-overview-of-sandboxed-container-technologies/

Further reading

• Many Americans struggle to understand the nature and scope of data collected about them.
• Comparison of European and American Privacy Law
• Americans’ complicated feelings about social media in an era of privacy concerns

I am willing to put work into this

I am interested

• Carl Schwan (@ognarb)
• Lydia Pintscher (@lydia)