The officially official Devuan Forum!

You are not logged in.

#1 2022-12-16 02:56:30

pungentweasel
Member
Registered: 2022-12-11
Posts: 9  

Beware of the Zeitgeist... and a reminder to inspect packages/source.

There's a software package called Zeitgeist that's been finding its way into nearly every Linux and BSD package repository.  It's also on Devuan.  Be sure to read the note at the bottom of this post even if you are not impacted by this.

It reads your emails, it monitors the websites you visit, listens to private conversations, and logs the files on your computer.. and then it shares this information freely over D-Bus to any application that wishes to use it.  You are given no warning and have no option to say which software can access it, and which can't.  Any software can access D-bus, including closed-source software like Discord or Telegram (whether they do or not, who knows).

If this is running on your computer, it will have created a SQLite database in your home directory full of your private information and there will be services running in the background 24/7 collecting data.

Official website: https://zeitgeist.freedesktop.org/
Old website (archive): https://archive.vn/gMDQq

It originated as a GNOME project.. surprise, surprise.  It used to be called GNOME Zeitgeist (https://web.archive.org/web/20090418021015/http://live.gnome.org/GnomeZeitgeist)

image.png

From the old website:

Zeitgeist is a service which logs the users’ activities and events, anywhere from files opened to websites visited and conversations had.
It makes this information readily available for other applications to use.

People are sometimes scared that information Zeitgeist has logged can be dangerous if it gets leaked. If you feel worried that malware might gain access to your information you need to be a bit more paranoid.
Zeitgeist events are available in the same way your Firefox and Chrome browsing history is very easily accessible. Pidgin even saves your password in plain text in your home directory.
Now remember the two golden rules of security on a Linux installation.
* Don’t run as root
* Don’t install untrusted applications

Not only that, but there is code in the source to send user data to a remote server over unencrypted HTTP

https://gitlab.freedesktop.org/zeitgeist/zeitgeist/-/blob/main/datahub/telepathy-observer.vala#L33

using Zeitgeist;
using TelepathyGLib;
using Json;

public class TelepathyObserver : DataProvider
{

  private const string actor = "dbus://org.freedesktop.Telepathy.Logger.service";
  private const string tp_account_path = "x-telepathy-account-path:%s";
  private const string tp_identifier = "x-telepathy-identifier:%s";
  private const string ft_json_domain = "http://zeitgeist-project.com/1.0/telepathy/filetransfer";
  private const string call_json_domain = "http://zeitgeist-project.com/1.0/telepathy/call";

  private TelepathyGLib.DBusDaemon dbus = null;
  private TelepathyGLib.AutomaticClientFactory factory = null;
  private TelepathyGLib.SimpleObserver observer = null;
  private HashTable<string, Timer> call_timers = null;

Final note:

GNOME currently ships packages called gnome-tracker and gnome-tracker-miners (may be called tracker-miners or tracker3-miners, etc) that do something similar.  There was another called gnome-online-miners that logged online activity, I think the name is changing and I'm having trouble finding it. 

Gnome Tracker is a hard dependency of GTK4, which means if you have GTK4, you have GNOME Tracker on your system.   Like Zeitgeist, Gnome tracker keeps a SQLite database in your home directory and collects data via background service.  If you check out the database tables, it was developed with the intent of collecting an extraordinary amount of user data.  If you use gnome, you can tame Tracker's data collection a bit using dconf-editor (navigate to org.freedesktop.tracker).

Last edited by pungentweasel (2022-12-16 03:53:09)


Behold, I send you forth as sheep in the midst of wolves: be ye therefore wise as serpents, and harmless as doves. - Matthew 10:16

Offline

#2 2022-12-16 03:12:03

golinux
Administrator
Registered: 2016-11-25
Posts: 2,726  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Thanks for the heads up. I just checked my Refracta Chimaera install and no zeitgeist package is installed.

Offline

#3 2022-12-16 04:06:20

User479
Member
From: Central USA
Registered: 2021-11-07
Posts: 11  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

The tracker service can be disabled and masked.  Whether it gets surreptitiously enabled again is a question. Changing the directory where it stores its data to read-only might also hinder it.

Online

#4 2022-12-16 04:11:25

pungentweasel
Member
Registered: 2022-12-11
Posts: 9  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

User479 wrote:

The tracker service can be disabled and masked.  Whether it gets surreptitiously enabled again is a question. Changing the directory where it stores its data to read-only might also hinder it.

symlink it to /dev/null tongue

Last edited by pungentweasel (2022-12-16 04:36:20)


Behold, I send you forth as sheep in the midst of wolves: be ye therefore wise as serpents, and harmless as doves. - Matthew 10:16

Offline

#5 2022-12-16 04:32:56

Altoid
Member
Registered: 2017-05-07
Posts: 1,132  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Hello:

golinux wrote:

Thanks for the heads up.

Indeed ...
Thanks a lot.  8^)

golinux wrote:

... checked my Refracta Chimaera install ...

I don't have it in my Beowulf either.

But that's not the point.

User479 wrote:

The tracker service can be disabled and masked.

The point is that, independently of whether it can be disabled/masked, such a package has no place in the Debian/Devuan repositories.

Anyone know how it is that it got there?
And most important, how it eluded proper scrutiny from the devs?

I'd say it has to be banned.

A.

Offline

#6 2022-12-16 04:33:31

golinux
Administrator
Registered: 2016-11-25
Posts: 2,726  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Thank heavens for image blockers! Hope no one with epilepsy comes to this post . . .

Offline

#7 2022-12-16 05:03:24

pungentweasel
Member
Registered: 2022-12-11
Posts: 9  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Altoid wrote:

The point is that, independently of whether it can be disabled/masked, such a package has no place in the Debian/Devuan repositories.

Anyone know how it is that it got there?
And most important, how it eluded proper scrutiny from the devs?

I'd say it has to be banned.

They don't have time to sift though thousands of packages, so it's understandable. Zeitgeist I agree should be blacklisted, for the simple fact that it can send personal user data to an insecure remote server.  That would affect some other packages that depend on it though.  Gnome tracker is much more difficult to deal with because of its integration with GTK.

I would like to see package repositories add some kind of public reporting system, and forks of package managers that show flags for packages that have been reported by other users as potentially harmful.  I'm actually kind of surprised that a system like this doesn't already exist as a standard practice across all of linux.

Devuan actually has a page specifically devoted software without d-bus.  Hugely commendable.  In my opinion, d-bus should be ditched just like systemd.  It is useful, but dangerous as hell.  https://www.devuan.org/os/documentation/dev1fanboy/en/dbus-free-software.html

Last edited by pungentweasel (2022-12-16 05:31:02)


Behold, I send you forth as sheep in the midst of wolves: be ye therefore wise as serpents, and harmless as doves. - Matthew 10:16

Offline

#8 2022-12-16 05:31:27

zephyr
Member
From: as where the crow flies native
Registered: 2016-12-01
Posts: 370  
Website

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

It has been with Diodon (clipit) since it hit the Devuan repos!

oa734YMl.png

Also, Synapse has always had it, back to the before Devuan with Debian

ZBQGjLwl.png

Imagine it is in other apps, these two I'm aware of and don't use.

cheers

zephyr


CROWZ / STAR

...easier to light a candle, yet curse the dark instead / experience life, or simply ...merely exist / molon labe

Offline

#9 2022-12-16 05:48:19

pungentweasel
Member
Registered: 2022-12-11
Posts: 9  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

zephyr wrote:

Imagine it is in other apps, these two I'm aware of and don't use.

cheers

zephyr

It's been around the block for a while....

image.png

And in 2009 it was GNOME Zeitgeist. 13 years old at minimum, and still active.

Last edited by pungentweasel (2022-12-16 06:02:48)


Behold, I send you forth as sheep in the midst of wolves: be ye therefore wise as serpents, and harmless as doves. - Matthew 10:16

Offline

#10 2022-12-16 10:34:27

Altoid
Member
Registered: 2017-05-07
Posts: 1,132  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Hello:

pungentweasel wrote:

They don't have time to sift though thousands of packages, so it's understandable.

Yes, I agree.

But it would seem that it skipped both Debian and Devuan devs.
And the devs of other distributions that have it.

pungentweasel wrote:

... should be blacklisted ...
... personal user data to an insecure remote server.
... affect some other packages that depend on it though.

Then any other package that depends on it should also be banned from Devuan.
I cannot stress this enough:

                                                   ----> This is not an issue to be taken lightly <----

It is an infection which has actually originated from inside the Linux ecosystem.
Unbelievable.

An infection that, in my opinion, has taken root thanks to the slow but constant erosion of the basic principles Linux was built on.

ie: Do one thing and do it well

pungentweasel wrote:

Gnome tracker is much more difficult to deal with because of its integration with GTK.

Get the point I am attempting to make above?
Integration? Then off with it's ugly head, I say.

Integration is nothing but the negation of the Unix/Linux philosophy as put forth by Doug McIlroy et al.
Has the widespread implementation of systemd not raised enough flags yet?

pungentweasel wrote:

... surprised that a system like this doesn't already exist as a standard practice across all of linux.

Indeed.
So am I.
Very (very) much so.

Best,

A.

Last edited by Altoid (2022-12-16 10:37:39)

Offline

#11 2022-12-16 11:02:59

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

pungentweasel wrote:

There's a software package called Zeitgeist [...] It reads your emails, it monitors the websites you visit, listens to private conversations, and logs the files on your computer.. and then it shares this information freely over D-Bus to any application that wishes to use it.  You are given no warning and have no option to say which software can access it, and which can't.  Any software can access D-bus, including closed-source software like Discord or Telegram (whether they do or not, who knows)

So don't install it then.

The zeitgeist package is not installed by default in any of the desktop environments and it won't work properly in bare window manager desktops so this seems to be a complete non-issue.

Here is a list of the packages which will pull in zeitgeist:

$ aptitude search ~Dzeitgeist
p  budgie-applications-menu-applet - Stylish Applications Menu for Budgie-Desktop
p  cairo-dock-recent-events-plug-in - Recent events plug-in for Cairo-dock
p  diodon - GTK+ Clipboard manager
p  gir1.2-zeitgeist-2.0 - library to access Zeitgeist - GObject introspection data
p  gnome-activity-journal - graphical user interface for Zeitgeist
p  libdiodon0 - GTK+ Clipboard manager (main library)
p  liblomiri-app-launch0 - library for sending requests to Lomiri App Launch
p  libzeitgeist-2.0-dev - library to access Zeitgeist - development files
p  libzeitgeist-cil-dev - CLI bindings for Zeitgeist Project - development files
p  lomiri-app-launch - User space daemon for launching applications
p  lomiri-app-launch-tools - Tools for working wtih launched applications
p  python3-zeitgeist - event logging framework - Python 3 bindings
p  synapse - semantic file launcher
p  zeitgeist - event logging framework
p  zeitgeist-core - event logging framework - engine
p  zeitgeist-datahub - event logging framework - passive logging daemon
$

So unless any of those packages are installed zeitgeist will not be present.

Any tinfoil consumers can use this file at /etc/apt/preferences.d/stop-zeitgeist:

Package: zeitgeist*
Pin: version *
Pin-Priority: -1

^ That will stop any zeitgeist packages from ever being installed.

If the zeitgeist pakcage is installed then this file at ~/.config/autostart/zeitgeist-datahub.desktop will stop zeitgeist-datahub from starting in full desktop environments:

[Desktop Entry]
Name=Zeitgeist Datahub
Comment=Start the Zeitgeist Datahub for passive loggers
Exec=zeitgeist-datahub
Terminal=false
Type=Application
Hidden=true
User479 wrote:

The tracker service can be disabled and masked.  Whether it gets surreptitiously enabled again is a question.

The zeitgeist services can be masked with

systemctl --user mask zeitgeist{,-fts}

Masking a service under systemd means it can never be started, even if called by DBus or another service. Debian packages will never run unmask, even for system services, and certainly not for user services, so that modification would be permanent.

The bad news is that sysvinit/runit/s6/OpenRC can't do masking, they have no concept of that very useful feature.

EDIT: spelling, removed misinformation.

Last edited by Head_on_a_Stick (2022-12-16 13:11:29)


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII, 18.

Offline

#12 2022-12-16 14:28:32

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,313  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Just be all minimalistic n'stuff tongue

dan@miyolinux:~$ apt search zeitgeist
Sorting... Done
Full Text Search... Done
budgie-applications-menu-applet/stable 1.1.0-1 amd64
  Stylish Applications Menu for Budgie-Desktop

diodon/stable 1.11.0-1 amd64
  GTK+ Clipboard manager

diodon-dev/stable 1.11.0-1 amd64
  GTK+ Clipboard manager (development files)

gir1.2-diodon-1.0/stable 1.11.0-1 amd64
  GTK+ Clipboard manager (GObject introspection data)

gir1.2-zeitgeist-2.0/stable 1.0.3-4 amd64
  library to access Zeitgeist - GObject introspection data

gnome-activity-journal/stable 1.0.0-3 all
  graphical user interface for Zeitgeist

libdiodon0/stable 1.11.0-1 amd64
  GTK+ Clipboard manager (main library)

libzeitgeist-2.0-0/stable 1.0.3-4 amd64
  library to access Zeitgeist - shared library

libzeitgeist-2.0-dev/stable 1.0.3-4 amd64
  library to access Zeitgeist - development files

libzeitgeist-2.0-doc/stable 1.0.3-4 all
  library to access Zeitgeist - documentation

libzeitgeist-cil-dev/stable 0.8.0.0-5.1 all
  CLI bindings for Zeitgeist Project - development files

libzeitgeist0.8-cil/stable 0.8.0.0-5.1 all
  CLI bindings for Zeitgeist Project

monodoc-zeitgeist-manual/stable 0.8.0.0-5.1 all
  compiled XML documentation for zeitgeist-sharp

python3-zeitgeist/stable 1.0.3-4 all
  event logging framework - Python 3 bindings

synapse/stable 0.2.99.4-3 amd64
  semantic file launcher

zeitgeist/stable 1.0.3-4 all
  event logging framework

zeitgeist-core/stable 1.0.3-4 amd64
  event logging framework - engine

[/cozeitgeist-datahub/stable 1.0.3-4 amd64
  event logging framework - passive logging daemonde]

I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned. wink

Offline

#13 2022-12-16 18:37:34

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,313  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Head_on_a_Stick wrote:

pakcage

Head_on_a_Stick wrote:

EDIT: spelling,

Tee Hee... tongue


I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned. wink

Offline

#14 2022-12-17 11:24:35

Altoid
Member
Registered: 2017-05-07
Posts: 1,132  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Hello:

Head_on_a_Stick wrote:

... don't install it then.

I think you are missing the point.
By a mile or so.

Head_on_a_Stick wrote:

... is not installed by default in any of the desktop environments ...

Yes, as of today.

As you can surely gather, that list can change and expand to a great many other packages within the Linux ecosystem.
Very quickly.

Head_on_a_Stick wrote:

... seems to be a complete non-issue.

I beg to differ.
The point being that a package such as this one does not have a place or reason to be in any Linux repository.
Much less in Devuan's repositories.

pungentweasel wrote:

Not only that, but there is code in the source to send user data to a remote server over unencrypted HTTP
https://gitlab.freedesktop.org/zeitgeist/zeitgeist/-/blob/main/datahub/telepathy-observer.vala#L33

In the same way that Wednesday night's sushi has no place or reason to be in your refrigerator because you expect no one will eat it.
Or will try to find the receipt from the delivery chap to see when it was purchased/delivered before taking a bite and getting scombroid poisoning.

Head_on_a_Stick wrote:

... a list of the packages which will pull in zeitgeist ...

Thanks for the heads-up.  8^)
But until pungentweasel posted his warning and you posted this list, here at Dev1 no one knew all this was happening.

As well as most if not all Linux users who installed budgie, cairo-dock, diodon etc. and ignored this fact.
Unless they read your post or done the research to find out.

ie: find out that this crap was being pulled in when they installed their chosen xxyyzz application.

Which is something that a Linux user should not have to do when they install an application from a trusted source such as their distribution's repository.

Why?
Because (up to yesterday) no one in their right mind would have thought that a Linux repository would have this crap available for installation.

Head_on_a_Stick wrote:

... tinfoil consumers can use this file ...
... will stop any zeitgeist packages from ever being installed.

Done.
Thanks.  8^)

Note to devs:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Please consider banning zeitgeist from the Devuan repository.

Consequently, any application that requires zeitgeist to be installed to work properly should be sanitized just like any application that needs systemd to be present but can work without it.

And if it cannot be sanitized, it should also be banned.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Best,

A.

Last edited by Altoid (2022-12-17 11:32:07)

Offline

#15 2022-12-17 11:58:07

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,097  
Website

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Altoid wrote:

The point being that a package such as this one does not have a place or reason to be in any Linux repository.
Much less in Devuan's repositories.

Of course it has a reason. It is a useful piece of software. If I was administrating a highly secure multi-user system I would want to keep a very close check on what my users were doing. The same goes for my teenage grandchild — I am very tempted to install Zeitgeist on their box to aid safekeeping.


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII, 18.

Offline

#16 2022-12-17 15:49:29

Altoid
Member
Registered: 2017-05-07
Posts: 1,132  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

Hello:

Head_on_a_Stick wrote:

... a useful piece of software.

Not to contradict you or wanting to polemise any further, but I'd say that depends heavily on the what for aspect.

Some brillantly written worms and trojans will also fit into the "useful piece of software" slot. 
But ...

Head_on_a_Stick wrote:

... administrating a highly secure multi-user system ...

... you would have a very secure and properly segmented/firewalled network with strictly vetted users with assigned security clearances on a per case basis.

You do not need to have zeitgeist installed to have highly secure multi-user system.

But while I can understand your point of view, I don't agree with it and insist:

There's no need for zeitgeist to be in any Linux repository, much less Devuan's.

So let's agree to disagree. 8^)

Best,

A.

Last edited by Altoid (2022-12-17 18:28:21)

Offline

#17 2022-12-17 18:37:19

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,313  

Re: Beware of the Zeitgeist... and a reminder to inspect packages/source.

...still rockin' a minimal install of Devuan with no zeitgeist-n-hophtereinstaeist installed.

...I'm not sure what all of this is about, but then again...I don't care. HAHAHAHA!!!

I'll exit the conversation now. Sorry for the intrusion...but I'm happy. tongue


I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned. wink

Offline

Board footer