KDE Defaults Privacy/Security Pitfalls/Landmines

I am planning on testing a distro with KDE again, and I remember the last time I ran KDE, I was rudely surprised to find borderline key-logger software built-in and enabled by default: Klipper (technically only logs clipboard, not all keypresses, but maybe also text selections).

Are there any other bizarre privacy-hostile features like this to watch out for? It is too early for a KDE Recall I hope?

Any privacy-related setup tips or configuration changes are welcome.

The thread has been somewhat derailed by discussion about how objectionable or not Klipper is to different groups of people, but the intent of this thread is to collect a list of features or settings—erring on the side of being overly security or privacy conscious—that a newcomer to KDE would not know about or would not expect to be included or enabled in the base installation or common distro configurations.

Features to some, can be security concerns to others. But you can just uninstall what you don’t want, I wouldn’t be as blunt and call it privacy-hostile.
KDE has a lot of bells and whistles built in, if you want total security, disable all plugins/extensions and the ability to download themes too, as all of those are essentially providing 3rd party scripts.
Gnome has a feature to lockdown extensions, I’d assume KDE has a similar config available.

If you don’t feel comfortable with a particular package or its dependencies, just don’t use it. Everyone decides for themselves what software to run on his linux machine.

I find Klipper very helpful for providing a history of my copy+paste activity. Digging through the webs AGAIN to find that one command I needed earlier/yesterday…not great workflow. Great work on this small but convenient piece of software, making everyone’s life and work a bit easier.

I think we should watch out for paranoid users telling us how logs or caches and stuff are an inherent and looming threat.

If you see the the world in black and white, you obviously can connect Klipper to Recall, because that fits your agenda, fears and lack of trust. For everyone else, this is an absolutely ludicrous and laughable proposition.

.bash_history is a trusty and immensely useful tool, command-logging your activity for decades. From a privacy perspective, this is far more critical than a damn clipboard is.

It’s fine. Put your tinfoil hat away.

If you think a clipboard is a security concern and a clipboard manager a full on privacy assault then you should be running something like TAILS withOUT a normal DE. Vett all your own software and build things from the ground up because yeah, you’re going to have more surprises if you think a clipboard manager is an issue. Never mind all the Kbus Dbus WeeeeBus stuff sending various hardware/software states to other things…(shifty eyes) maybe rogue agents outside your network…Virtually everything, cough everything is an attack vector.

I suspect my humor will also be lost but yes, hang up the tinfoil hat and chill out or build ground up…LFS with whatever insane other things you think will keep you safe from yourself.

As a last unneeded note Clipboard manager shouldn’t be a concern unless you have physical access worries and/or your drives aren’t encrypted…or maybe I’m wrong man…like the FEDS are lying they can decrypt anything these days…maybe I should like just buy a new laptop every day and enough thermite to burn it after every use~

Considering Klipper of all things to be security risk is not reasonable or even comprehensible. It implements basic functionality common in all oses since the bleeding 90s.

Its just clipboard manager after all. If clipboard functionality is your security breaking point, I don’t think there is any OS that is “safe” for you.

borderline key-logger software

Explanation desperately needed, it really does not compute no matter how hard I look.

Only theoretical risk involved with clipboarrd manager necessitates your system being fully compromised already while you are using it and then Klipper is irrelevant from security perspective.

Everything has already been owned and you have lost.

Depending on the environment, it can be. Imagine a corpo environment where you have classified access, and a helpdesk guy who remotes into your machine can read your clipboard history.
Niche case and there’s other business strategies in place, but just making a point.

Tinfoil hat jokes aside there are places where such a thing would be an issue but it’s like a drop of p_ss in the ocean. There filemanagers, recent used file lists in all your document-centric applications, web browsers (nightmare in itself). If the clipboard is the first thing that “triggers you” you’ve got a MASSIVE blind spot.

More so using anything “off the shelf” closed or open source you have to contend with 99% being for someone elses purposes and or designed for ease of use which will all cause some security issue.

If OP is paranoid or in some high states situation they need to either seriously vett all software or write their own. Build their own kernels and so on…you know stop living life because vetting takes forever even with a good environment for monitoring things and building/writing will just pile on the fact all you will ever do is run in place heh. Want the one EZ cheat to this? Set your computers on fire and go live in a cave.

With that last joke I’m not advocating to ignore the issues but look; you can’t trust any web browser anymore…NONE! Which is the defacto interface for at LEAST 90% networked machines. Unless you’re running headless machines for specific workloads we’re all screwed right off the bat because a Browser isn’t something you can willynilly/fix/change etc. There is a point where you make the decision to not use at all or you take the risk…If the day comes the risk isn’t acceptable anymore…well then you opt out and go make a new chair for your cave.

Plus KDE? REALLY? (this has to be a troll) Huge, Bloated, impossible for one person to sift through all the potential issues. Go back to stuff made before the mid 1990’s. Then you will have a chance.

Thanks for the shout out.

I dontnuse KDE, but am glad for the heads up that a clipboard app, may be not-ephemeral.

I use a passphrase manager, and often copy/paste passhprases.

If the clipboard is persistent, I hope it is at least encrypted, and requires a passphrase to open it (like, only opens with user session, so other users can’t look at each others secrets)

(Obviously ram is not encrypted by default… But still…)

I think you are underestimating the amount of sensitive material that passes through the clipboard, even for users who do not have password managers that use the clipboard.

If you are the kind of person who has no issue with or would intentionally enable Windows Recall, then I completely understand why Klipper seems trivial to you by comparison—but for the average user, learning that your clipboard is being logged is very unexpected and a betrayal of trust.

No one expects clipboards to be anything but ephemeral, in a default configuration. Installing addition extensions or software is a different thing, but Klipper is part of KDE Plasma by default, and the last time I used KDE there was no warning that it was on, even on first login.

This sounds exactly like comments in support of Recall or Rewind AI that I come across; as with Recall, I do not at all doubt that some find it very helpful, but it is not the expected behaviour for the vast majority of all types of users (from neophytes to “power” users).

The usage of shell command history is one of the first things you learn when using the terminal, even if accidentally, the first time you press the up arrow in a new window. Quickly referring to previous commands is nearly essential to use the command line efficiently, especially when a beginner. Clipboard managers are in no way as central to the GUI experience, nor are they usually part of the default install/config.

Average user expectations

I understand that Level1 is a particular subset of the population, but I am shocked by how normal many of you consider this to be. I cannot overstate how much this violates the expectations of the average user, who expects the clipboard to be very ephemeral.

The best analogy I can quickly imagine is suddenly learning that your house or apartment keeps pictures of you every time you walk through a doorway, or that a motion activated light is actually recording and storing a video every time it activates.

There is at least an option to not save contents on exit, so presumably only storing in RAM, but I have not been able to find information about the clipboard history sqlite database being encrypted.

Apparently some users rely on clipboard persistence so much that losing clipboard history during a system upgrades was a user-reported bug (helpfully this page also describes where the clipboard database is stored)

It is interesting to see the security workarounds KDE users discuss, like feature requests for having Klipper reference a blacklisted hashes file of passwords everything else that should not to be saved in history, or user-made shell scripts running in the background to continually clear Klipper’s history

For the curious, there is command to export clipboard history.

Totally agree. Everytime I open discord a KDE wallet prompt pops up. Also, I am now testing a gnome instance because my cyberpunk and inquisitor martyr on fedora 40 is crashy. My fedora 42 was updated and then crashed at start up, but fedora 42 for gaming is real nice. So will do further testing later on.

Kwallet is not the same as Klipper; is this popup you see an option to fill in discord’s password from, or save the password you just typed to kwallet, or something different altogether?

As I said…there is only black and white. You see pattern X about Y, so I must be black too. That’s just ignorance. These are totally different matters , a fallacy on top of it and probably also dishonest.

And Klipper is one of very few default icons in the sys tray you see when using KDE. It’s right in your face, not hidden by any means. That’s why I found out about it.

I’m in no position or have the authority to speak or speculate on behalf of “the average user”, but neither do you.

The world has gone crazy and I’m the only sane person left.

If you perceive this to be equivalent to Klipper, I can follow your argumentation. But to me this is a vast exaggeration for the sake of escalating the problem to more than it really is. It’s a clickbait argument.

Yes. Everything that is happening in Linux can be redirected to a file. Nothing new under the sun. Same goes for .bash_history and dozens/hundreds of other logs. If that is surprising to you, you must be new in computing.

Get a typewriter. 100% bug-free privacy.

My intent is not to accuse you of a heretical crime of liking something I do not, as you seem to imagine, I am simply saying that the benefits you attribute to having Klipper record your clipboard activity is very similar to the benefits I have seen others ascribe to Rewind AI or Windows Recall.

I do not resent Klipper’s functionality for existing, there are many other clipboard managers as well, but it seems very inappropriate to have it be a core part of KDE.

I really do not understand your perspective here, you seem to be specifically bristling at the idea that the average user does not expect this behaviour, when no other OS or DE does this to my knowledge.
You try to insult me as viewing everything as black or white, then simultaneously tell me I must either shut up and deal with it or GTFO and use a typewriter. What am I supposed to make of this?

My perspective is that an OS and a DE should allow users to organize their desktop and save preferences and log and save stuff. That’s what ~ and dotfiles are for. To save your settings, to read personal or system data if you need it again, because system behaves wierdly, you open a document you saved yesterday. You want to get back to the website you visited earlier but can’t remember the URL, access code snippets.

It’s your personal cache of stuff. And we need this. Because pressing is such much productivity. And so is auto-completion. This entire stuff is there first and foremost to help us.

It’s not some code uploading stuff to a public URL, Cloud or some company (which I would object to), these are dotfiles protected by access control, permissions, MAC (SELinux). Check your dotfiles…there is A LOT of stuff that is saved and kept there.
And KDE has the KDEWallet, which may seem annoying to some, but provides additional security and encryption for a lot of stuff you do on your desktop. The wallet alone sets KDE apart from many others in that regard.

Not everything that is logged is made or is ultimately used for malicious purposes. Klipper is not a conspiratorial plot by KDE developers to have an easy backdoor or to fish for user data or act recklessly on privacy. Putting them into the same corner as Microsoft or other corporate interests (that actually have a financial interest in doing malicious stuff) is just wrong.

You don’t have to deal with it. If you like KDE and want to voice your concern in the KDE development community, that’s ok. Or choose a different DE, Linux is what you make of it after all. With all the customization in KDE, having a built-in “annoyance” doesn’t feel good, I agree. But I chose KDE not because it’s perfect, but the DE with the least amount of compromises for the stuff I like. And while we disagree on Klipper, I probably hate other things in KDE where you don’t mind at all.

But you won’t get rid of your dotfiles that are littered with very personal information about you and your actions on that system. That is built into Linux like /etc.

Unless you run an immutable distro with default settings.
Basically your Live ISO. And there are some of them out there and an audience too. So falling back to a typewriter probably won’t be needed if you keep some OPsec during your sessions. Because even there, there are .dotfiles and logs.

To me, Klipper is just a GUI-extension of what .bash_history (and why I used that example) is for the terminal. It logs my actions (copy&paste in this case) in a dotfile so I can quickly get back to it if needed. I often use cached clipboard along with bash history for the same terminal command. And the QR-code generator is amazing and a great synergy, I love QR codes.

I’ve been a KDE guy most of my life…and I’m usually very happy with the development KDE is making. You can’t please everyone. And if you try, you make stuff worse for most of them. And that’s why having 20 different DE and WM are great to have.
In Linux, we always have a choice (and the right to check the code).

If out of the box a clipboard manager is saving your clipboard to a SQLite DB on disk that’s not great. If it’s a SQLite DB in memory, that’s better. I don’t use klippy so do not know what the default is.

I would like it if DEs informed / let users decide such things during a first login wizard.

In the case of klippy at one point it’s defaults captured any text you had selected! [klipper] Ignore selection by default (!940) · Merge requests · Plasma / Plasma Workspace · GitLab

An attacker doesn’t have to defeat FDE, and the circumstances don’t have to be that inconceivable for a clipboard manager saving information to be an issue. For instance typo squatting (pypi, npm) package names to get malicious code on desktops is increasingly popular. Once one has malicious code running, you may be subject to a relatively beign crypto mining process. But in the worser cases malware will vacuum up browser session tokens, ssh keys, shell history, anything small and that may have valuable data in it.

Clipboards definitely do have valuable data such as credential information, and we should expect them to make their way into popular things for malware to vacuum up.

Shell history provides a similar concern, users at my workplaces are conscious of its existence and will generally know better than to let secrets end up in their shell history.

Logs do also persist data, but as a general rule it’s metadata not user data, authors of applications should be very cautious of what they do log and the implications of it.

Clipboards on the other hand is all user data, and should be treated carefully.

To answer the original question I do some combination over the years of:

• Avoid large DEs
• Know roughly what each thing in pstree|ps --forest... is doing
• Check for unexpected network traffic with tcpdump and friends
• Flag reading of sensitive files with auditd rules
• Observe whats happening on my system with the likes of opensnoop, execsnoop, strace, lsof etc

This isn’t much work if you run a minimalist system with only a WM and a few apps you’ve picked. If you’re running KDE though, it might be a lot more work!

No I am not and klipper is still trivially secure compared to poorly thought out monstrosity of recall. They are not even in the same category of either functional scope and overall badness. Recall is persistent local surveillance database of user activity after all.

Klipper is just clipboard manager with limited history, situations where that is an is issue are small to nonexistent. Defaults are relatively sane, and stored input is always initiated by user.

Rolling buffer of what 5-10 entries is not really a problem, thats what gone after average hour of actual work?

If even that is and problem , lower history to 1 and disable persistence across reboot.

Problem solved.

I’ve read your PS and this is, frankly, a lost cause. You cannot feasibly make a system traceless where nobody else cares about it. You have been listed an example of recent folders in the file manager. What about file thumbnails? What if this ends up capturing media from a previously connected encrypted disk? The only reliable solution: full-disk encryption. Then aspects like Klipper history will be downgraded to minor tuning. Browsers: TLS fingerprints and service workers are stored somewhere in your profile too. about:serviceworkers in Firefox. It’s not just KDE.

I have reduced Klipper history significantly… and idk if I got used to my old ways so much, but I still don’t remember using it. I just go back to re-retrieve the content or rarely lose it to begin with. I keep mental track of what’s in my clipboard and where I was going with it.

On an architectural aspect of systems: X11 lives by outdated separation principles. Windows does too. Anything can pull and poll the clipboard, keystrokes. Wayland is an improvement because it restricts access a lot. And both software and users will need to get used to it. Will Windows ever manage to? I shall remain doubtful.

Smartphones did it, Apple kickstarted the PR hell and user awareness by showing up clipboard access in real time. Maybe we need such an app for Windows too to make it known and visible.