Perl spies on a sniffer
Secret Agent

Many Ubuntu users are blissfully unaware that the Zeitgeist daemon is shoulder surfing them and logging their desktop actions. Several Perl scripts can help sanitize the sniffer report and reveal interesting facts about a user's habits.
Precisely how does the Nautilus browser know which files an Ubuntu user edited recently to be able to display them in the Recent column? Figure 1, for example, lists two screenshots that I recently viewed with the Eye of Gnome (eog
) photo viewer.

Nautilus and Eye of Gnome are two totally different applications that do not exchange any data, but an unofficial helper named zeitgeist
runs in the Ubuntu desktop's background, greedily absorbing information about what's going on with the numerous applications running on the desktop. If you are interested, you can type
ps aux | grep zeitgeist
to see the daemon running with your user ID in the process list. Gnome applications connect to the Zeitgeist daemon on D-Bus, and the daemon inquisitively logs any relevant transactions in its database, while providing this information in turn to other applications interested in it – for example, the Nautilus browser.
To store the desktop events, Zeitgeist uses a SQLite database, which other utilities or even a hand-crafted Perl sniffer can also read and evaluate. If you want to watch the daemon snapping up events that roll in from the desktop, you can type
zeitgeist-daemon -r --log-level=DEBUG
to launch the daemon in debug mode. The -r
option actually stops the daemon running in the background and replaces it with one running in the foreground.
The Future Is Uncertain
Having said this, the Zeitgeist project on Launchpad [1] seems to have been dormant since 2013. Today, searches return critical comments from users concerned about data protection, who are frantically trying to kill off the daemon without crippling their Ubuntu desktop at the same time. Although the project might not have a rosy future, however, it is still worthwhile peeking behind the curtains to perform a critical analysis of the collected data.
Respecting Private Matters
Because logging actions on the desktop without so much as a by-your-leave can infringe on users' privacy, the Unity desktop lets users restrict Zeitgeist's collecting mania and even discard all the data collected thus far. In System Settings below the Security & Privacy entry, users can tame the daemon by disabling a number of checkboxes. Zeitgeist is then given a blacklist and ignores any events that come in from blocked applications.
Figure 2 shows that Zeitgeist can also be talked into avoiding logging actions that relate to music, movies, photos, chat logs, or documents. You can even press Clear Data to tell the daemon to delete permanently any data it has collected thus far. To see what exactly the Zeitgeist daemon collects, you can use the graphical zeitgeist-explorer
from the package of the same name (Figure 3).


On a newly installed Ubuntu, Zeitgeist will log anything it can get its hands on. However, not all applications are as verbose as Eye of Gnome. For example, if you want Zeitgeist to record any tracks that you play with Rhythmbox, you actually need to install the rhythmbox-plugin-zeitgeist Ubuntu package. For Chrome or Firefox, other plugins are available for users who want to track their own web activities.
Perl Investigates
The Perl scripts introduced in the following sections rummage through the data collection. For example, to discover which new photos the user last viewed, Listing 1 [2] reads the uri
table in the SQLite activity.sqlite
database below .local/share/zeitgeist
in your home directory. The SQL SELECT * from uri
query simply lists all the rows of data from the uri
table in which Zeitgeist assigns index numbers to newly discovered paths or URLs.
Listing 1
urls-recent
The CPAN DBD::SQLite module used in the listings for querying SQLite contains not just the Perl wrapper but also the C code for the SQLite project itself. After installing the sqlite3 Ubuntu package, you can type
sqlite3 activity.sqlite .schema
in the Zeitgeist database's directory to see which tables exist in the database. Later, you can look into the table contents with interactively submitted SQL commands.
Listing 1 uses the DBI module's prepare()
method, with the loaded SQLite driver to prepare the SQL command, and then runs execute()
against the statement handle that is returned to transfer this to the SQLite engine. As is typical in DBI, repeating the call to fetchrow_array()
snaps up the rows of results returned by the database engine. Each of these rows contains (in the case of the uri
table) two column values – id
and value
– which the script assigns to two Perl variables of the same name.
Figure 4 shows that Listing 1 not only returns paths to images but also strange-sounding URLs, like application://firefox.desktop, which are indicative of events in which the user called specific applications (e.g., the Firefox browser).

Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
KDE Plasma 5.27 Beta is Ready for Testing
The latest beta iteration of the KDE Plasma desktop is now available and includes some important additions and fixes.
-
Netrunner OS 23 Is Now Available
The latest version of this Linux distribution is now based on Debian Bullseye and is ready for installation and finally hits the KDE 5.20 branch of the desktop.
-
New Linux Distribution Built for Gamers
With a Gnome desktop that offers different layouts and a custom kernel, PikaOS is a great option for gamers of all types.
-
System76 Beefs Up Popular Pangolin Laptop
The darling of open-source-powered laptops and desktops will soon drop a new AMD Ryzen 7-powered version of their popular Pangolin laptop.
-
Nobara Project Is a Modified Version of Fedora with User-Friendly Fixes
If you're looking for a version of Fedora that includes third-party and proprietary packages, look no further than the Nobara Project.
-
Gnome 44 Now Has a Release Date
Gnome 44 will be officially released on March 22, 2023.
-
Nitrux 2.6 Available with Kernel 6.1 and a Major Change
The developers of Nitrux have officially released version 2.6 of their Linux distribution with plenty of new features to excite users.
-
Vanilla OS Initial Release Is Now Available
A stock GNOME experience with on-demand immutability finally sees its first production release.
-
Critical Linux Vulnerability Found to Impact SMB Servers
A Linux vulnerability with a CVSS score of 10 has been found to affect SMB servers and can lead to remote code execution.
-
Linux Mint 21.1 Now Available with Plenty of Look and Feel Changes
Vera has arrived and although it is still using kernel 5.15, there are plenty of improvements sure to please everyone.