Canonical Addresses Ubuntu Linux Snap Store's 'Security Failure' (betanews.com)
Last week, an app on the Ubuntu Snap Store caused a stir when it was found to be riddled with a script programmed to mine cryptocurrency, a phenomenon whose traces have been found in several popular application stores in recent months. Canonical promptly pulled the app from the store, but offered little explanation at the time. On Tuesday, the Ubuntu maker addressed the matter in detail. From a report: The big question is whether or not this is really malware. Canonical also pondered this and says the following. "The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself. That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetize software published under licenses that allow it, unaware of the social or technical consequences," the company wrote in a blog post.
"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store.
Tell me, again, why app stores are supposed to be such a good thing.
Did you know that there is a urologist in Austin TX named Dick Chopp?!! Isn’t that cray cray?!!
"Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them." I say the problem is that anyone has to decide to trust anyone before running their code. The problem is that our OS doesn't allow us to limit what applications can do, it's solely focused on limiting what users can do. "Trust" is just a distraction from the real problem.
Now explain to me why Canonical wouldn't permanently ban the publisher for damaging Canonical's reputation and business?
Canonical (or other companies) should offer a service that does code reviews and certifies that a specific revision is malware free for a small amount of money.
Sure, if you're developing a free software, you probably do not have the money to do so, but you could always ask the community to fund the certification.
Or Canonical could set up a voting system where the most voted apps get certified periodically.
There are plenty of solutions to this problem.
Video of some good progressive thrash music
Because they’re being given a chance to reform? Banning them would likely just lead to them submitting the same apps under a different name just like on the Google Play store.
Appbuntu should switch to appy APPS instead of not-as-appy snaps! More apps makes everything appier!
Apps!
I believe this attitude of Canonical to be highly problematic. The tight integration of Snap packages from their "store" into how software is managed on newer Ubuntu systems gives users the impression that the software that can be installed in this way has at least been curated to some extent by Canonical. I don't think an inexperienced user will be able to easily understand the difference between a Snap package and a standard APT/dpkg package that is part of the underlying distribution. And because the software is not actually curated at all, this creates a false sense of security. Apple and Google are also not great here, but given the volume of apps on Android and iOS they've at least thrown some resources at the problem instead of burying their head in the sand like Canonical is doing.
This is not the first place where Canonical has been horrible in this regard, if you look at how PPAs have been handled in the past. Get a launchpad account and you can upload anything you want - and a single call to "apt-add-repository" will enable that PPA on a local system - without any real indication to the user what the consequences of adding an APT repository actually are. In that sense Snap packages are actually an improvement here, because at least those don't get auto-root on your system.
That said: at least Canonical is doing other stuff right here - if I look at how people do development / DevOps nowadays, I'm actually quite impressed that not many more people have been owned already. "Oh, let me base my Docker container on some random image I found, which in turn is based on some other image, which in turn is based on yet another image, etc. because 10 random anonymous strangers would never introduce malware at some point in that chain.", "Build systems that auto-download stuff from the web without doing signature checks - what could possibly go wrong?"
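The "due diligence" the summary leaves to the user can be made concrete. The script below is an added example, not code from the article, from Canonical or from any commenter: it inspects an unpacked snap before installation, reporting the declared confinement, any apps that run as background daemons (the shape a hidden miner takes), and files carrying common mining-pool or miner strings. The snap name `example-game`, the `sysupdater` daemon, the `snap.yaml` and the launcher scripts are all constructed for illustration; the real `snap download` / `unsquashfs` steps are shown as comments because they need the network.

```shell
#!/bin/sh
# Added example, not code from the article, from Canonical or from any commenter:
# inspect a downloaded .snap before installing it. The snap name, the snap.yaml
# and the script contents below are constructed for illustration.
#
# Real workflow (needs network plus snapd and squashfs-tools; not run here):
#   snap download example-game            # fetches .snap and .assert, installs nothing
#   unsquashfs -d work example-game_*.snap
#   inspect_snap_tree work
set -eu
trap 'rm -rf "${WORK:-}"' EXIT

# Declared confinement from meta/snap.yaml; snapd treats a missing key as strict.
snap_confinement() {
    awk '/^confinement:/ { print $2; found = 1 } END { if (!found) print "strict" }' \
        "$1/meta/snap.yaml"
}

# Apps declared with a "daemon:" key run unattended in the background, which is
# exactly what a hidden miner wants. Prints one app name per line.
snap_daemon_apps() {
    awk '
        /^apps:/                 { inapps = 1; next }
        inapps && /^[^ ]/        { inapps = 0 }
        inapps && /^  [^ ]/      { app = $1; sub(/:$/, "", app) }
        inapps && /^    daemon:/ { print app }
    ' "$1/meta/snap.yaml"
}

# Files anywhere in the unpacked tree that carry common mining-pool or miner
# strings. A hit is a reason to read the file, not proof by itself.
scan_miner_indicators() {
    grep -rIlE 'stratum\+tcp://|xmrig|minerd|cpuminer|cryptonight' "$1" 2>/dev/null || true
}

inspect_snap_tree() {
    echo "confinement: $(snap_confinement "$1")"
    echo "daemon apps: $(snap_daemon_apps "$1" | tr '\n' ' ')"
    echo "miner indicators in:"
    scan_miner_indicators "$1" | sed 's/^/  /'
}

# Constructed stand-in for an unpacked snap: a game plus a "sysupdater" daemon
# whose launcher points at a mining pool. It mirrors the shape of the reported
# incident without reproducing any real package.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/meta" "$d/bin"
    cat > "$d/meta/snap.yaml" <<'EOF'
name: example-game
version: '1.0'
summary: constructed sample, not a real store package
confinement: strict
apps:
  example-game:
    command: bin/game
    plugs: [x11, network]
  sysupdater:
    command: bin/sysupdater
    daemon: simple
    plugs: [network]
EOF
    printf '#!/bin/sh\nexec ./game-bin "$@"\n' > "$d/bin/game"
    printf '#!/bin/sh\nexec ./minerd -o stratum+tcp://pool.invalid:3333 -u wallet.worker\n' \
        > "$d/bin/sysupdater"
    echo "$d"
}

WORK=$(make_sample_tree)
inspect_snap_tree "$WORK"
```

The three checks are deliberately independent: a strictly confined snap with no daemons and no indicator hits is not proven clean, but a `daemon:` entry whose launcher names a pool URL is the pattern worth reading before `snap install` ever runs. Point `inspect_snap_tree` at the directory `unsquashfs` produced to use it on a real package.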
Because they’re being given a chance to reform? Banning them would likely just lead to them submitting the same apps under a different name just like on the Google Play store.
Yeah... Because they will totally reform. We promise. No more tricks. Honest.
My likelihood to purchase a Snap is much reduced now that I know there is no quality control. And if they allow this asshole back in the store, it will be near zero.
Of course the publisher was doing something wrong; you are effectively stealing someone's electricity to mine crypto for your benefit. For me this is plain theft and I would be surprised if a court would not come to the same conclusion. Actually I'll rephrase: it's more like a trojan horse that is pushed to the victim without their knowledge, which then steals electricity and processing power on behalf of the author.
On the scale of computer malware wrongs, mining crypto-currency has to be one of the lesser evils. Get serious. It's annoying?: yes. It should be stopped?: yes.
Things that cause you to lose your data and/or your computer have to be the worse.
Then things that leave your computer open to remote control, to do whatever (botnets, etc.) -- those have got to be next. Related to this area are those who maintain remote control via "forced" updates and forced online connections -- they can constantly degrade or disable old software -- they can force you to buy new software to maintain features -- all through the legitimacy of an app store.
Maybe next lower would be things that are constantly mining your private info to monetize all your info and make your behaviors accessible to anyone.
But things that drain off computer-cpu resources -- MS has been doing that for years and profiting way more than crypto-miners. It really depends on how much cpu resources they are hogging, but they can usually be stopped -- unless they control your OS...
There's also a GYN in Houston named Pinky
But this is a legitimate possibility for people to fund apps and news articles and such that they publish, separate from the tried and true "sell all the data you can get out of the user" or the mostly failed "advertising" models. I'd like to see cryptocurrency miners like this more widespread in free-to-use stuff (websites especially), but things which stress the end user's hardware aren't the way to go because they inherently add a cost to using anything (plus who wants their computer to be bogged down because they forgot to close a news article). A cryptocurrency where proof of work is based on active network connections might be a wiser move; pings and pongs are cheap.
Things that cause you to lose your data and/or your computer have to be the worse.
And when your CPU or GPU overheats and shits out because it's being stressed beyond the limits of the cooling system you cheaped out on because you were only putting together a Facebook machine and didn't need it to be able to handle heavy loads? You don't think that qualifies?
I think it does.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
If it is true that Canonical cannot, and will not, review the packages in the store, then the service they provide is no better (and probably worse) than a google search. Where's the value here?
Netplan.io is a crap show that doesn't work! It's the systemd of networking and systemd networking isn't having any of it.
Linux is doomed.
>Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store.
Ahaha! Reeeeeal quality OS you gais got there. Can't wait for next week's revelations of NSA spyware in the network apps.
Yeah well I found MULTIPLE people named Cooper, Pooper S. years back when I picked up a phone book to move it from my doorstep to my recycling bin.
Telemetry data on their users.
They're moving into the Extinguish phase now...
My understanding is that there was one app with one script containing the problematic issue.
While the whole repo thing seems to be another in a long line of Canonical great ideas, this one instance doesn't seem to fit "riddled with".
Example usage: Canonical is riddled with unqualified people making unjustified promises and changes to things they don't really seem to understand in the first place. Similar to Mars One or SystemD.
https://en.oxforddictionaries....
brandelf -t FreeBSD
This will only happen if you overclock. Plus, if you read the code in the snap, it's limited to 1 or 2 threads, which on modern CPUs won't be more than a small handful of watts. Pennies a day, worst case. Modern CPUs, on stock heatsinks, with no overclock, have zero risk of crapping out due to heat. They'll thermal throttle *long* before then. Usually at 90 or 100°C. I run server CPUs pegged out at 100°C and let the thermal management do its thing and they're fine for the life of the CPU warranty. As designed, and intended, by the TDP and silicon specs. Stop overblowing this.
Because CPU defects never happen. Certainly, no marginal CPU has ever been shipped, that was fine under moderate load but shit the bed when pushed to the point that it might thermal throttle. No, you're right, that's unheard of.
Your likelihood of downloading a snap was 0 anyway. Fuck out of here with that can't trust them shit.
Meanwhile...
You are probably on WindowZ 10 with the new creatorZ update, except your sound doesn't work today because you haven't updated the driver that is already updated that Microsoft decided wasn't the right one.
That's progress.
Citation needed. How often does that happen? And if it does happen, isn't that something you could get replaced for free? Considering it is a bug in the hardware.
But that would be disregarding all of the other missteps they've taken over the years that leave their wider community high and dry. Don't get me wrong, I really like how Ubuntu has brought many people to Linux that may otherwise not have tried it..but the way Canonical runs things, IMHO of course, seems to ostracize their devs and users whenever they decide to go for the next new shiny thing.
It is pitch black. You are likely to be eaten by a grue.
Canonical doesn't have resources even to properly QA Ubuntu alone and make it 100% stable and working.
Ok, so they're worse. That doesn't even remotely imply it's not malware, though.
It was hidden and it was intended to work against the machine's owner's interests.
Incompetence is distinct from harmful intent.
Yeah, and lightning strikes and earthquakes happen. If something is just *running* on your CPU and that causes it to overheat, you have a lot more problems than crypto-mining. You really need a new computer.
Idle CPU, like 'free memory' is a waste of your computer. Used to be people would go donate cpu to things like distributed computing projects (https://en.wikipedia.org/wiki/List_of_distributed_computing_projects) like SETI (https://setiathome.berkeley.edu/) and run spare cycles 24/7. Computers that overheat when used are faulty (maybe dirty/dusty), but need maintenance or something fixed.
Idle CPU, like 'free memory' is a waste of your computer.
And processing things like SETI@Home and Folding@Home on a general purpose CPU when there are much more efficient dedicated chips for those purposes is a waste of electricity. Hell, in the summer, it's even worse in warmer climates, as the extra heat means the air conditioning will run longer, wasting even more electricity. See, it's not so cut and dry when you consider other factors.
Computers that overheat when used are faulty (maybe dirty/dusty), but need maintenance or something fixed.
That doesn't mean they aren't out there. Trust me when I say plenty of them are out there.
Because they determined it wasn't explicitly against policy and are working on a policy to make sure it doesn't happen again.
Sounds like a touch of small print is being added.
I don't like it, because the money spent on electricity far outweighs what the developer is going to get, and therefore it's a terrible way to monetize anything, but I'm sure there are people that prefer it to ads.
Computers crap out just outside of warranty all the time! It's especially prevalent with laptops and no, you can't get it replaced for free if it happens outside of warranty. Even in warranty, good luck fighting with the OEM.
This is why we have a strict no Canonical/Ubuntu policy. Anything they come out with is nothing but a problem.
Things that cause you to lose your data and/or your computer have to be the worse.
And when your CPU or GPU overheats and shits out because it's being stressed beyond the limits of the cooling system you cheaped out on because you were only putting together a Facebook machine and didn't need it to be able to handle heavy loads? You don't think that qualifies?
Yes ok in the very rare circumstance that you happen to be running one of these bits of software on a system that you designed for using facebook that has a cpu defect that causes it to fail when it hits the point of thermal throttling you would probably consider this a qualification for something worse than a script that is annoying and should be stopped and if, for you, that means it falls into the category of malicious software that deletes your data then ok. In that circumstance, ok.
A store is a place where you can go to buy goods, and the rules are that the goods are clearly marked and suitable to purpose. Most bricks-and-mortar offer refunds for unsatisfactory goods or unhappy customers.
The other online stores have taken this to heart. Apple has the strongest vetting process AFAIK, but even Android has decided that their store and offerings had better have at least basic security scanning in place.
If Canonical tries to create a "store" that does not offer some guarantees, do they really have a store? Or is it more like some public closet, or a weird online garage sale? What is the value proposition here? "Take what you want but if something goes wrong, don't call us, we'll call you (and we never call)."
"Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them." What kind of nonsense is this? Every single user of one of their apps is supposed to "investigate" the developer of an app? If investigating the developer would succeed in preventing my downloading an app, then why doesn't Ubuntu do it?
Don't get me wrong, I don't really believe investigating developers would help. How am I supposed to do this, hire a private eye? But the notion that every user should do it is just ludicrous.
Don't look below this line.
==================
I *told* you not to do that!
Because it was Mark Shuttleworth's nephew who did it.
Okay I have nothing to back that up, but imagine if it was.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
I am sure. But if you have a limping computer that can't handle a cpu-load, there are steps you can take, like:
1) cleaning it
2) not overclocking
3) for multi-core, limit # cores in use using affinity
4) don't use hyperthreading
5) limit the CPU clock -- most processors in the past 10 years have variable clock rates, spinning down when idle or to conserve power, ramping up under load. On Windows you can set the min and the max processor state (might need a patch on some OSes, as MS enabled and later hid the controls; a reg-patch from bitsum.com can re-enable it). But my CPU normally idles at about 36% of max clock rate. If I set the max processor state to 36% or lower, it will never go up from 1.18GHz to its max speed of 3.2GHz. That will save power and result in lower CPU temps: Using https://www.cpuid.com/download...,
Idle: 44C + power ~52W.
Normal w/100% load on all cores: 72C & 122W
with cpu perf limited to 36%: 52C & 62W
---
On linux (more pertinent to article), you can use:
https://git.kernel.org/cgit/li...
(cpupower) to set max frequencies to do the same thing.
There ya go: now you have no one to blame other than yourself for cpu overheating. :-)
Enjoy? Or more unsolvable problems?
It doesn't fit the definition of "malware". It was not evil intent. Under normal circumstances:
doesn't cause loss of data
doesn't cause harm to hardware
doesn't deny service or crash your system
doesn't steal your credentials, your money or your life.
It's only slightly worse than crapware and adware that get installed on new computers or with various free SW installs (like from Adobe, et al). Or Windows 10, which when it first came out saturated some user's network connections with MS's data-monitoring.
Now if you want to call MS-Win10 and Adobe-SW "malware", well, under that level of threat -- then mining SW is probably malware too. But given the other threats/attacks on your cpu/computer from supposedly legitimate sources -- something that uses background cpu is no worse than SETI @ home -- just that it went on behind your back -- like so many things that go on in the world. Only later might things come out about how various companies are misusing your data -- but just because you don't know about it doesn't mean it isn't happening -- and it's not illegal or "malware enough" that any of the abusers are going to jail (or even paying a token fine).
You want malware? How about DRM fails and SW updates that disable your old SW -- when you try to get support for fixing it, you are told your old SW is no longer supported (like Adobe CS5 products). They won't even give you a replacement license -- no support. Something that can take $100's a month in subscription fees to replace, or SW that downloads "replacement" software and tries to trick you into replacing your older, more functional SW....(MSWin10)....? But those things -- the companies paid for the laws to allow them to do it.
The bit-miners just haven't become big enough business to buy their laws yet. :-(
I never said I had a problem. That's a great write up, though, for the kind of people who pay Geek Squad and the like way too much money, if you can think of a place you can post it where someone with so little tech savvy might actually read it.
Otherwise, I'm sorry to say you wasted your time; even if I did have a PC that was just limping along, I wouldn't get hit with something like this in the first place, so it really wouldn't matter. Please, though, try not to hurt yourself too badly when you fall off that high horse.
If we're being honest, malware that deletes my data would be the best case, as I'd just restore from a recent backup and be on my merry way, with maybe 5 hours of downtime. Something co-opting my CPU to mine cryptocurrency, though, well... that has a real cost, not only in additional electricity used for the mining activity, but also additional electricity used to cool the room that is now getting hotter as a result of that activity. Now that has a real impact on me, and I'm sure I'm not the only one.
In fact, it's probably costing the victims more than the assholes who profit from it are making; all parties involved would literally be better off if we were talking about armed robbery, literally stealing cash from wallets and cash registers. Law enforcement and incarceration costs notwithstanding, that's a zero-sum game, while this type of malware is a pure drain on society, much like when someone smashes a car window to steal a $200 stereo they're only gonna be able to get $20 for. Now someone has to pay hundreds to cover someone else's $20 gain -- and that's the case with this type of malware, where the cost to the victim is several times the amount gained by the criminal.
"One of the most challenging aspects of running a modern software repository is just making sure that the published software is indeed only doing what it’s supposed to. In the classic Ubuntu repositories, we have the great privilege to work only with software built on trusted infrastructure, from source. That has obvious advantages but also requires a very long time for new bits to show up for millions of users."
Whoever wants to give up a trusted environment for less security? If you know what you are doing you can already do this (without the need for snaps), but otherwise it is just a bad idea.
On a long enough timeline, the survival rate for everyone drops to zero.
They are a last resort for testing bleeding edge software, or a shim to get something more current on an outdated install, otherwise wait for it to hit your repository where each component is at least vetted by a group of maintainers and signed.
Twinstiq, game news
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
I'm sorry, but that just won't cut it. Google proved beyond a shadow of a doubt that if an app store isn't carefully curated, bad actors WILL infest it as much as they can get away with.
If Canonical is worried about their reputation after this incident, they need to understand that this incident will be nothing compared to when they discover that there are hundreds of sketchy applications filled with genuine malware.
By comparison, Apple (ignoring their control-freakery for the moment) understands that developers cannot be blindly trusted. The result is that their platform hasn't seen remotely the issues that Android has.
Canonical needs to learn this lesson as well before their snap store goes to shit before it's even started.
Because they like to act ethically, based on principles, and so they don't want to simply ban someone on the basis you are talking about ("damaging one's reputation"), a reason which could be used for arbitrary decisions -- and make Canonical look like Facebook or Twitter.