Canonical Addresses Ubuntu Linux Snap Store's 'Security Failure' (betanews.com)
Last week, an app on the Ubuntu Snap Store caused a stir when it was found to be riddled with a script that is programmed to mine cryptocurrency, a phenomenon whose traces have been found in several popular application stores in recent months. Canonical promptly pulled the app from the store, but offered little explanation at the time. On Tuesday, the Ubuntu maker addressed the matter in detail. From a report: The big question is whether or not this is really malware. Canonical also pondered this and says the following. "The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself. That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetize software published under licenses that allow it, unaware of the social or technical consequences," the company wrote in a blog post.
"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
Now explain to me why Canonical wouldn't permanently ban the publisher for damaging Canonical's reputation and business?
Snaps are sandboxed precisely to limit what an application can do, and have to be whitelisted by the user to access any protected features.
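As an added example (not code from this thread, from Canonical or from snapd itself), here is a small audit of what a snap is actually allowed to reach, built on the column layout that `snap connections <name>` prints (Interface, Plug, Slot, Notes; an unconnected plug shows `-` in the Slot column). The sample output and the list of interfaces treated as sensitive are my own construction, not snapd's classification:

```shell
#!/bin/sh
# Added example: audit which snapd interfaces a snap has connected.
# "snap connections <name>" prints one line per interface:
#   Interface  Plug  Slot  Notes
# SENSITIVE is this example's own list of interfaces that reach into the host.
SENSITIVE="home removable-media network network-bind system-observe process-control mount-observe"

# Read "snap connections" style lines on stdin; print the connected
# interfaces that are on the SENSITIVE list, one per line.
flag_sensitive_connections() {
    awk -v list="$SENSITIVE" '
        BEGIN { n = split(list, arr, " "); for (i = 1; i <= n; i++) want[arr[i]] = 1 }
        NR == 1 && $1 == "Interface" { next }   # header line
        $3 == "-" { next }                       # plug exists but is not connected
        ($1 in want) { print $1 }
    '
}

# Constructed sample of what "snap connections someapp" could print; not real output.
SAMPLE='Interface          Plug                         Slot              Notes
desktop            someapp:desktop              :desktop          -
home               someapp:home                 :home             -
network            someapp:network              :network          -
removable-media    someapp:removable-media      -                 -
system-observe     someapp:system-observe       :system-observe   manual'

# Run the audit over the sample and join the hits on one line.
audit_sample() {
    printf '%s\n' "$SAMPLE" | flag_sensitive_connections | tr '\n' ' ' | sed 's/ $//'
}

# Live use on a real system: snap connections someapp | flag_sensitive_connections
audit_sample    # prints: home network system-observe
```

The point of the check is the last line of the sample: an interface that was connected manually, or auto-connected because the store granted it, is a capability the sandbox no longer restricts, so "it's sandboxed" only means as much as the set of connected interfaces.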
Canonical (or other companies) should offer a service that does code reviews and certifies that a specific revision is malware free for a small amount of money.
Sure, if you're developing free software, you probably do not have the money to do so, but you could always ask the community to fund the certification.
Or Canonical could set up a voting system where the most voted apps get certified periodically.
There are plenty of solutions to this problem.
Dependency Hell.
Doing a make configure && make && make install (or whatever version you prefer) will often fail after a long time, realizing that one stupid library is missing.
With RPM you can get the problem of recursive dependencies, where Package A needs Package B, which needs Package C, which needs Package A, and it is up to you to know which one to force.
Static binaries can get big, and also make doing a security patch nearly impossible.
Install scripts are often not well configured for your distribution.
App repositories, where the apps are configured and load in all the dependencies in the right order, as well as performing all the necessary distribution-specific configuration, have greatly simplified the process.
Although this particular occurrence had some bad code, when it was spotted and removed it was fixed, versus downloading it from the source, where the bad code was there to stay.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Appbuntu should switch to appy APPS instead of not-as-appy snaps! More apps makes everything appier!
Apps!
I believe this attitude of Canonical to be highly problematic. The tight integration of Snap packages from their "store" into how software is managed on newer Ubuntu systems gives users the impression that the software that can be installed in this way has at least been curated to some extent by Canonical. I don't think an inexperienced user will be able to easily understand the difference between a Snap package and a standard APT/dpkg package that is part of the underlying distribution. And because the software is not actually curated at all, this creates a false sense of security. Apple and Google are also not great here, but given the volume of apps on Android and iOS they've at least thrown some resources at the problem instead of burying their heads in the sand like Canonical is doing.
This is not the first place where Canonical has been horrible in this regard, if you look at how PPAs have been handled in the past. Get a launchpad account and you can upload anything you want - and a single call to "apt-add-repository" will enable that PPA on a local system - without any real indication to the user what the consequences of adding an APT repository actually are. In that sense Snap packages are actually an improvement here, because at least those don't get auto-root on your system.
That said: at least Canonical is doing other stuff right here - if I look at how people do development / DevOps nowadays, I'm actually quite impressed that not many more people have been owned already. "Oh, let me base my Docker container on some random image I found, which in turn is based on some other image, which in turn is based on yet another image, etc. because 10 random anonymous strangers would never introduce malware at some point in that chain.", "Build systems that auto-download stuff from the web without doing signature checks - what could possibly go wrong?"
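Two of the checks the comment above is implicitly asking for, as an added example (not code from this thread, from Canonical or from apt): first, pinning a Launchpad PPA so that apt will only ever take the named packages from it, which takes the "auto-root for everything in the repo" out of `apt-add-repository`; second, failing closed when a fetched artifact's SHA-256 does not match a digest obtained out of band. The owner, PPA and package names are placeholders; the pinning relies on Launchpad PPAs carrying the apt origin `LP-PPA-<owner>-<ppa>`:

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: someowner, someppa, sometool.

# write_ppa_pin OUTFILE OWNER PPA PKG... : everything from the PPA's origin gets
# priority 1 (never chosen automatically); only the listed packages get the
# normal 500. Drop the result into /etc/apt/preferences.d/.
write_ppa_pin() {
    out="$1"; owner="$2"; ppa="$3"; shift 3
    origin="LP-PPA-${owner}-${ppa}"
    {
        printf 'Package: *\nPin: release o=%s\nPin-Priority: 1\n\n' "$origin"
        for pkg in "$@"; do
            printf 'Package: %s\nPin: release o=%s\nPin-Priority: 500\n\n' "$pkg" "$origin"
        done
    } > "$out"
}

# verify_sha256 FILE EXPECTED_HEX : exit 0 only on an exact digest match;
# any failure to compute a digest counts as a mismatch.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | awk '{print $1}') || return 1
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Demo on constructed data: a temp dir and a file whose digest is known.
demo() {
    tmp=$(mktemp -d)
    write_ppa_pin "$tmp/someowner-someppa.pref" someowner someppa sometool
    cat "$tmp/someowner-someppa.pref"   # what would land in /etc/apt/preferences.d/

    printf 'hello\n' > "$tmp/artifact"   # sha256("hello\n") is the known value below
    known=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    if verify_sha256 "$tmp/artifact" "$known"; then
        echo "artifact digest OK, safe to use"
    fi
    if ! verify_sha256 "$tmp/artifact" "0000000000000000000000000000000000000000000000000000000000000000"; then
        echo "digest mismatch, refusing to use artifact"
    fi
    rm -rf "$tmp"
}
demo
```

After installing the preferences file, `apt-cache policy <package>` shows the PPA at priority 1 for anything you did not list, so a later upload of, say, a replacement libc to that PPA is never selected. The digest check is the minimum a build script should do before executing anything it downloaded; a signature check against a key you already trust is the better version of the same idea.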
Do these sandboxes allow the user to see how much CPU is being used and what the application is doing on the network? If so then I don't see what the problem was here. I assume the user could see how much CPU and network the app was using, and decide from there whether they liked the app or whether they wanted to find a more efficient one. Does it really matter whether the app was using the CPU to mine bitcoin vs. just being written really inefficiently and wasting CPU time and network resources on nothing of value? Either way it's just a shitty app.
Perhaps software should be up-front about this, but assuming a good sandbox, this wasn't a "security failure" at all.
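The comment above assumes the user can see what a sandboxed app is consuming, and on Ubuntu that is true: confinement limits what a snap can touch, not what the host's process accounting records about it. As an added example (not code from this thread or from snapd), here is a filter over `ps -eo pid,pcpu,etimes,args` output that flags long-running snap processes burning CPU, keyed on the `/snap/<name>/<rev>/` path every snap app runs from. The ps lines are constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the thread. Input is the output of
#   ps -eo pid,pcpu,etimes,args
# i.e. columns: PID %CPU ELAPSED-SECONDS COMMAND [ARGS...]

# flag_snap_cpu_hogs THRESHOLD MINSECS : read ps lines on stdin, print
# "pid pcpu snapname" for snap processes above THRESHOLD %CPU that have been
# alive longer than MINSECS (a burst at startup is not a miner; an hour at 97% is).
flag_snap_cpu_hogs() {
    threshold="${1:-50}"; minsecs="${2:-600}"
    awk -v th="$threshold" -v ms="$minsecs" '
        NR == 1 && $1 == "PID" { next }                  # header
        $4 ~ /^\/snap\// && $2 + 0 > th + 0 && $3 + 0 > ms + 0 {
            n = split($4, p, "/")                        # /snap/<name>/<rev>/...
            print $1, $2, p[3]
        }
    '
}

# Constructed sample ps output; PIDs, names and numbers are made up.
SAMPLE='  PID %CPU ELAPSED COMMAND
 1203  0.5   84213 /usr/lib/xorg/Xorg
 4410 97.3    5123 /snap/someapp/12/usr/bin/someapp --background
 4411  3.1    5123 /snap/someapp/12/usr/bin/helper
 5120 88.0      45 /snap/otherapp/3/bin/otherapp'

demo_hogs() {
    printf '%s\n' "$SAMPLE" | flag_snap_cpu_hogs 50 600
}

# Live use: ps -eo pid,pcpu,etimes,args | flag_snap_cpu_hogs 50 600
demo_hogs    # prints: 4410 97.3 someapp
```

The flagged PID is then what you look up in `ss -tnp` to see which remote endpoints it holds connections to; a pool connection that stays open for the life of the process is the other half of the picture the commenter is describing. Note that `otherapp` is not flagged despite 88% CPU: at 45 seconds of uptime it could just be loading.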
Of course the publisher was doing something wrong; you are effectively stealing someone's electricity to mine crypto for your benefit. For me this is plain theft, and I would be surprised if a court would not come to the same conclusion. Actually, I'll rephrase: it's more like a trojan horse that is pushed to the victim without their knowledge, which then steals electricity and processing power on behalf of the author.
Because doing a full code review of all the code I need to use on a daily basis would take up all the time that I would need the code for.
Civilization is based on a degree of trust; its advancement is due to people doing what they are good at, and someone else doing something else that matches what they are good at.
I doubt anyone is using a computer that they started by finding a stick, a large rock and some grass, weaving the grass into a rope, and using the stick, rope and rock to fashion a hammer, which they could use to mine all the minerals needed to make a computer, plus to make all the other tools needed to build it... doing all the work of mining, smelting and forming, until they could make themselves a computer from scratch. Then they would have to write code for it, starting with some method to set the original bits for some type of text entry, then typing in binary code to get to the point where they had an assembler, with which they could efficiently make a text editor to make the OS......
We take shortcuts. If we say we built our own PC, we got parts that were already built and we trust that these parts will do what they say they do. Will that MOSFET transistor actually work as a transistor, or did the vendor sneak a tiny microchip and radio into its casing to record and broadcast the bits over WiFi to some outside place? Trust is needed because it is impossible for us to validate everything.
There are bad actors, and there are people whose job is to validate things, but we will need to trust their assessment of the validation.
On the scale of computer malware wrongs, mining cryptocurrency has to be one of the lesser evils. Get serious. Is it annoying? Yes. Should it be stopped? Yes.
Things that cause you to lose your data and/or your computer have to be the worst.
Then things that leave your computer open to remote control, to do whatever (botnets, etc.) -- those have got to be next. Related to this area are those who maintain remote control via "forced" updates and forced online connections -- they can constantly degrade or disable old software -- they can force you to buy new software to maintain features -- all through the legitimacy of an app store.
Maybe next lower would be things that are constantly mining your private info to monetize all your info and make your behaviors accessible to anyone.
But things that drain off computer-cpu resources -- MS has been doing that for years and profiting way more than crypto-miners. It really depends on how much cpu resources they are hogging, but they can usually be stopped -- unless they control your OS...
But this is a legitimate possibility for people to fund apps and news articles and such that they publish - separate from the tried and true "sell all the data you can get out of the user" or the mostly failed "advertising" models. I'd like to see cryptocurrency miners like this more widespread in free-to-use stuff (websites especially), but things which stress the end user's hardware aren't the way to go because they inherently add a cost to using anything (plus who wants their computer to be bogged down because they forgot to close a news article). A cryptocurrency where proof of work is based on active network connections might be a wiser move - pings and pongs are cheap.
Things that cause you to lose your data and/or your computer have to be the worst.
And when your CPU or GPU overheats and shits out because it's being stressed beyond the limits of the cooling system you cheaped out on because you were only putting together a Facebook machine and didn't need it to be able to handle heavy loads? You don't think that qualifies?
I think it does.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Doing a make configure && make && make install (or whatever version you prefer) will often fail after a long time, realizing that one stupid library is missing.
Not really a contender...
With RPM you can get the problem of recursive dependencies, where Package A needs Package B, which needs Package C, which needs Package A, and it is up to you to know which one to force.
While it is possible, in practice such a packaging mistake would be a bug to fix. Generally speaking apt and yum/dnf give value based on the dependency.
Static binaries can get big, and also make doing a security patch nearly impossible.
A container-per-app is even bigger, and not much easier to patch when used as intended. Container based apps are basically the return of static linked applications and a bit more.
Install scripts are often not well configured for your distribution.
Haven't seen something like that in over a decade, save for some proprietary applications that also make terrible containers that don't work well either.
XML is like violence. If it doesn't solve the problem, use more.
Yeah well I found MULTIPLE people named Cooper, Pooper S. years back when I picked up a phone book to move it from my doorstep to my recycling bin.
My understanding is that there was one app with one script containing the problematic issue.
While the whole repo thing seems to be another in a long line of Canonical great ideas, this one instance doesn't seem to fit "riddled with".
Example usage: Canonical is riddled with unqualified people making unjustified promises and changes to things they don't really seem to understand in the first place. Similar to Mars One or SystemD.
https://en.oxforddictionaries....
Because CPU defects never happen. Certainly, no marginal CPU has ever been shipped, that was fine under moderate load but shit the bed when pushed to the point that it might thermal throttle. No, you're right, that's unheard of.
Perhaps you didn't clearly write your position.
I think it's more likely that you read only half of it before assuming you knew exactly what I was saying.
I see that far too often online. Once on Reddit I wrote something which, to say what I wanted to say, required a first sentence that made it appear as if my position was the exact opposite of what the rest of that paragraph and the following three supported. At least half of the replies were people who held the same position as me, but only read that first sentence before replying to try to convince me of what I had already made it obvious that I believed.
Too many people online want to talk but not listen.
APT-GET is just an other App Store.
But that would be disregarding all of the other missteps they've taken over the years that leave their wider community high and dry. Don't get me wrong, I really like how Ubuntu has brought many people to Linux that may otherwise not have tried it..but the way Canonical runs things, IMHO of course, seems to ostracize their devs and users whenever they decide to go for the next new shiny thing.
Canonical doesn't have resources even to properly QA Ubuntu alone and make it 100% stable and working.
Yeah, and lightning strikes and earthquakes happen. If something just *running* on your CPU causes it to overheat, you have a lot more problems than crypto-mining. You really need a new computer.
Idle CPU, like 'free memory' is a waste of your computer. Used to be people would go donate cpu to things like distributed computing projects (https://en.wikipedia.org/wiki/List_of_distributed_computing_projects) like SETI (https://setiathome.berkeley.edu/) and run spare cycles 24/7. Computers that overheat when used are faulty (maybe dirty/dusty), but need maintenance or something fixed.
Idle CPU, like 'free memory' is a waste of your computer.
And processing things like SETI@Home and Folding@Home on a general purpose CPU when there are much more efficient dedicated chips for those purposes is a waste of electricity. Hell, in the summer, it's even worse in warmer climates, as the extra heat means the air conditioning will run longer, wasting even more electricity. See, it's not so cut and dry when you consider other factors.
Computers that overheat when used are faulty (maybe dirty/dusty), but need maintenance or something fixed.
That doesn't mean they aren't out there. Trust me when I say plenty of them are out there.
Computers crap out just outside of warranty all the time! It's especially prevalent with laptops and no, you can't get it replaced for free if it happens outside of warranty. Even in warranty, good luck fighting with the OEM.
Things that cause you to lose your data and/or your computer have to be the worst.
And when your CPU or GPU overheats and shits out because it's being stressed beyond the limits of the cooling system you cheaped out on because you were only putting together a Facebook machine and didn't need it to be able to handle heavy loads? You don't think that qualifies?
Yes, OK: in the very rare circumstance that you happen to be running one of these bits of software on a system that you designed for using Facebook, that has a CPU defect that causes it to fail when it hits the point of thermal throttling, you would probably consider this a qualification for something worse than a script that is annoying and should be stopped, and if, for you, that means it falls into the category of malicious software that deletes your data, then OK. In that circumstance, OK.
"Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them." What kind of nonsense is this? Every single user of one of their apps is supposed to "investigate" the developer of an app? If investigating the developer would succeed in preventing my downloading an app, then why doesn't Ubuntu do it?
Don't get me wrong, I don't really believe investigating developers would help. How am i supposed to do this, hire a private eye? But the notion that every user should do it is just ludicrous.
Because it was Mark Shuttleworth's nephew who did it.
Okay I have nothing to back that up, but imagine if it was.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Well, that's true in a way, but one facet of the app store in this case is the "self-publish" aspect that lands this in hot water. Sure, you can have PPAs in the apt world, COPR in Fedora land, and just random third-party yum/apt repos, but you are a bit more aware of who is 'vouching' for what in which repository. It's not perfect or perhaps thorough enough either, but to get to overwhelmingly more packages in a 'store', some amount of curation falls by the wayside compared to the core yum/apt repos...
I am sure. But if you have a limping computer that can't handle a cpu-load, there are steps you can take, like:
1) cleaning it
2) not overclocking
3) for multi-core, limit # cores in use using affinity
4) don't use hyperthreading
5) limit the cpu-clock -- most processors in the past 10 years have variable clock rates -- spinning down when idle, or to conserve power, ramping up under load. On Windows you can set the min and the max processor state (might need a patch on some OS's as MS enabled and later hid the controls; a reg-patch from bitsum.com can re-enable). But my cpu normally idles at about 36% max-clock rate. If I set the max-processor-state to 36% or lower, it will never go up from 1.18GHz to its max speed of 3.2GHz. That will save power and result in lower cpu temps: Using https://www.cpuid.com/download...,
Idle: 44C + power ~52W.
Normal w/100% load on all cores: 72C & 122W
with cpu perf limited to 36%: 52C & 62W
---
On linux (more pertinent to article), you can use:
https://git.kernel.org/cgit/li...
(cpupower) to set max frequencies to do the same thing.
There ya go: now you have no one to blame other than yourself for cpu overheating. :-)
Enjoy? Or more unsolvable problems?
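The Linux side of step 5 above, as an added example (not code from this thread): the same "max processor state" cap, applied through the cpufreq sysfs knobs that cpupower also drives, by writing a percentage of `cpuinfo_max_freq` into every policy's `scaling_max_freq`. Applying it needs root; the arithmetic and the sysfs walk are separate, and the sysfs root is overridable (`CPUFREQ`) so the walk can be exercised against a fake tree. The 3.2 GHz / 36% figures are the comment's own numbers:

```shell
#!/bin/sh
# Added example, not from the thread. CPUFREQ can be pointed at a fake tree for testing.
CPUFREQ="${CPUFREQ:-/sys/devices/system/cpu}"

# pct_of_max_khz PCT MAXKHZ : integer kHz that is PCT% of MAXKHZ (truncating).
pct_of_max_khz() {
    echo $(( $2 * $1 / 100 ))
}

# limit_cpu_freq_pct PCT : write the cap to every cpuN/cpufreq/scaling_max_freq
# and print it. Returns 1 (writing nothing) if cpufreq is not exposed here.
limit_cpu_freq_pct() {
    pct="$1"
    ref="$CPUFREQ/cpu0/cpufreq/cpuinfo_max_freq"
    [ -r "$ref" ] || { echo "no cpufreq sysfs under $CPUFREQ" >&2; return 1; }
    maxkhz=$(cat "$ref")
    cap=$(pct_of_max_khz "$pct" "$maxkhz")
    for f in "$CPUFREQ"/cpu[0-9]*/cpufreq/scaling_max_freq; do
        [ -w "$f" ] || continue          # also skips an unmatched glob pattern
        echo "$cap" > "$f"
    done
    echo "$cap"
}

# The cpupower equivalent of the loop above (package linux-tools-common on Ubuntu):
#   cpupower frequency-set -u "$(pct_of_max_khz 36 "$(cat "$CPUFREQ/cpu0/cpufreq/cpuinfo_max_freq")")kHz"

# The comment's own numbers: a 3.2 GHz part capped at 36%.
pct_of_max_khz 36 3200000   # prints 1152000, i.e. 1.15 GHz, about the 1.18 GHz idle clock quoted
```

This only caps the clock; it does not stop a rogue process from pegging every core at that lower clock, so it is a thermal mitigation, not a fix. Note too that a governor or firmware can still boost above `scaling_max_freq` on some platforms, so check `scaling_cur_freq` under load after applying it.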
It doesn't fit the definition of "malware". It was not evil intent. Under normal circumstances:
doesn't cause loss of data
doesn't cause harm to hardware
doesn't deny service or crash your system
doesn't steal your credentials, your money or your life.
It's only slightly worse than the crapware and adware that get installed on new computers or with various free SW installs (like from Adobe, et al). Or Windows 10, which when it first came out saturated some users' network connections with MS's data-monitoring.
Now if you want to call MS-Win10 and Adobe-SW "malware", well, under that level of threat -- then mining SW is probably malware too. But given the other threats/attacks on your cpu/computer from supposedly legitimate sources -- something that uses background cpu is no worse than SETI @ home -- just that it went on behind your back -- like so many things that go on in the world. Only later might things come out about how various companies are misusing your data -- but just because you don't know about it doesn't mean it isn't happening -- and it's not illegal or "malware enough" that any of the abusers are going to jail (or even paying a token fine).
You want malware? How about DRM fails and SW updates that disable your old SW -- when you try to get support for fixing it, you are told your old SW is no longer supported (like Adobe CS5 products). They won't even give you a replacement license -- no support. Something that can take $100's a month in subscription fees to replace, or SW that downloads "replacement" software and tries to trick you into replacing your older, more functional SW....(MSWin10)....? But those things -- the companies paid for the laws to allow them to do it.
The bit-miners just haven't become big enough business to buy their laws yet. :-(
I never said I had a problem. That's a great write up, though, for the kind of people who pay Geek Squad and the like way too much money, if you can think of a place you can post it where someone with so little tech savvy might actually read it.
Otherwise, I'm sorry to say you wasted your time; even if I did have a PC that was just limping along, I wouldn't get hit with something like this in the first place, so it really wouldn't matter. Please, though, try not to hurt yourself too badly when you fall off that high horse.
If we're being honest, malware that deletes my data would be the best case, as I'd just restore from a recent backup and be on my merry way, with maybe 5 hours of downtime. Something co-opting my CPU to mine cryptocurrency, though, well... that has a real cost, not only in additional electricity used for the mining activity, but also additional electricity used to cool the room that is now getting hotter as a result of that activity. Now that has a real impact on me, and I'm sure I'm not the only one.
In fact, it's probably costing the victims more than the assholes who profit from it are making; all parties involved would literally be better off if we were talking about armed robbery, literally stealing cash from wallets and cash registers. Law enforcement and incarceration costs notwithstanding, that's a zero-sum game, while this type of malware is a pure drain on society, much like when someone smashes a car window to steal a $200 stereo they're only gonna be able to get $20 for. Now someone has to pay hundreds to cover someone else's $20 gain -- and that's the case with this type of malware, where the cost to the victim is several times the amount gained by the criminal.
"One of the most challenging aspects of running a modern software repository is just making sure that the published software is indeed only doing what it’s supposed to. In the classic Ubuntu repositories, we have the great privilege to work only with software built on trusted infrastructure, from source. That has obvious advantages but also requires a very long time for new bits to show up for millions of users."
Whoever wants to give up a trusted environment for less security? If you know what you are doing you can already do this (without the need for snaps), but otherwise it is just a bad idea.
I am keenly watching snaps and docker for this reason. Package managers while simplifying processes are not a panacea, the big problem being that they frequently aren't up to date. Sure you can install a repository from someone else, but that is just step one to hosing your system.
They are a last resort for testing bleeding edge software, or a shim to get something more current on an outdated install, otherwise wait for it to hit your repository where each component is at least vetted by a group of maintainers and signed.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
I'm sorry, but that just won't cut it. Google proved beyond a shadow of a doubt that if an app store isn't carefully curated, bad actors WILL infest it as much as they can get away with.
If Canonical is worried about their reputation after this incident, they need to understand that this incident will be nothing compared to when they discover that there are hundreds of sketchy applications filled with genuine malware.
By comparison, Apple (ignoring their control-freakery for the moment) understands that developers cannot be blindly trusted. The result is that their platform hasn't seen remotely the issues that Android has.
Canonical needs to learn this lesson as well before their snap store goes to shit before it's even started.
Because they like to act ethically, based on principles, and so they don't want to simply ban someone on the basis you are talking about ("damaging one's reputation"), a reason which could be used to justify arbitrary decisions -- and make Canonical look like Facebook or Twitter.