[kwlug-disc] Malware found in Ubuntu Snaps Store

Chamunks chamunks at gmail.com
Sun May 13 22:04:32 EDT 2018


Nothing is immune to supply chain attacks.  The supply chain attack has
been pretty common over the last year or two at this point in other
repository based software delivery systems.

See CCleaner, Chrome extensions, Android app stores, sometimes even the
Apple app store.

Your security system is only as secure as the weakest link in the chain and
who said you need to be good at security just to be an app or package
developer.

Compromise the source code and you've now technically created a far more
potent attack than you could have other ways. Because now, in a world where
you're almost asking for trouble if you're not constantly on top of your
updates, you're damned if you do, damned if you don't.

On Sun, May 13, 2018, 12:03 PM Khalid Baheyeldin <kb at 2bits.com> wrote:

> On Sun, May 13, 2018 at 11:53 AM, Remi Gauvin <remi at georgianit.com> wrote:
>
>> On 2018-05-13 11:15 AM, Khalid Baheyeldin wrote:
>> > We were sheltered because the tried and tested methodology of
>> > repositories made us immune to this for ~ 25 years or so.
>>
>> One of the things I like about Ubuntu is the great ecosystem of PPA's.
>> Over the past several years, I found PPA's did a great job of filling
>> the gaps between what makes it into a relatively stable distro, and
>> those software packages I need to be newer for a specific task.  PPA's
>> were certainly more convenient than downloading and compiling from source.
>>
>> In this regards, I'm a little torn.  On the one hand, it's just as easy
>> for a bad or careless actor to put a bad package in a PPA.  Without
>> Snaps isolation, such a package would root a system, essentially requiring
>> a fresh install, or snapshot restore to guarantee system integrity.  Not
>> to mention the irrevocable loss of private/secret information.
>>
>> However, in the case of PPA's I could carefully choose which PPA I drew
>> packages from, (and therefore, essentially, who to trust with the
>> system.)  With the snap store just allowing anyone to put whatever in
>> one big repository...well, we all already know exactly where that
>> leads, and Ubuntu has provided an example in record time.
>
>
> While PPAs can include malware, it's less likely. Why? Because PPAs are
> usually created by someone to fill a niche (like you say). For example,
> having older, or newer, versions of packages available.
>
> Examples include:
>
> Older PHP versions on LTS releases,
> Newer still experimental GIMP releases with 16/32 bit colour,
> Newer KStars version with all the latest astrophotography features
>
> Usually, these PPAs have their source published somewhere (Launchpad)
> and are built nightly automatically from that source. So the source can
> be inspected.
>
> And usually, there is a community behind these, and many users. If
> someone tries to slip in malware, it will be discovered quickly.
>
> Reminds me of some 12 or so years back, when the founder of Wordpress
> tried to slip in invisible link farm stuff in Wordpress, with negative CSS
> offsets, but was outed quickly, and apologized.
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
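As an added illustration of the point above about deliberately choosing which PPAs to trust (this is example code written for this archive page, not something posted by anyone on the thread): a small Python script that inventories the classic one-line apt sources a system is configured with, picks out the Launchpad PPAs, flags any PPA not on an explicit allowlist, and notes third-party sources that rely on the global apt keyring rather than a per-source `signed-by` keyring. The sample sources list, the allowlist, the PPA owner names and the set of "official" hosts are all constructed for the example; the only real conventions relied on are the `deb [options] URI SUITE COMPONENTS` line syntax and the `ppa.launchpad.net/<owner>/<ppa>/ubuntu` URL layout.

```python
"""Inventory which apt sources (and therefore which publishers) a system trusts.

Added example for the kwlug-disc thread; not from any poster or project.
Assumes the classic one-line sources.list syntax:
    deb [options] URI SUITE COMPONENT...
deb822 stanzas (sources.list.d/*.sources) are out of scope here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PPA_HOST = "ppa.launchpad.net"                               # Launchpad PPA host
OFFICIAL_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}  # assumed set of distro mirrors

# Constructed sample of what /etc/apt/sources.list plus sources.list.d might hold.
# The PPA owner names are made up for the example.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu bionic main restricted universe
deb-src http://archive.ubuntu.com/ubuntu bionic main
# deb http://ppa.launchpad.net/disabled-dev/old-ppa/ubuntu bionic main
deb http://ppa.launchpad.net/example-dev/php-old/ubuntu bionic main
deb [signed-by=/usr/share/keyrings/kstars.gpg] http://ppa.launchpad.net/example-astro/kstars/ubuntu bionic main
deb http://example-mirror.invalid/debs ./
"""

# kind, optional [options], URI, suite, optional components
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Source:
    kind: str
    uri: str
    suite: str
    components: List[str]
    signed_by: Optional[str]   # per-source keyring, if the entry declares one
    ppa: Optional[str]         # "<owner>/<ppa>" for Launchpad PPAs, else None


def host_of(uri: str) -> str:
    """Strip the scheme and return the host part of an apt URI."""
    return re.sub(r"^[a-z+]+://", "", uri).split("/")[0]


def parse_sources(text: str) -> List[Source]:
    """Parse one-line apt source entries; blank, commented and malformed lines are skipped."""
    sources: List[Source] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, opts, uri, suite, comps = m.groups()
        signed_by = None
        for opt in (opts or "").split():
            key, _, val = opt.partition("=")
            if key == "signed-by":
                signed_by = val
        ppa = None
        host_path = re.sub(r"^[a-z+]+://", "", uri).split("/")
        if host_path[0] == PPA_HOST and len(host_path) >= 3:
            ppa = f"{host_path[1]}/{host_path[2]}"
        sources.append(Source(kind, uri, suite, (comps or "").split(), signed_by, ppa))
    return sources


def review(sources: List[Source], trusted_ppas: Set[str]) -> Dict[str, List[str]]:
    """Summarise who the configured sources trust, relative to an explicit PPA allowlist."""
    findings: Dict[str, List[str]] = {
        "ppas": [],              # every PPA configured
        "unlisted_ppas": [],     # PPAs not on the allowlist: review before keeping
        "third_party": [],       # non-PPA, non-distro sources
        "global_key_trust": [],  # non-distro sources without a per-source signed-by keyring
    }
    for s in sources:
        host = host_of(s.uri)
        if s.ppa:
            findings["ppas"].append(s.ppa)
            if s.ppa not in trusted_ppas:
                findings["unlisted_ppas"].append(s.ppa)
        elif host not in OFFICIAL_HOSTS:
            findings["third_party"].append(s.uri)
        if host not in OFFICIAL_HOSTS and s.signed_by is None:
            findings["global_key_trust"].append(s.uri)
    return findings


if __name__ == "__main__":
    result = review(parse_sources(SAMPLE_SOURCES), trusted_ppas={"example-dev/php-old"})
    for category, items in result.items():
        print(f"{category}: {items}")
```

Run against a real system by reading `/etc/apt/sources.list` and the `*.list` files under `/etc/apt/sources.list.d/` instead of `SAMPLE_SOURCES`; the allowlist is the "who do I trust with the system" decision the post describes, written down so it can be reviewed rather than accumulated one `add-apt-repository` at a time.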