Wednesday, December 9, 2009

And So It Begins


It appears that someone has successfully tricked a few Ubuntu users into installing malware on their computers, see here, and here.



Note that this wasn't a security exploit in the sense that a coding bug was exploited. So far as I can tell, it was a bit of social engineering, where someone tricked someone into running a deb to get a cool screen saver, but the deb really only installed a bit of malware. I suppose this is a bit like a trojan, only the screen saver itself wasn't installed.

What this means is:
  1. Linux on the desktop has reached the phase where it is interesting for people to attack your system.
  2. The community may now be infiltrated by untrustworthy people, so the 99.999% of the good people will have to be a bit on the lookout for the bad guys.
  3. Users will need to be on guard, and question the source of software or other goodies that they are installing a bit more.
Of course, users of Linux on the server have been aware of security threats for quite some time.

This situation is a bit of a bummer, as I think as a community we've had the luxury of widespread trust, and being able to sample goodies from around the web. I suppose we'll need to do more to make it easy for good people to get their software into trusted repositories and, more to the point, put effort into ensuring those repositories are trustworthy!

In the meantime, remember, don't grant install privileges to random .debs. You wouldn't give the keys to your house to a stranger, right?

7 comments:

  1. Perhaps we need a GPG-based web of trust? That way, people who are known and respected in the community can vouch for the trustworthiness of packages on sites like gnome-look.org and designate other people as being trustworthy.

  2. There is a web of trust, it's called the official archives. :)

  3. We should also have a "trusted PPA" for software maintained by developers (upstream or Ubuntu ones) that for some reason isn't in the main archives (new or beta versions, for example, or backports to earlier Ubuntu releases).

  4. The problem with having a trust thing set up like what you guys are saying is that somebody might hack into a trusted person's account and then post something. Then the trust would be violated and nobody would trust this person ever again, even if this person has never really done anything wrong. Think about it logically, then you might discover that nothing really would work unless someone made an unhackable program for trust. (I'd like to see that happen, too bad it won't.)

    Just saying, maybe all of us should give it a lot more thought. Then we might eventually have a much greater understanding of what to do.

    Also, just to let you know: this is just my personal opinion, I'm not saying you are right or wrong. All I'm doing is putting facts out there that this world is full of lies and scandals. Nobody can really be 100% safe.
