Canonical Addresses Ubuntu Linux Snap Store's 'Security Failure' (betanews.com)

Last week, an app on the Ubuntu Snap Store caused a stir when it was found to be riddled with a script programmed to mine cryptocurrency, a phenomenon whose traces have been found in several popular application stores in recent months. Canonical promptly pulled the app from the store, but offered little explanation at the time. On Tuesday, the Ubuntu maker addressed the matter in detail. From a report: The big question is whether or not this is really malware. Canonical also pondered this and says the following. "The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself. That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetize software published under licenses that allow it, unaware of the social or technical consequences," the company wrote in a blog post.

"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.

Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.

  • by fuzznutz ( 789413 ) on Tuesday May 15, 2018 @10:31AM (#56615002)

    "The publisher offered to stop doing that once contacted."

    Now explain to me why Canonical wouldn't permanently ban the publisher for damaging Canonical's reputation and business?

    • by Trogre ( 513942 )

      Because it was Mark Shuttleworth's nephew who did it.

      Okay I have nothing to back that up, but imagine if it was.

    • by apol ( 94049 )

      Because they like to act ethically, based on principles, and so they don't want to simply ban someone on the basis you are talking about ("damaging one's reputation"), a reason which could be used to justify arbitrary decisions -- and make Canonical look like Facebook or Twitter.

  • Canonical (or other companies) should offer a service that does code reviews and certifies that a specific revision is malware free for a small amount of money.

    Sure, if you're developing free software, you probably do not have the money to do so, but you could always ask the community to fund the certification.

    Or Canonical could set up a voting system where the most voted apps get certified periodically.

    There are plenty of solutions to this problem.

    • by Desler ( 1608317 ) on Tuesday May 15, 2018 @10:38AM (#56615062)

      Why would they ever want to take on such liability, especially for only "a small amount of money"? No one is gonna open themselves up to potential legal liability like that.

      • Because everything looks like a "Post" button when you're strongly opinionated and grossly under-informed.

      • Because it's ethical. You protect your customers and perhaps friends. There are legions of witless users in internetland that trust people to do QA, to run parsers on source looking for unethical or stolen code.

        Canonical just doesn't want to pay for it. If one Snap is ugly, maybe all of them are. This is why chains-of-authorities and vetted repositories are so important -- TRUST. Without it, they're worthless.

        Canonical knows better. Fraudulent crap code has no place in a Canonical repo. Shame on them.

    • certifies that a specific revision is malware free

      Except that can be quite hard to do. There are even "obfuscated C" contests to write code that is almost impossible to understand if you are not a computer. Almost like a reversed Turing test. And those contests are usually just hard to understand and look hard to understand. I can imagine that renaming variables can make some evil code look harmless at first glance. And even a simple game would have far too much code to scrutinize in total.

  • by Anonymous Coward

    I believe this attitude of Canonical to be highly problematic. The tight integration of Snap packages from their "store" into how software is managed on newer Ubuntu systems gives users the impression that the software that can be installed in this way has at least been curated to some extent by Canonical. I don't think an inexperienced user will be able to easily understand the difference between a Snap package and a standard APT/dpkg package that is part of the underlying distribution. And because the softwar

    • by HiThere ( 15173 )

      PPTs are actually quite reasonable. You have to decide to add each one, and take actions as a superuser. This is really no different than setting up an apt repository, which some applications have done.

      The thing about Snaps appears to be that a repository of miscellaneous applications that are uncurated are allowed in. Not good. But when they run, they need to run in a sandbox. Good. If it's a good sandbox, this avoids most of the security problems. It doesn't, of course, avoid extra computation...wh
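The sandbox point above is the practical one for defenders: confinement limits what a snap can touch, not how much CPU it burns, so one useful control is watching for processes that stay pegged across several sampling windows. The following is an added example, not code from this thread, from Canonical or from the snap in question; it assumes the Linux /proc/<pid>/stat field layout (utime field 14, stime field 15, in USER_HZ ticks), a USER_HZ of 100, and uses constructed snapshots (pid 2048 "sim-miner" and the other entries are invented) so it runs offline.

```python
from collections import defaultdict

CLK_TCK = 100       # USER_HZ on x86 Linux; verify with `getconf CLK_TCK` (assumption)
INTERVAL_S = 5.0    # seconds between snapshots
THRESHOLD = 0.8     # fraction of one core; a 2-thread miner would show ~2.0
WINDOWS = 3         # consecutive windows above threshold before flagging


def parse_stat(line):
    """Return (pid, comm, utime + stime) from one /proc/<pid>/stat line.
    comm is parenthesised and may contain spaces or ')', so split on the last ')'."""
    lparen, rparen = line.index("("), line.rindex(")")
    pid = int(line[:lparen])
    comm = line[lparen + 1:rparen]
    fields = line[rparen + 2:].split()                 # fields[0] is stat field 3 (state)
    utime, stime = int(fields[11]), int(fields[12])    # stat fields 14 and 15
    return pid, comm, utime + stime


def sustained_hogs(snapshots, threshold=THRESHOLD, windows=WINDOWS):
    """Return {pid: comm} for processes at or above `threshold` of one core in
    `windows` consecutive intervals; `snapshots` are lists of stat lines INTERVAL_S apart."""
    names, streak, flagged = {}, defaultdict(int), {}
    prev = None
    for snap in snapshots:
        cur = {}
        for line in snap:
            pid, comm, ticks = parse_stat(line)
            cur[pid], names[pid] = ticks, comm
        if prev is not None:
            for pid, ticks in cur.items():
                if pid not in prev:
                    continue                            # new process: no delta yet
                frac = (ticks - prev[pid]) / (CLK_TCK * INTERVAL_S)
                streak[pid] = streak[pid] + 1 if frac >= threshold else 0
                if streak[pid] >= windows:
                    flagged[pid] = names[pid]
        prev = cur
    return flagged


def _stat_line(pid, comm, utime, stime):
    """Constructed stat line in the real field order; unrelated fields zeroed."""
    head = ["S", "1", "1", "1", "0", "-1", "0", "0", "0", "0", "0"]
    return f"{pid} ({comm}) " + " ".join(head + [str(utime), str(stime)] + ["0"] * 10)


# Constructed snapshots 5 s apart: "sim-miner" burns ~0.96 of a core in every window,
# the browser spikes once and then idles, the shell stays idle throughout.
SNAPSHOTS = [
    [_stat_line(2048, "sim-miner", 1000, 50), _stat_line(3101, "web-browser", 800, 100), _stat_line(900, "bash", 10, 5)],
    [_stat_line(2048, "sim-miner", 1460, 70), _stat_line(3101, "web-browser", 1240, 120), _stat_line(900, "bash", 10, 5)],
    [_stat_line(2048, "sim-miner", 1930, 85), _stat_line(3101, "web-browser", 1250, 125), _stat_line(900, "bash", 11, 5)],
    [_stat_line(2048, "sim-miner", 2400, 100), _stat_line(3101, "web-browser", 1260, 130), _stat_line(900, "bash", 11, 5)],
]
```

On a live system the same functions work on `open(f"/proc/{pid}/stat").read()` for each pid in /proc, sampled every INTERVAL_S seconds; a one-off spike (the browser here) is not flagged, only a sustained one.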

  • Of course the publisher was doing something wrong, you are effectively stealing someone's electricity to mine crypto for your benefit. For me this is plain theft and I would be surprised if a court would not come to the same conclusion. Actually I'll rephrase, it's more like a trojan horse that is pushed to the victim without their knowledge which then steals electricity and processing power on behalf of the author.
    • It's not stealing if the user agrees to it in the TOS/EULA. Hell. It's not even theft. Theft implies you take a thing and gain sole possession of it. All they're doing here is mildly increasing the electron usage of a CPU core or two. At full tilt, this might be a few pennies a day. And as electrons have no mass, there's nothing really there to steal.
      • by HiThere ( 15173 )

        Sorry, they are stealing computation cycles...unless the user agreed to allow them to do so. As to whether this amounts to pennies a day...that depends on how aggressively they steal them, what the price of electricity is in the user location, whether it makes them think their computer is broken so they buy a new one, etc.

        The evidence I've seen (i.e., the summary) doesn't provide me enough to decide whether this should be called theft, or how severe the impact was. But unless the TOS specifically stated t

        • When you download and run code, you don't sign an agreement with the maker that you will contribute $n compute cycles, no more, and no less. You download code, and it will use what it uses. This even varies per system depending on RAM, arch, compiler versions, etc. It can not be specified, as doing so is flat out impossible. Additionally, there is a layer of informed consent on this matter where you, as the user and owner of your power supply. It says (typically), on a label, through some fuzzy math w
      • by drinkypoo ( 153816 ) on Tuesday May 15, 2018 @01:03PM (#56615980)

        If the user is expecting the program to mostly do one thing and it mostly does some other thing, hiding that fact deep in the EULA doesn't excuse it. It's a deliberate attempt to deceive.

  • On the scale of computer malware wrongs, mining cryptocurrency has to be one of the lesser evils. Get serious. Is it annoying? Yes. Should it be stopped? Yes.

    Things that cause you to lose your data and/or your computer have to be the worst.

    Then things that leave your computer open to remote control, to do whatever (botnets, etc.) -- those have got to be next. Related to this area are those who maintain remote control via "forced" updates and forced online connections -- they can constantly degrade or disabl

    • Things that cause you to lose your data and/or your computer have to be the worst.

      And when your CPU or GPU overheats and shits out because it's being stressed beyond the limits of the cooling system you cheaped out on because you were only putting together a Facebook machine and didn't need it to be able to handle heavy loads? You don't think that qualifies?

      I think it does.

      • This will only happen if you overclock. Plus, if you read the code in the snap, it's limited to 1 or 2 threads, which on modern CPUs won't be more than a small handful of watts. Pennies a day, worst case. Modern CPUs, on stock heatsinks, with no overclock, have zero risk of crapping out due to heat. They'll thermal throttle *long* before then. Usually at 90 or 100°C. I run server CPUs pegged out at 100°C and let the thermal mgmt do its thing and they're fine for the life of the CPU warranty. As desig
        • Because CPU defects never happen. Certainly, no marginal CPU has ever been shipped, that was fine under moderate load but shit the bed when pushed to the point that it might thermal throttle. No, you're right, that's unheard of.
          • by lpq ( 583377 )

            Yeah, and lightning strikes and earthquakes happen. If something is just *running* on your CPU and that causes it to overheat -- you have a lot more problems than crypto-mining. You really need a new computer.

            Idle CPU, like 'free memory' is a waste of your computer. Used to be people would go donate cpu to things like distributed computing projects (https://en.wikipedia.org/wiki/List_of_distributed_computing_projects) like SETI (https://setiathome.berkeley.edu/) and run spare cycles 24/7. Computers that

            • Idle CPU, like 'free memory' is a waste of your computer.

              And processing things like SETI@Home and Folding@Home on a general purpose CPU when there are much more efficient dedicated chips for those purposes is a waste of electricity. Hell, in the summer, it's even worse in warmer climates, as the extra heat means the air conditioning will run longer, wasting even more electricity. See, it's not so cut and dry when you consider other factors.

              Computers that overheat when used are faulty (maybe dirty/dusty), but need maintenance or something fixed.

              That doesn't mean they aren't out there. Trust me when I say plenty of them are out there.

              • by lpq ( 583377 )

                I am sure. But if you have a limping computer that can't handle a CPU load, there are steps you can take, like:
                1) cleaning it
                2) not overclocking
                3) for multi-core, limit the number of cores in use using affinity
                4) don't use hyperthreading
                5) limit the CPU clock -- most processors in the past 10 years have variable clock rates -- spinning down when idle, or to conserve power, ramping up under load. On Windows you can set the min and the max processor state (might need a patch on some OS's as MS enabled and later hid th

                • I never said I had a problem. That's a great write up, though, for the kind of people who pay Geek Squad and the like way too much money, if you can think of a place you can post it where someone with so little tech savvy might actually read it.

                  Otherwise, I'm sorry to say you wasted your time; even if I did have a PC that was just limping along, I wouldn't get hit with something like this in the first place, so it really wouldn't matter. Please, though, try not to hurt yourself too badly when you fall off
      • by Anonymous Coward

        Things that cause you to lose your data and/or your computer have to be the worst.

        And when your CPU or GPU overheats and shits out because it's being stressed beyond the limits of the cooling system you cheaped out on because you were only putting together a Facebook machine and didn't need it to be able to handle heavy loads? You don't think that qualifies?

        Yes, OK, in the very rare circumstance that you happen to be running one of these bits of software on a system that you designed for using Facebook, and that has a CPU defect [slashdot.org] that causes it to fail when it hits the point of thermal throttling, you would probably consider this a qualification for something worse than a script that is annoying and should be stopped, and if, for you, that means it falls into the category of malicious software that deletes your data, then OK. In that circumstance, OK.

        • If we're being honest, malware that deletes my data would be the best case, as I'd just restore from a recent backup and be on my merry way, with maybe 5 hours of downtime. Something co-opting my CPU to mine cryptocurrency, though, well... that has a real cost, not only in additional electricity used for the mining activity, but also additional electricity used to cool the room that is now getting hotter as a result of that activity. Now that has a real impact on me, and I'm sure I'm not the only one.

          In f
  • But this is a legitimate possibility for people to fund apps and news articles and such that they publish - separate from the tried and true "sell all the data you can get out of the user" or the mostly failed "advertising" models. I'd like to see cryptocurrency miners like this more widespread in free-to-use stuff (websites especially,) but things which stress the end user's hardware aren't the way to go because they inherently add a cost to using anything (plus who wants their computer to be bogged down
  • My understanding is that there was one app with one script containing the problematic issue.

    While the whole repo thing seems to be another in a long line of Canonical great ideas, this one instance doesn't seem to fit "riddled with".

    Example usage: Canonical is riddled with unqualified people making unjustified promises and changes to things they don't really seem to understand in the first place. Similar to Mars One or SystemD.

    https://en.oxforddictionaries.... [oxforddictionaries.com]

    • by HiThere ( 15173 )

      Well, except that you should say "only detected one script containing the problematic". Given that they have stated that they don't curate the Snaps, there's little reason to believe that this is the only problem, or even the most serious one.

      OTOH, the Snaps are supposed to execute within a sandbox. If it's a *good* sandbox, the probability of serious problems is small.

      • That would have been acceptable among many other phrases like "may be riddled". Like the universe may be riddled with life given the known occurrence of one instance and probabilities of scale.

        Major browsers have executed things for years in a sandbox. Let that show a sandbox is not really a sufficient mechanism in itself.

  • But that would be disregarding all of the other missteps they've taken over the years that leave their wider community high and dry. Don't get me wrong, I really like how Ubuntu has brought many people to Linux that may otherwise not have tried it... but the way Canonical runs things, IMHO of course, seems to ostracize their devs and users whenever they decide to go for the next new shiny thing.

  • Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store.

    Canonical doesn't have resources even to properly QA Ubuntu alone and make it 100% stable and working.

  • "Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them." What kind of nonsense is this? Every single user of one of their apps is supposed to "investigate" the developer of an app? If investigating the developer would succeed in preventing my downloading an app, then why doesn't Ubuntu do it?

    Don't get me wrong, I don't really b

  • "One of the most challenging aspects of running a modern software repository is just making sure that the published software is indeed only doing what it’s supposed to. In the classic Ubuntu repositories, we have the great privilege to work only with software built on trusted infrastructure, from source. That has obvious advantages but also requires a very long time for new bits to show up for millions of users."

    Whoever wants to give up a trusted environment for less security? If you know what you are

  • They are a last resort for testing bleeding edge software, or a shim to get something more current on an outdated install, otherwise wait for it to hit your repository where each component is at least vetted by a group of maintainers and signed.

  • Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.

    I'm sorry, but that just won't cut it. Google proved beyond a shadow of a doubt that if an app store isn't carefully curated, bad actors WILL infest it as much as they can get away with.

    If Canonical is worried about their reputation after this incident, they need to understand that this incident will be nothing compared to when they discover that there are hundreds of sketchy applications filled with genuine malware.

    By comparison, Apple (ignoring their control-freakery for the moment) understands that d
