Canonical Addresses Ubuntu Linux Snap Store's 'Security Failure' (betanews.com)
Last week, an app on the Ubuntu Snap Store caused a stir when it was found to be riddled with a script programmed to mine cryptocurrency, a phenomenon whose traces have been found in several popular application stores in recent months. Canonical promptly pulled the app from the store, but offered little explanation at the time. On Tuesday, the Ubuntu maker addressed the matter in detail. From a report: The big question is whether or not this is really malware. Canonical also pondered this and says the following. "The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself. That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetize software published under licenses that allow it, unaware of the social or technical consequences," the company wrote in a blog post.
"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
Re: (Score:2)
Yeah well I found MULTIPLE people named Cooper, Pooper S. years back when I picked up a phone book to move it from my doorstep to my recycling bin.
Re:App stores are crap stores (Score:5, Informative)
Dependency Hell.
Doing a make configure && make && make install (or whatever version you prefer) will often fail after a long time, when it realizes that one stupid library is missing.
With RPM you can get the problem of recursive dependencies, where Package A needs Package B, which needs Package C, which needs Package A. And it is up to you to know which one to force.
Static binaries can get big, and also make doing a security patch near impossible.
Install scripts are often not well configured for your distribution.
App repositories, where the apps are configured and load in all the dependencies in the right order, as well as performing all the necessary distribution-specific configuration, have greatly simplified the process.
Although this particular occurrence had some bad code, once spotted and removed it was fixed, vs. downloading it from the source, where the bad code was there to stay.
Re: (Score:2)
APT-GET is just another App Store.
Re: (Score:2)
Well, that's true in a way, but one facet of the app store in this case is the "self-publish" that lands this in hot water. Sure you can have PPAs in apt world, copr in Fedora land, and just random 3rd party yum/apt repos, but you are a bit more aware of who is 'vouching' for what in which repository. It's not perfect or perhaps thorough enough either, but to get to overwhelmingly more packages in a 'store', some amount of curation falls by the wayside compared to the core yum/apt repos...
Re: (Score:3)
Doing a make configure && make && make install (or whatever version you prefer) will often fail after a long time, when it realizes that one stupid library is missing.
Not really a contender...
With RPM you can get the problem of recursive dependencies, where Package A needs Package B, which needs Package C, which needs Package A. And it is up to you to know which one to force.
While it is possible, in practice such a packaging mistake would be a bug to fix. Generally speaking, apt and yum/dnf give value based on the dependency.
Static binaries can get big, and also make doing a security patch near impossible.
A container-per-app is even bigger, and not much easier to patch when used as intended. Container based apps are basically the return of static linked applications and a bit more.
Install scripts are often not well configured for your distribution.
Haven't seen something like that in over a decade, save for some proprietary applications that also make terrible containers that don't work well either.
Re: (Score:2)
I am keenly watching snaps and docker for this reason. Package managers, while simplifying processes, are not a panacea, the big problem being that they frequently aren't up to date. Sure you can install a repository from someone else, but that is just step one to hosing your system.
Only apps can app apps! (Score:1)
Appbuntu should switch to appy APPS instead of not-as-appy snaps! More apps makes everything appier!
Apps!
Re: (Score:2)
The extra rhyme makes this one meta-meta-funny. Good job, app-mocking troll, good job. Here's a cookie.
Re: (Score:1)
Snaps are sandboxes precisely to limit what an application can do and have to be whitelisted by the user to access any protected features.
Re: (Score:2, Insightful)
Do these sandboxes allow the user to see how much CPU is being used and what the application is doing on the network? If so then I don't see what the problem was here. I assume the user could see how much CPU and network the app was using, and decide from there whether they liked the app or whether they wanted to find a more efficient one. Does it really matter whether the app was using the CPU to mine bitcoin vs. just being written really inefficiently and wasting CPU time and network resources on nothi
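The question above is the practical one: confinement does not stop a snap from burning CPU, so the user needs a way to see sustained load and tie it back to a snap. The following is an added example (not code from the thread, Canonical or snapd) that samples /proc/<pid>/stat, flags processes that stay pegged at a core for several windows, and names the snap from the cgroup scope; it assumes snap apps run in a systemd scope named 'snap.<snap>.<app>...' and CLK_TCK of 100, and all sample data is constructed.

```python
"""Added example: flag sustained CPU hogs from /proc samples and attribute
them to a snap via the cgroup scope name. Assumptions: snap apps run in a
'snap.<snap>.<app>.<id>.scope' systemd scope; CLK_TCK is 100."""
import re
from pathlib import Path

CLK_TCK = 100  # assumed; os.sysconf("SC_CLK_TCK") on a live system
SNAP_SCOPE = re.compile(r"/snap\.([^./]+)\.([^./]+)\.")

def parse_stat(line):
    """Return (pid, comm, utime+stime) from one /proc/<pid>/stat line.
    comm may contain spaces, so split on the last ')' first."""
    head, _, tail = line.rpartition(")")
    pid_str, comm = head.split(" (", 1)
    fields = tail.split()  # fields[0] is field 3 (state) in proc(5)
    utime, stime = int(fields[11]), int(fields[12])  # fields 14 and 15
    return int(pid_str), comm, utime + stime

def snap_of(cgroup_text):
    """Return '<snap>.<app>' owning a /proc/<pid>/cgroup entry, else None."""
    m = SNAP_SCOPE.search(cgroup_text)
    return f"{m.group(1)}.{m.group(2)}" if m else None

def cpu_shares(before, after, interval_s, clk_tck=CLK_TCK):
    """Fraction of one core each pid used between two {pid: ticks} samples."""
    return {pid: (after[pid] - before[pid]) / (interval_s * clk_tck)
            for pid in after if pid in before}

def flag_hogs(samples, interval_s, threshold=0.9, min_windows=2):
    """Pids at or above `threshold` of a core in each of the last
    `min_windows` windows: a miner pegs a core, normal apps spike and drop."""
    if len(samples) < min_windows + 1:
        return set()
    hogs = None
    recent = samples[-min_windows - 1:]
    for before, after in zip(recent, recent[1:]):
        above = {pid for pid, share in cpu_shares(before, after, interval_s).items()
                 if share >= threshold}
        hogs = above if hogs is None else hogs & above
    return hogs

def sample_procfs(proc=Path("/proc")):
    """Live collector (Linux): {pid: ticks} for every running process."""
    out = {}
    for p in proc.iterdir():
        if p.name.isdigit():
            try:
                pid, _, ticks = parse_stat((p / "stat").read_text())
                out[pid] = ticks
            except (OSError, ValueError, IndexError):
                pass  # process exited between listing and read
    return out

# Constructed /proc/<pid>/stat snapshots 5 s apart: pid 4242 pegs a core in
# both windows, pid 777 stays idle. The cgroup line below is constructed too.
SAMPLE_STATS = [
    ["4242 (miner helper) S 1 4242 4242 0 -1 4194560 500 0 0 0 1200 300 0 0 20 0 4 0 1000",
     "777 (gedit) S 1 777 777 0 -1 4194560 200 0 0 0 40 10 0 0 20 0 2 0 1000"],
    ["4242 (miner helper) S 1 4242 4242 0 -1 4194560 500 0 0 0 1680 320 0 0 20 0 4 0 1000",
     "777 (gedit) S 1 777 777 0 -1 4194560 200 0 0 0 45 12 0 0 20 0 2 0 1000"],
    ["4242 (miner helper) S 1 4242 4242 0 -1 4194560 500 0 0 0 2150 350 0 0 20 0 4 0 1000",
     "777 (gedit) S 1 777 777 0 -1 4194560 200 0 0 0 50 12 0 0 20 0 2 0 1000"],
]
SAMPLES = [{parse_stat(s)[0]: parse_stat(s)[2] for s in snap} for snap in SAMPLE_STATS]
CGROUP_4242 = "0::/user.slice/user-1000.slice/user@1000.service/app.slice/snap.fooapp.daemon.1c2e.scope\n"
```

On a live system, call sample_procfs() a few seconds apart, pass the list to flag_hogs(), and read /proc/<pid>/cgroup for each flagged pid to see which snap owns it.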
Re: (Score:2)
Because doing a full code review of all the code I need to use on a daily basis will encompass all the time that I would need the code to do.
Civilization is based on a degree of trust; its advancement is due to people doing what they are good at, and someone else doing something else that matches what they are good at.
I doubt anyone is using a computer that they had started with finding a stick, a large rock, and picked some grass. Wove the grass into a rope, and using the stick and rope and rock to fas
Re: (Score:2)
Perhaps you didn't clearly write your position.
Re: (Score:1)
I think it's more likely that you read only half of it before assuming you knew exactly what I was saying.
I see that far too often online. Once on Reddit I wrote something which, to say what I wanted to say, required a first sentence that made it appear as if my position was the exact opposite of what the rest of that paragraph and the following three supported. At least half of the replies were people who held the same position as me, but only read that first sentence before replying to try to convince m
It's easier to beg forgiveness that ask permission (Score:4, Interesting)
Now explain to me why Canonical wouldn't permanently ban the publisher for damaging Canonical's reputation and business?
Re: (Score:2)
Because it was Mark Shuttleworth's nephew who did it.
Okay I have nothing to back that up, but imagine if it was.
Re: (Score:2)
Because they like to act ethically, based on principles, and so they don't want to simply ban someone on the basis you are talking about ("damaging one's reputation"), a reason which could be used for arbitrary decisions -- and make Canonical look like Facebook or Twitter.
Pay canonical or other trusted institution (Score:2)
Canonical (or other companies) should offer a service that does code reviews and certifies that a specific revision is malware free for a small amount of money.
Sure, if you're developing a free software, you probably do not have the money to do so, but you could always ask the community to fund the certification.
Or Canonical could set up a voting system where the most voted apps get certified periodically.
There are plenty of solutions to this problem.
Re:Pay canonical or other trusted institution (Score:5, Insightful)
Why would they ever want to take on such liability, especially for only "a small amount of money"? No one is gonna open themselves up to potential legal liability like that.
Re: (Score:2, Troll)
Because everything looks like a "Post" button when you're strongly opinionated and grossly under informed.
Re: (Score:2)
Because it's ethical. You protect your customers and perhaps friends. There are legions of witless users in internetland that trust people to do QA, to run parsers on source looking for unethical or stolen code.
Canonical just doesn't want to pay for it. If one Snap is ugly, maybe all of them are. This is why chains-of-authorities and vetted repositories are so important-- TRUST. Without it, they're worthless.
Canonical knows better. Fraudulent crap code has no place in a Canonical repo. Shame on them.
Re: (Score:3)
certifies that a specific revision is malware free
Except that can be quite hard to do. There are even "obfuscated C" contests to write code that is almost impossible to understand if you are not a computer. Almost like a reversed Turing test. And those contests are usually just hard to understand and look hard to understand. I can imagine that renaming variables can make some evil code look harmless at first glance. And even a simple game would have far too much code to scrutinize in total.
Re: Pay canonical or other trusted institution (Score:1)
If the code can't be understood, there is no ground to certify it.
App Stores considered harmful (Score:2, Insightful)
I believe this attitude of Canonical to be highly problematic. The tight integration of Snap packages from their "store" into how software is managed on newer Ubuntu systems gives users the impression that the software that can be installed in this way has at least been curated to some extent by Canonical. I don't think an inexperienced user will be able to easily understand the difference between a Snap package and a standard APT/dpkg package that is part of the underlying distribution. And because the softwar
Re: (Score:2)
PPAs are actually quite reasonable. You have to decide to add each one, and take actions as a superuser. This is really no different than setting up an apt repository, which some applications have done.
The thing about Snaps appears to be that a repository of miscellaneous applications that are uncurated are allowed in. Not good. But when they run, they need to run in a sandbox. Good. If it's a good sandbox, this avoids most of the security problems. It doesn't, of course, avoid extra computation...wh
Stealing (Score:2)
Sorry, they are stealing computation cycles...unless the user agreed to allow them to do so. As to whether this amounts to pennies a day...that depends on how aggressively they steal them, what the price of electricity is in the user location, whether it makes them think their computer is broken so they buy a new one, etc.
The evidence I've seen (i.e., the summary) doesn't provide me enough to decide whether this should be called theft, or how severe the impact was. But unless the TOS specifically stated t
Re:Stealing (Score:4, Insightful)
If the user is expecting the program to mostly do one thing and it mostly does some other thing, hiding that fact deep in the EULA doesn't excuse it. It's a deliberate attempt to deceive.
mining crypt -- as malware?...lets be realistic... (Score:2)
On the scale of computer malware wrongs, mining cryptocurrency has to be one of the lesser evils. Get serious. Is it annoying? Yes. Should it be stopped? Yes.
Things that cause you to lose your data and/or your computer have to be the worst.
Then things that leave your computer open to remote control, to do whatever (botnets, etc.) -- those have got to be next. Related to this area are those who maintain remote control via "forced" updates and forced online connections -- they can constantly degrade or disabl
Re: (Score:3)
Things that cause you to lose your data and/or your computer have to be the worst.
And when your CPU or GPU overheats and shits out because it's being stressed beyond the limits of the cooling system you cheaped out on because you were only putting together a Facebook machine and didn't need it to be able to handle heavy loads? You don't think that qualifies?
I think it does.
Yeah, and lightning strikes and earthquakes happen. If something is just *running* on your CPU and that causes it to overheat -- you have a lot more problems than crypto-mining. You really need a new computer.
Idle CPU, like 'free memory' is a waste of your computer. Used to be people would go donate cpu to things like distributed computing projects (https://en.wikipedia.org/wiki/List_of_distributed_computing_projects) like SETI (https://setiathome.berkeley.edu/) and run spare cycles 24/7. Computers that
Re: (Score:2)
Idle CPU, like 'free memory' is a waste of your computer.
And processing things like SETI@Home and Folding@Home on a general purpose CPU when there are much more efficient dedicated chips for those purposes is a waste of electricity. Hell, in the summer, it's even worse in warmer climates, as the extra heat means the air conditioning will run longer, wasting even more electricity. See, it's not so cut and dry when you consider other factors.
Computers that overheat when used are faulty (maybe dirty/dusty), but need maintenance or something fixed.
That doesn't mean they aren't out there. Trust me when I say plenty of them are out there.
Re: (Score:2)
I am sure. But if you have a limping computer that can't handle a cpu-load, there are steps you can take, like:
1) cleaning it
2) not overclocking
3) for multi-core, limit # cores in use using affinity
4) don't use hyperthreading
5) limit the cpu-clock -- most processors in the past 10 years have variable clock rates -- spinning down when idle, or to conserve power, ramping up under load. On Windows you can set the min and the max processor state (might need a patch on some OS's as MS enabled and later hid th
Re: mining crypt -- as malware?...lets be realisti (Score:2)
Otherwise, I'm sorry to say you wasted your time; even if I did have a PC that was just limping along, I wouldn't get hit with something like this in the first place, so it really wouldn't matter. Please, though, try not to hurt yourself too badly when you fall off
Re: (Score:1)
Things that cause you to lose your data and/or your computer have to be the worst.
And when your CPU or GPU overheats and shits out because it's being stressed beyond the limits of the cooling system you cheaped out on because you were only putting together a Facebook machine and didn't need it to be able to handle heavy loads? You don't think that qualifies?
Yes, ok, in the very rare circumstance that you happen to be running one of these bits of software on a system that you designed for using Facebook and that has a CPU defect [slashdot.org] that causes it to fail when it hits the point of thermal throttling, you would probably consider this a qualification for something worse than a script that is annoying and should be stopped, and if, for you, that means it falls into the category of malicious software that deletes your data, then ok. In that circumstance, ok.
Re: (Score:2)
In f
Re: (Score:2)
It doesn't fit the definition of "malware". It was not evil intent. Under normal circumstances:
doesn't cause loss of data
doesn't cause harm to hardware
doesn't deny service or crash your system
doesn't steal your credentials, your money or your life.
It's only slightly worse than crapware and adware that get installed on new computers or with various free SW installs (like from Adobe, et al). Or Windows 10, which when it first came out saturated some users' network connections with MS's data monitoring.
Now if
Current Miners Are Shit (Score:2)
Riddled with? (Score:2)
My understanding is that there was one app with one script containing the problematic issue.
While the whole repo thing seems to be another in a long line of Canonical great ideas, this one instance doesn't seem to fit "riddled with".
Example usage: Canonical is riddled with unqualified people making unjustified promises and changes to things they don't really seem to understand in the first place. Similar to Mars One or SystemD.
https://en.oxforddictionaries.... [oxforddictionaries.com]
Re: (Score:2)
Then get back to me when addressed. Until then you cannot be 'riddled with' 1 bullet hole.
Re: (Score:3)
Well, except that you should say "only detected one script containing the problematic". Given that they have stated that they don't curate the Snaps, there's little reason to believe that this is the only problem, or even the most serious one.
OTOH, the Snaps are supposed to execute within a sandbox. If it's a *good* sandbox, the probability of serious problems is small.
Re: (Score:2)
That would have been acceptable among many other phrases like "may be riddled". Like the universe may be riddled with life given the known occurrence of one instance and probabilities of scale.
Major browsers have executed things for years in a sandbox. Let that show a sandbox is not really a sufficient mechanism in itself.
Re: (Score:2)
A sandbox won't stop cryptocurrency mining, and it won't stop being a DDOS node (unless the sandbox quits periodically), but it should stop having your data encrypted by someone else, or published to the net, etc.
Cryptocurrency mining isn't the worst thing that happens, and a good sandbox will stop a lot of the problems, though not all.
I'd say it's the beginning of the end w/Canonical (Score:2)
But that would be disregarding all of the other missteps they've taken over the years that leave their wider community high and dry. Don't get me wrong, I really like how Ubuntu has brought many people to Linux that may otherwise not have tried it..but the way Canonical runs things, IMHO of course, seems to ostracize their devs and users whenever they decide to go for the next new shiny thing.
2100 will be the year of Linux on the desktop (Score:1)
Canonical doesn't have resources even to properly QA Ubuntu alone and make it 100% stable and working.
they review, or everyone using it does? (Score:2)
"Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them." What kind of nonsense is this? Every single user of one of their apps is supposed to "investigate" the developer of an app? If investigating the developer would succeed in preventing my downloading an app, then why doesn't Ubuntu do it?
Don't get me wrong, I don't really b
trusted vs time (Score:2)
"One of the most challenging aspects of running a modern software repository is just making sure that the published software is indeed only doing what it’s supposed to. In the classic Ubuntu repositories, we have the great privilege to work only with software built on trusted infrastructure, from source. That has obvious advantages but also requires a very long time for new bits to show up for millions of users."
who ever want to give up a trusted environment for less security? if you know what you are
Just say no to snaps (Score:2)
They are a last resort for testing bleeding edge software, or a shim to get something more current on an outdated install, otherwise wait for it to hit your repository where each component is at least vetted by a group of maintainers and signed.
Unacceptable (Score:2)
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
I'm sorry, but that just won't cut it. Google proved beyond a shadow of a doubt that if an app store isn't carefully curated, bad actors WILL infest it as much as they can get away with.
If Canonical is worried about their reputation after this incident, they need to understand that this incident will be nothing compared to when they discover that there are hundreds of sketchy applications filled with genuine malware.
By comparison, Apple (ignoring their control-freakery for the moment) understands that d