Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Permalink for comment 400173
To read all comments associated with this story, please click here.
RE: Sooner or later
by elsewhere on Thu 17th Dec 2009 20:48 UTC in reply to "Sooner or later"
elsewhere
Member since:
2005-07-13

Personally, I think they should ban the upload of binary packages to such sites, they just cannot be trusted.


Don't necessarily disagree, but it's worth pointing out that the malware wasn't a binary package, it was a collection of scripts. Should have been easily vetted if someone was approving uploads, and it's probably why it was so quickly discovered.

If someone had created a functioning screensaver with an embedded trojan in the binary, even if the source was provided, I doubt it would have been discovered as quickly. The users with the savvy to lockdown and monitor their network traffic or processes probably aren't downloading and installing anonymous packages from public sites.

This should be a bit of a wakeup call, particularly for newer or naive users, and the community should be doing more to educate and inform less knowledgeable users on this point. Linux is no more immune to damage from user-installed packages than any other platform, yet all the cheerleading about how the unix-heritage somehow makes the platform more secure than Windows can lead to a false sense of security.

Users can become just as conditioned to clicking through a sudo authentication window as they can a UAC window.

Both platforms need better and more granular separation of privileges for applications, rather than focusing on users. If a user chooses to install a screen saver, they should be giving the application explicit permission to only access the display, and the platform should not be permitting it to touch network, file or system resources, regardless of the user permission level. AppArmor, selinux etc. are a step in the right direction, but need to be better integrated into the application installation framework, and that's not likely to happen any time soon.

As it stands, this problem will never go away, and can only get worse as a popularity increases.

Reply Parent Score: 2