Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it all. As it turns out, two malicious software packages had been uploaded to, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 399983
To read all comments associated with this story, please click here.
Sooner or later
by SlackerJack on Wed 16th Dec 2009 21:48 UTC
Member since:

This was bound to happen at some point and I'm surprised it hasn't been in the past.

Personally, I think they should ban the upload of binary packages to such sites, they just cannot be trusted.

Reply Score: 6

RE: Sooner or later
by irbis on Thu 17th Dec 2009 17:05 in reply to "Sooner or later"
irbis Member since:

Personally, I think they should ban the upload of binary packages to such sites, they just cannot be trusted.

Maybe in theory, yes. But in real life many people would find compiling programs too difficult. On the other hand, it is true that on a theme site like Gnome-look, many themes don't even need packaging, but could be installed as non-binaries.

Other than that, cases like this should be good reminders for ordinary desktop Linux users not to install unknown third party packages so easily. But probably many Linux users already knew this quite well. I just hope that MS Windows users could see the light too, because many of them seem to install relatively unknown binaries from the net all the time. A case like this is rather big news in the Linux world, but all too often Windows users don't seem to care, and may install odd and maybe trojan-infected binaries like pirated software from who knows where, and may simply expect their antivirus and antispyware etc. programs to protect them even if they themselves do stupid things.

Edited 2009-12-17 17:23 UTC

Reply Parent Score: 2

RE: Sooner or later
by elsewhere on Thu 17th Dec 2009 20:48 in reply to "Sooner or later"
elsewhere Member since:

Personally, I think they should ban the upload of binary packages to such sites, they just cannot be trusted.

Don't necessarily disagree, but it's worth pointing out that the malware wasn't a binary package, it was a collection of scripts. Should have been easily vetted if someone was approving uploads, and it's probably why it was so quickly discovered.

If someone had created a functioning screensaver with an embedded trojan in the binary, even if the source was provided, I doubt it would have been discovered as quickly. The users with the savvy to lockdown and monitor their network traffic or processes probably aren't downloading and installing anonymous packages from public sites.

This should be a bit of a wakeup call, particularly for newer or naive users, and the community should be doing more to educate and inform less knowledgeable users on this point. Linux is no more immune to damage from user-installed packages than any other platform, yet all the cheerleading about how the unix-heritage somehow makes the platform more secure than Windows can lead to a false sense of security.

Users can become just as conditioned to clicking through a sudo authentication window as they can a UAC window.

Both platforms need better and more granular separation of privileges for applications, rather than focusing on users. If a user chooses to install a screen saver, they should be giving the application explicit permission to only access the display, and the platform should not be permitting it to touch network, file or system resources, regardless of the user permission level. AppArmor, selinux etc. are a step in the right direction, but need to be better integrated into the application installation framework, and that's not likely to happen any time soon.

As it stands, this problem will never go away, and can only get worse as a popularity increases.

Reply Parent Score: 2