Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Thread beginning with comment 399999
RE: Bottom Line
by lemur2 on Wed 16th Dec 2009 22:30 UTC in reply to "Bottom Line"
lemur2 Member since:
2007-02-17

On any operating system, when you install 3rd-party applications, you can be compromised. On Windows, all those helpful little utilities, games, etc. you install - any of them has the potential to hose your system. Same goes for Linux, Mac, BSD, etc. That is why I like the packaging systems in Linux and BSD. I've never been hosed, I have thousands of applications available, and all of my applications stay up-to-date. Very rarely will I install a 3rd-party application. I just did for Chrome Beta for Linux. I trusted Google enough to trust their package. For me, that is the only exception. I would say this is probably the main security weakness in Windows. You have to install 3rd-party applications to get much useful done. You have to be very careful. It's not just whether you trust the company, but also whether they have been unknowingly compromised (by a virus at their company), or whether there is a backdoor built in for the government. It's very hard to tell.


Precisely. Spot on.

Package managers and associated repositories for Linux systems are a means of delivery of applications to users' systems that has an impeccable record. AFAIK there has never been a recorded instance of an end user's system getting malware via the package manager/repository system.

OTOH, downloading applications and utilities from websites is one of the primary means of delivery of trojans to end users' systems, regardless of the OS.

If anything, this incident just underlines the points: that one simply cannot trust downloading from websites, no matter how seemingly reputable; and that one should always use the package manager, and ONLY the package manager, to install applications and utilities for Linux systems.

Fortunately, just about everything one would want for a Linux system is installable via its package manager and repository.

In contrast, downloading binary blobs from websites and putting them on one's system is a way of life for Windows users. Mac users are possibly part way between these two extremes.

Edited 2009-12-16 22:31 UTC

Reply Parent Score: 4

RE[2]: Bottom Line
by google_ninja on Wed 16th Dec 2009 22:56 in reply to "RE: Bottom Line"
google_ninja Member since:
2006-02-05

If anything, this incident just underlines the points: that one simply cannot trust downloading from websites, no matter how seemingly reputable; and that one should always use the package manager, and ONLY the package manager, to install applications and utilities for Linux systems.


That's not really true.

As soon as you execute ANY executable code, you are putting full control of your computer into the hands of anyone who had the ability to modify that code before it got to you. I'm assuming you mean Debian when you said package managers have an impeccable record, and I would totally agree with that. But that doesn't change that you are putting control of your computer into the hands of whoever has the ability to add or modify a package in a Debian repo when you run it.

It is a matter of trust, and a question of degree.

In contrast, downloading binary blobs from websites and putting them on one's system is a way of life for Windows users. Mac users are possibly part way between these two extremes.


Mac users are in the same boat as Windows users.

Reply Parent Score: 4
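One concrete reading of the point above, that running a package hands control to whoever could alter it before it reached you: a binary .deb may carry maintainer scripts (preinst/postinst/prerm/postrm) that dpkg runs as root at install time, so a defender's first check on a third-party package like the ones in this story is to list them before installing. This is an added example, not code from the thread or from Debian; it builds a constructed sample package in memory and parses the ar/tar container directly (instead of calling dpkg-deb) so it runs offline.

```python
import io, tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

def _ar_member(name, data):
    # ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
    return hdr + data + (b"\n" if len(data) % 2 else b"")  # members are 2-byte aligned

def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_deb(control_files, data_files):
    # A binary .deb is an ar archive holding debian-binary, control.tar.* and data.tar.*
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(control_files))
            + _ar_member("data.tar.gz", _tar_gz(data_files)))

def _ar_members(blob):
    if blob[:8] != b"!<arch>\n": raise ValueError("not an ar archive, so not a .deb")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii"))
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)

def maintainer_scripts(deb):
    # Returns {script name: script text} for every maintainer script inside the .deb
    for name, data in _ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                return {m.name.lstrip("./"): tf.extractfile(m).read().decode()
                        for m in tf.getmembers()
                        if m.isfile() and m.name.lstrip("./") in MAINTAINER_SCRIPTS}
    raise ValueError("no control.tar member found")

# Constructed sample: a "theme" package that has no reason to run anything, yet ships a postinst.
CONTROL = b"Package: example-theme\nVersion: 1.0\nArchitecture: all\nMaintainer: x\nDescription: constructed sample\n"
THEME = {"usr/share/themes/example/index.theme": b"[Desktop Entry]\n"}
SUSPECT_DEB = build_deb({"control": CONTROL, "postinst": b"#!/bin/sh\necho 'runs as root at install time'\n"}, THEME)
CLEAN_DEB = build_deb({"control": CONTROL}, THEME)
```

A theme or screensaver that only drops files under /usr/share should yield an empty result; anything in the returned dict deserves a read before dpkg is allowed to run it.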

RE[3]: Bottom Line
by lemur2 on Thu 17th Dec 2009 00:57 in reply to "RE[2]: Bottom Line"
lemur2 Member since:
2007-02-17

As soon as you execute ANY executable code, you are putting full control of your computer into the hands of anyone who had the ability to modify that code before it got to you. I'm assuming you mean debian when you said package managers have an impeccable record, and I would totally agree with that. But that doesn't change that you are putting control of your computer into the hands of whoever has the ability to add or modify a package in a debian repo when you run it.

It is a matter of trust, and a question of degree.


No, I mean all distribution repositories. That is to say, those repositories of packages that are maintained by some distribution or another.

Debian has these, as does Fedora, Arch, Ubuntu, Mandriva, OpenSuse, Slackware ... almost any distribution. (Some smaller distributions leech off other repositories. For example, sidux uses the Debian sid repositories).

All of these have an impeccable record.

Debian and Ubuntu repositories include about 25,000 packages. "Smaller" distributions, such as Arch, will typically have only about 5,000 packages. This is largely a matter of the manpower available to maintain the repositories in each case.

As far as trust goes ... it is most decidedly in the self-interest of the distribution to maintain the highest quality of its repositories. This is what the people involved themselves use for their own systems, and the quality of the distribution's repositories is what the entire reputation of the distribution hangs on.

As for whether or not you can trust the system ... well, having an impeccable record over many years for thousands of packages speaks a lot to that topic, wouldn't you say?

Edited 2009-12-17 01:00 UTC

Reply Parent Score: 2

RE[2]: Bottom Line
by WorknMan on Thu 17th Dec 2009 18:21 in reply to "RE: Bottom Line"
WorknMan Member since:
2005-11-13

If anything, this incident just underlines the points: that one simply cannot trust downloading from websites, no matter how seemingly reputable; and that one should always use the package manager, and ONLY the package manager, to install applications and utilities for Linux systems.


In other words, if you had source code available for every Windows application you ran, and had eyes on that code that would package it for you, then Windows would probably be just as secure as Linux is.

Unfortunately, telling people that the only way to secure their systems is not to run any app whose source code hasn't been reviewed by a committee is just not very practical for a lot of folks, because it severely limits the apps you would be allowed to run. Not everything that is useful to me out in the wild is open source. If that wasn't the case, then those of us who use proprietary software wouldn't have to take the risk of downloading binaries from 3rd party websites and running them.

Reply Parent Score: 2

RE[3]: Bottom Line
by lemur2 on Thu 17th Dec 2009 22:31 in reply to "RE[2]: Bottom Line"
lemur2 Member since:
2007-02-17

"If anything, this incident just underlines the points: that one simply cannot trust downloading from websites, no matter how seemingly reputable; and that one should always use the package manager, and ONLY the package manager, to install applications and utilities for Linux systems.
In other words, if you had source code available for every Windows application you ran, and had eyes on that code that would package it for you, then Windows would probably be just as secure as Linux is. "

Possibly. The system with Linux relies on a bit more than just eyes on. It relies, for example, on the fact that one set of people, with a whole raft of different responsibilities, ties, and allegiances, write the code, as a collaboration, and that an entirely different set of groups of people package it in full and plain sight of what went into it.

Duplicate that on Windows distribution channels and you may then one day approach the same level of trustworthiness.

Unfortunately, telling people that the only way to secure their systems is not to run any app whose source code hasn't been reviewed by a committee is just not very practical for a lot of folks, because it severely limits the apps you would be allowed to run. Not everything that is useful to me out in the wild is open source. If that wasn't the case, then those of us who use proprietary software wouldn't have to take the risk of downloading binaries from 3rd party websites and running them.


Actually, you would be very surprised at what you can do, and what power is available to you, even if you limit yourself to run ONLY Free Software.

However, it should be admitted that there are some critical application areas that are simply not covered well enough by Free Software. OK, so here is an approach: limit yourself to just the one or two critical commercial professional applications, and do the rest with open source, on an open source OS.

For example, if you are a CAD professional:

http://www.varicad.com/en/home/

... then run it on a secure Linux system (Kubuntu and OpenSuse are recommended).

This way, you limit your exposure to getting a trojan to the installation of just that one or two critical-but-non-free commercial applications.

Reply Parent Score: 2