Dangers of Trojan horse hacking attacks

[wiak]

I have very recently been criticized for finding a contributed file suspicious in nature (rather than finding it funny).

The incident and possibility leads me to ask how 'safe' forum members feel this very open to submitted scripts, other programs, and isos, and so on, forum is? Yes, I know our use of such resources is based on trust, which makes a lot of sense when the contributions are from long-term members. But, are members confident there is very little chance a so-called bad actor could suddenly cause havoc via malicious practice?

How safe, I wonder, do you feel we really are compared to more restrictive distro-related forums?

Bear in mind that some have been banned from this forum, or left in anger, and some of these may be disgruntled.

[LeithR]

Until it is shown that it has happened we can only proceed in the confidence that it hasn't happened. We all start by applying common sense as we have been doing for some years now. In a community of mutual trust we can't do any thing else.

[ally]

I had an ISO bumped from the archive a few years back for dodgy code, it's only happened the one

[ozsouth]

@wiak - is certainly worth keeping in mind. I'd like to think the banned, etc folks simply get on with their lives, but one can't be sure. Trying code from very new users is a possible risk. Another perhaps more common issue is skill deficiencies & puplet-specific or outdated software.
My kernels are now in the latter category, but I guess that after seeing a warning, folks are free to try stuff at their own risk.

[wiak]

...I'd like to think the banned, etc folks simply get on with their lives, but one can't be sure.

I expect most do or simply come back as new personas without threatening any chaos. But one old member seems to remain resentful to the point of delusion.

I don't believe any work published on this hobby forum uses digital signing so we would have a major problem is any major system components or complex build systems were compromised. Gentoo managed to get away with it because of their security practices, though I'd still hesitate to trust they found everything; can you imagine the damage that would be done to all distros represented by this forum if any became compromised - who would then trust using them thereafter?
https://nakedsecurity.sophos.com/2018/0 ... mpromised/

This breach is a reminder of the difficulty of keeping everything secure in a cloud-centric world, where you have multiple people who need the keys to the castle, multiple repositories to deal with traffic, and an apparently ever-increasing number of attackers with an enormous range of motivations for breaking into and messing with your digital stuff.

(We don’t yet know the motivation of the attackers in this case – a grudge against Linux? a grudge against Gentoo? a grudge against Microsoft for acquiring GitHub?

Recently I came across a piece of software I really wanted to use (unfortunately I can't remember what it was already!) but after going to its website I found the site had been hacked and source code compromised so the project closed. In fact it was a popular project so volunteers had checked everything best they could so they decided to re-open but with disclaimer that they though all was now well, at least to the best of their ability. If I remember the site, I'll post a link to it to illustrate the problem better. Such attacks on ordinary open source seems- extremely rare at present, but some people do strange things for a laugh, and I don't expect we will remain free from such pain forever (especially since Puppy itself basically boasts about being a 'secure' root desktop distro, which could be taken as a challenge).

That's one reason I keep FirstRib builds of my own separate now from any close to identical Kennel Linux FR-based releases. I want to be able to use my distros in business environment but want to rely as much as possible on secure upstream repo handling only, particularly without any contributed binaries that I haven't checked thoroughly or compiled myself. In hobby use on separate computer, I don't particularly care, though depends what I use the machine for. I look after my own build scripts, know them well, and they are quite simple to check for me - a simple diff is enough on a couple of files for me to check they are the ones I want!

My observation is that most crimes to individuals are not in fact done by strangers at all, but in the 'home'. Employees, disgruntled ex-employees, abuse statistics reveal generally family members, relatives or 'friends' and so on. I don't tend to myself fear internet-related hacking from far away so much (despite some websites pretty much being automatically 'dangerous') but rather feel the biggest danger here is generally more likely, if ever, to come from one of the many hundreds of forum members, most of whom are extremely pleasant individuals who wouldn't 'hurt a fly'.

[rockedge]

The points and reason we keep Kennel Linux as transparent as possible. A deterrent in having no dark corners to hide code.

[wiak]

The points and reason we keep Kennel Linux as transparent as possible. A deterrent in having no dark corners to hide code.

Absolutely. But it has to all be kept as 'simple' as possible. Complexity hides underlying operation to the extent that almost no-one can be left truly understanding how a system is built (in detail) or works. Certainly it important to put key build resources under the watchful eyes of selected, trusted individuals, but sometimes a system can become so complex or old that no-one really understands every detail about its operation.

[dimkr]

We are not safe, especially when running untrusted code downloaded from a forum as root.

IMO the best solution to this, at the infrastructure level, is to automate packaging. Some woof-CE build configurations use zero .pet packages and Puppy specific packages are built from source (https://github.com/puppylinux-woof-CE/w ... -petbuilds) instead of using prebuilt .pet packages with unknown origins. Who knows, .pet packages are not digitally signed and some Puppies even download them over HTTP - maybe they were not built from unmodified source code that's available publicly, maybe they're malicious, and maybe they were OK but got replaced with malicious packages at some point.

[Grey]

How safe, I wonder, do you feel we really are compared to more restrictive distro-related forums?

PupBI.png (27.05 KiB) Viewed 974 times

Calmly, FBI (Forum's Bureau of Investigation) enters the case. Since my dog and I have experience in such matters, then I will start.
So, what makes us different from other forums? Poverty. And poor people should trust each other, because they have nothing else to do.
The team is small, so who needs us besides each other? Everyone who came for the first time was probably afraid of the others at first.
Let's compare it with two other forums.

Linux Mint. Lots of sponsors, plus even more individual donations. In addition, recently Clem boasted (and quite deservedly) that Wil Wheaton uses the system. Yes, I didn't remember who it was on the first day, but on the second day, lightning flashed in my head and I remembered that it was Sheldon Cooper's friend (and enemy) from the Big Bang Theory.
They have funds for the maintenance of the website and forum, for food and so on. Accordingly, they must ensure the security of both the system itself and the entire infrastructure (well, for such decent funds).

PuppyRus Linux (the link to which is on the main page). Due to the sanctions, advertising on the pages has ceased to generate income (payment for hosting - according to him). What did the Main (and it seems the only) developer of the system and the forum site do? He went to Boosty. And now he offers some "services" to those interested. For example: access to kernels BEFORE ISO release, access to modules BEFORE release (2 times more expensive than kernels), accepts applications for the assembly of individual modules, VIP subscription with consultations.
If things get better, he promises to hire additional developers. And if it doesn't work out... he will stop making builds for everyone and will do it only for himself.

So, security costs money, sadly. And trust is a free thing that cannot be bought. Either it exists or it doesn't.

And now I'm giving the floor to my dog, formerly a detective. His name is Rex, in honor of Rex Stout (who, by a strange coincidence, died in Connecticut, not far from @rockedge ). Of course Rex is not Nero Wolfe, but he can do something.
----------\

Code: Select all

/\_/\
|- -|
| ^ |
\_~_/

Hey, Rex is on the air.
Consider the motives and possibilities of the suspects.

So, our first suspect. @Grey . A complicated geopolitical situation, plus a strange (almost "black") sense of humor. Who knows what his skull is hiding. Sometimes he posts stupid pictures. Remember how he changed the keyboard scanner in Geany so that the secret game would start when the "puppy" keys were pressed, not "geany". Of course, he warned everyone... But I would have bitten him, honestly... But he feeds me and I can't be objective.

The second suspect. @wiak . Who is the main suspect? Of course the butler! That is, the author of the topic. In addition, he is a separatist who no longer believes in the future of Puppy and considers it outdated and rusty at heart. At every opportunity, he reminds that his developments are NOT Puppy.

The third and no less suspicious. @rockedge . All power is in his hands and it can intoxicate, turn his head. Does everyone remember the outages and glitches of the forum? And if it was the Lord himself who arranged them. Not for the sake of wealth and fame - for he is already glorified and honored - but to raise the adrenaline of the forum participants and give an impulse to development.

Fourth. @dimkr . The main programmer at the moment. That is, he has access to the hidden insides of the system. He is also a philosopher and sociologist. BA in philosophy + MA in sociology. And what if we assume that he will conduct an experiment - philosophical or sociological - with Trojans and keyboard scanners.

Finally, @666philb , @peebee and @mikewalsh . Known in the cybercrime environment as the "English Trio" or KGB (KoolKingKongs of Great Britain). These are such dangerous and terrible guys that I am afraid to speak openly out of fear for my doggy, but nevertheless life.
Besides, I'm just tired of barking at everyone. Do you think it's easy to type text with a paw?!
----------/

Yes, against the background of this gang, Clem and Wil look like real angels
All coincidences with real characters and people are random and do not carry any semantic load

[mikewalsh]

@Grey :-

Y'know, flattered as I am to be included amongst such august company, I can't help feeling you've misplaced me here......even though the above is thoroughly "tongue-in-cheek"!

These guys are the "creme de la creme" of the Puppy community. Between them, they've contributed so much to the community over the years, and have truly helped to define what Puppy is. Me, I'm a "bumbler"; I mess about with the odd bit of packaging, the odd utility here and there.....but in no way, shape or form can I be said to have helped to shape Puppy development, even in the slightest.

Others are far more worthy of being mentioned above than I. Not that I don't appreciate it, but to be included amongst the "greats" makes me feel even more of a fraud than I already feel I am..!

Mike.

[Clarity]

If we do have a member doing the dastardly deed in targeting the community or certain users, I hope they see this and removes such before discovery.

Secondly, if some crafty forum member is discovered to be committing such, it will have MAJOR community impact in trust, I'm afraid.

Fingers crossed....