Dangers of Trojan horse hacking attacks

For discussions about security.
Post Reply
User avatar
wiak
Posts: 4082
Joined: Tue Dec 03, 2019 6:10 am
Location: Packing - big job
Has thanked: 65 times
Been thanked: 1208 times
Contact:

Dangers of Trojan horse hacking attacks

Post by wiak »

I have very recently been criticized for finding a contributed file suspicious in nature (rather than finding it funny).

The incident and possibility leads me to ask how 'safe' forum members feel this very open to submitted scripts, other programs, and isos, and so on, forum is? Yes, I know our use of such resources is based on trust, which makes a lot of sense when the contributions are from long-term members. But, are members confident there is very little chance a so-called bad actor could suddenly cause havoc via malicious practice?

How safe, I wonder, do you feel we really are compared to more restrictive distro-related forums?

Bear in mind that some have been banned from this forum, or left in anger, and some of these may be disgruntled.

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Αξίζει να μεταφραστεί;

LeithR
Posts: 66
Joined: Sun Aug 09, 2020 11:36 am
Been thanked: 2 times

Re: Dangers of Trojan horseby hacking attacks

Post by LeithR »

Until it is shown that it has happened we can only proceed in the confidence that it hasn't happened. We all start by applying common sense as we have been doing for some years now. In a community of mutual trust we can't do any thing else.

User avatar
ally
Posts: 186
Joined: Tue Jul 07, 2020 5:14 am
Has thanked: 108 times
Been thanked: 81 times
Contact:

Re: Dangers of Trojan horse hacking attacks

Post by ally »

I had an ISO bumped from the archive a few years back for dodgy code, it's only happened the one

:)

ozsouth
Posts: 1569
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 241 times
Been thanked: 704 times

Re: Dangers of Trojan horse hacking attacks

Post by ozsouth »

@wiak - is certainly worth keeping in mind. I'd like to think the banned, etc folks simply get on with their lives, but one can't be sure. Trying code from very new users is a possible risk. Another perhaps more common issue is skill deficiencies & puplet-specific or outdated software.
My kernels are now in the latter category, but I guess that after seeing a warning, folks are free to try stuff at their own risk.

User avatar
wiak
Posts: 4082
Joined: Tue Dec 03, 2019 6:10 am
Location: Packing - big job
Has thanked: 65 times
Been thanked: 1208 times
Contact:

Re: Dangers of Trojan horse hacking attacks

Post by wiak »

ozsouth wrote: Sun Feb 05, 2023 10:38 pm

...I'd like to think the banned, etc folks simply get on with their lives, but one can't be sure.

I expect most do or simply come back as new personas without threatening any chaos. But one old member seems to remain resentful to the point of delusion.

I don't believe any work published on this hobby forum uses digital signing so we would have a major problem is any major system components or complex build systems were compromised. Gentoo managed to get away with it because of their security practices, though I'd still hesitate to trust they found everything; can you imagine the damage that would be done to all distros represented by this forum if any became compromised - who would then trust using them thereafter?
https://nakedsecurity.sophos.com/2018/0 ... mpromised/

This breach is a reminder of the difficulty of keeping everything secure in a cloud-centric world, where you have multiple people who need the keys to the castle, multiple repositories to deal with traffic, and an apparently ever-increasing number of attackers with an enormous range of motivations for breaking into and messing with your digital stuff.

(We don’t yet know the motivation of the attackers in this case – a grudge against Linux? a grudge against Gentoo? a grudge against Microsoft for acquiring GitHub?

Recently I came across a piece of software I really wanted to use (unfortunately I can't remember what it was already!) but after going to its website I found the site had been hacked and source code compromised so the project closed. In fact it was a popular project so volunteers had checked everything best they could so they decided to re-open but with disclaimer that they though all was now well, at least to the best of their ability. If I remember the site, I'll post a link to it to illustrate the problem better. Such attacks on ordinary open source seems- extremely rare at present, but some people do strange things for a laugh, and I don't expect we will remain free from such pain forever (especially since Puppy itself basically boasts about being a 'secure' root desktop distro, which could be taken as a challenge).

That's one reason I keep FirstRib builds of my own separate now from any close to identical Kennel Linux FR-based releases. I want to be able to use my distros in business environment but want to rely as much as possible on secure upstream repo handling only, particularly without any contributed binaries that I haven't checked thoroughly or compiled myself. In hobby use on separate computer, I don't particularly care, though depends what I use the machine for. I look after my own build scripts, know them well, and they are quite simple to check for me - a simple diff is enough on a couple of files for me to check they are the ones I want!

My observation is that most crimes to individuals are not in fact done by strangers at all, but in the 'home'. Employees, disgruntled ex-employees, abuse statistics reveal generally family members, relatives or 'friends' and so on. I don't tend to myself fear internet-related hacking from far away so much (despite some websites pretty much being automatically 'dangerous') but rather feel the biggest danger here is generally more likely, if ever, to come from one of the many hundreds of forum members, most of whom are extremely pleasant individuals who wouldn't 'hurt a fly'.

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Αξίζει να μεταφραστεί;

User avatar
rockedge
Site Admin
Posts: 6548
Joined: Mon Dec 02, 2019 1:38 am
Location: Connecticut,U.S.A.
Has thanked: 2750 times
Been thanked: 2627 times
Contact:

Re: Dangers of Trojan horse hacking attacks

Post by rockedge »

The points and reason we keep Kennel Linux as transparent as possible. A deterrent in having no dark corners to hide code.

User avatar
wiak
Posts: 4082
Joined: Tue Dec 03, 2019 6:10 am
Location: Packing - big job
Has thanked: 65 times
Been thanked: 1208 times
Contact:

Re: Dangers of Trojan horse hacking attacks

Post by wiak »

rockedge wrote: Sun Feb 05, 2023 11:46 pm

The points and reason we keep Kennel Linux as transparent as possible. A deterrent in having no dark corners to hide code.

Absolutely. But it has to all be kept as 'simple' as possible. Complexity hides underlying operation to the extent that almost no-one can be left truly understanding how a system is built (in detail) or works. Certainly it important to put key build resources under the watchful eyes of selected, trusted individuals, but sometimes a system can become so complex or old that no-one really understands every detail about its operation.

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Αξίζει να μεταφραστεί;

dimkr
Posts: 2423
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1202 times

Re: Dangers of Trojan horse hacking attacks

Post by dimkr »

We are not safe, especially when running untrusted code downloaded from a forum as root.

IMO the best solution to this, at the infrastructure level, is to automate packaging. Some woof-CE build configurations use zero .pet packages and Puppy specific packages are built from source (https://github.com/puppylinux-woof-CE/w ... -petbuilds) instead of using prebuilt .pet packages with unknown origins. Who knows, .pet packages are not digitally signed and some Puppies even download them over HTTP - maybe they were not built from unmodified source code that's available publicly, maybe they're malicious, and maybe they were OK but got replaced with malicious packages at some point.

User avatar
Grey
Posts: 2024
Joined: Wed Jul 22, 2020 12:33 am
Location: Russia
Has thanked: 76 times
Been thanked: 376 times

Re: Dangers of Trojan horse hacking attacks

Post by Grey »

wiak wrote: Sun Feb 05, 2023 4:15 pm

How safe, I wonder, do you feel we really are compared to more restrictive distro-related forums?

PupBI.png
PupBI.png (27.05 KiB) Viewed 986 times

Calmly, FBI (Forum's Bureau of Investigation) enters the case. Since my dog and I have experience in such matters, then I will start.
So, what makes us different from other forums? Poverty. And poor people should trust each other, because they have nothing else to do.
The team is small, so who needs us besides each other? Everyone who came for the first time was probably afraid of the others at first.
Let's compare it with two other forums.

Linux Mint. Lots of sponsors, plus even more individual donations. In addition, recently Clem boasted (and quite deservedly) that Wil Wheaton uses the system. Yes, I didn't remember who it was on the first day, but on the second day, lightning flashed in my head and I remembered that it was Sheldon Cooper's friend (and enemy) from the Big Bang Theory.
They have funds for the maintenance of the website and forum, for food and so on. Accordingly, they must ensure the security of both the system itself and the entire infrastructure (well, for such decent funds).

PuppyRus Linux (the link to which is on the main page). Due to the sanctions, advertising on the pages has ceased to generate income (payment for hosting - according to him). What did the Main (and it seems the only) developer of the system and the forum site do? He went to Boosty. And now he offers some "services" to those interested. For example: access to kernels BEFORE ISO release, access to modules BEFORE release (2 times more expensive than kernels), accepts applications for the assembly of individual modules, VIP subscription with consultations.
If things get better, he promises to hire additional developers. And if it doesn't work out... he will stop making builds for everyone and will do it only for himself.

So, security costs money, sadly. And trust is a free thing that cannot be bought. Either it exists or it doesn't.

And now I'm giving the floor to my dog, formerly a detective. His name is Rex, in honor of Rex Stout (who, by a strange coincidence, died in Connecticut, not far from @rockedge ). Of course Rex is not Nero Wolfe, but he can do something.
----------\

Code: Select all

/\_/\
|- -|
| ^ |
\_~_/

Hey, Rex is on the air.
Consider the motives and possibilities of the suspects.

So, our first suspect. @Grey . A complicated geopolitical situation, plus a strange (almost "black") sense of humor. Who knows what his skull is hiding. Sometimes he posts stupid pictures. Remember how he changed the keyboard scanner in Geany so that the secret game would start when the "puppy" keys were pressed, not "geany". Of course, he warned everyone... But I would have bitten him, honestly... But he feeds me and I can't be objective.

The second suspect. @wiak . Who is the main suspect? Of course the butler! That is, the author of the topic. In addition, he is a separatist who no longer believes in the future of Puppy and considers it outdated and rusty at heart. At every opportunity, he reminds that his developments are NOT Puppy.

The third and no less suspicious. @rockedge . All power is in his hands and it can intoxicate, turn his head. Does everyone remember the outages and glitches of the forum? And if it was the Lord himself who arranged them. Not for the sake of wealth and fame - for he is already glorified and honored - but to raise the adrenaline of the forum participants and give an impulse to development.

Fourth. @dimkr . The main programmer at the moment. That is, he has access to the hidden insides of the system. He is also a philosopher and sociologist. BA in philosophy + MA in sociology. And what if we assume that he will conduct an experiment - philosophical or sociological - with Trojans and keyboard scanners.

Finally, @666philb , @peebee and @mikewalsh . Known in the cybercrime environment as the "English Trio" or KGB (KoolKingKongs of Great Britain). These are such dangerous and terrible guys that I am afraid to speak openly out of fear for my doggy, but nevertheless life.
Besides, I'm just tired of barking at everyone. Do you think it's easy to type text with a paw?!
----------/

Yes, against the background of this gang, Clem and Wil look like real angels ;)
All coincidences with real characters and people are random and do not carry any semantic load :idea:

Fossapup OS, Ryzen 5 3600 CPU, 64 GB RAM, GeForce GTX 1050 Ti 4 GB, Sound Blaster Audigy Rx with amplifier + Yamaha speakers for loud sound, USB Sound Blaster X-Fi Surround 5.1 Pro V3 + headphones for quiet sound.

User avatar
mikewalsh
Moderator
Posts: 6163
Joined: Tue Dec 03, 2019 1:40 pm
Location: King's Lynn, UK
Has thanked: 795 times
Been thanked: 1981 times

Re: Dangers of Trojan horse hacking attacks

Post by mikewalsh »

@Grey :-

Y'know, flattered as I am to be included amongst such august company, I can't help feeling you've misplaced me here......even though the above is thoroughly "tongue-in-cheek"!

These guys are the "creme de la creme" of the Puppy community. Between them, they've contributed so much to the community over the years, and have truly helped to define what Puppy is. Me, I'm a "bumbler"; I mess about with the odd bit of packaging, the odd utility here and there.....but in no way, shape or form can I be said to have helped to shape Puppy development, even in the slightest.

Others are far more worthy of being mentioned above than I. Not that I don't appreciate it, but to be included amongst the "greats" makes me feel even more of a fraud than I already feel I am..!

Mike. :o :oops:

Clarity
Posts: 3830
Joined: Fri Jul 24, 2020 10:59 pm
Has thanked: 1631 times
Been thanked: 524 times

Re: Dangers of Trojan horse hacking attacks

Post by Clarity »

If we do have a member doing the dastardly deed in targeting the community or certain users, I hope they see this and removes such before discovery.

Secondly, if some crafty forum member is discovered to be committing such, it will have MAJOR community impact in trust, I'm afraid.

Fingers crossed....

Post Reply

Return to “Security”