Serious disclosure of hacks built into distros

For discussions about security.
gcmartin

Serious disclosure of hacks built into distros

#1 Post by gcmartin »

This is an appropriate security concern for anyone in this community.

This zooms in on one reason you MUST question who/which distro developer you TRUST!

This is far too easy to do, both in Puppyland's distros and across the distrowatch community releases. There are just too many ways a distro could be presented to target anyone OR to have your system release unwanted information.

Even I have found one developer whose work I would never use in production.

Share any ideas YOU might have, as your ideas could be useful on this subject.

Moat
Posts: 955
Joined: Tue 16 Jul 2013, 06:04
Location: Mid-mitten

#2 Post by Moat »

gcmartin

How would you know, as a user of a distro? Unless ....

#3 Post by gcmartin »

Thanks. Just saw that thread moments before your post. Thanks, again.

This THREAD intends to focus on whether we have reasonable approaches to safety from these kinds of exploits.

This, and the ability of any distro builder to do such, will raise an alarm across the Linux industry.

Back in the day, a RH developer and, separately, a Microsoft developer did such until he was discovered and fired, in each case. Further, the companies instituted internal measures to ensure any other attempt would be discovered in their unit/component/system test processes, in an effort to ensure individuals' backdoor efforts would never get to the field for public use.

In corporations that have the resources, their internal procedures are capable of discovering, thwarting, and recovering from such an act.

But, other than those corporations, nothing on this order exists. So the ability to do such, in Linux distros, is reasonably easy. And, without some existing means of testing for such, it could go undetected for a long time before being disclosed or discovered.

So, what is important is that we know WHO we are TRUSTING to provide a stable and safe distro free of the backdoors that could/would compromise your system and the information within.

Hope this is helpful.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#4 Post by musher0 »

Hi gc.

How did Lefebvre get wind of the breach?

I wouldn't say it's impossible to stop these things.

There already is a simple way that could help -- described elsewhere by Ted Dog:
1) not just one general checksum for the iso, but checksums for each component;
2) and these checksums are downloadable from another site.

I would add:
3) a file un-zippable only with a password but without which the distro can't run;
4) using lsof or other to scan for any backdoor and "shut it".

We should revisit the use of this German (?) "turn-the-tables" application -- named
"portspoof", I think. Once it spots a backdoor or a breach, it plugs it -- and it sends
copies of the "Little Red Riding Hood" tale, translated into many languages, to the
address the breach points to.

Actually we should send an entire encyclopedia or all of humanity's un-copyrighted
literature at this point in time to teach a lesson to the uncultured cretin who
breached the security of your machine in the 1st place.

It should keep him busy for a while. If the a..h.... doesn't read a specified number
of chapters every day, we send corresponding voltage through his spine.

My 2¢. BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#5 Post by s243a »

People can audit the code of Linux but not Windows. Windows is allegedly backdoored by design since, as the claim goes, Microsoft can remotely execute code on your system. The example given is the Windows 10 upgrade nag that was pushed to people's systems even when they had auto-upgrade turned off. If you believe that this type of corporate oversight can give you protection then maybe try Red Hat or Unix. Otherwise trust in what is done in the light.

gcmartin

#6 Post by gcmartin »

I agree with each.

On Audit

Do NOT expect developers or users to do such. In the RH case, he got away with it over a couple of releases before discovery. In the MS case, I believe the same.

Proprietary or NOT is of little consequence without checks and balances existing for discovery in some common and accepted industry practice when we talk open source. That is one of the problems with Open Source. Anyone can contribute, and sometimes it will go undiscovered. Since it is free (or considered so), the diligence for discovery is different than for software where a "Brand's Name" is at risk.

99% of this world does NOT look at code...free or otherwise. That is an IT industry approach for those who speak the appropriate language the code is generated from.

Further, casual users who do code inspections could mistakenly suspect the use of some codeset application as being somehow a security backdoor, when in fact it is not. In Puppyland, a firestorm erupted about a past approach in PUPs to determine if there is a path to the internet. Even though there were NO known exploits, some members felt there were. So, in cases like that, developers will take other measures, but even those could be exploited, though no known cases have occurred as yet. Hopefully, we won't have too many crying "wolf", but I think most get the point I bring up.

On Checksums
This is a great feature, but it has an inherent flaw. The checksums are generated by the distro builder. If he is the one who has manufactured the backdoor, he will be smart enough (I think) to ensure the checksum you receive matches his distro(s) with the backdoor.

On Backdoor's in General
These approaches have been around since almost the beginning of time. I remember one of the first, which was a system exploit to shut the system down if your allowed test period had expired and one did NOT pay for a real license. That is one example of what I consider a backdoor. You don't see it, and you are not aware of it until it surfaces/fails/stops or alerts you (one may not call it that, but in essence it is one type, even though this is thought to be acceptable).

In Summary
This exposure has now given me cause to suspect much, much more that I have taken for granted, even in this community. It's a sad fact that we have to deal with.

TRUST is my only weapon. At least until some other approaches can surface to provide a new level of backdoor discovery.
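The per-component checksum scheme musher0 describes in post #4 (one digest per file, with the list hosted somewhere other than the ISO) and the flaw gcmartin raises under "On Checksums" above (the builder who made the ISO also made the list) can both be made concrete. The following is an added example written for this thread; it is not code from the forum, from Puppy, or from any release tooling. The manifest format (one "sha256  relative/path" line per file), the directory names and every file's contents are constructed for illustration. verify_tree() catches a download that differs from what the builder published; cross_check() compares the builder's list with a copy obtained from a second site, which only helps when that second site is controlled by someone other than the builder.

```python
"""Per-component checksum manifest: build, verify, cross-check out of band.

Added example for this thread (not forum or Puppy code). Manifest format,
paths and file contents below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large ISO components need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """One digest per component, keyed by path relative to the release root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def format_manifest(manifest):
    """Serialise as 'digest  path' lines (the layout sha256sum -c accepts)."""
    return "".join(f"{d}  {rel}\n" for rel, d in sorted(manifest.items()))


def parse_manifest(text):
    """Parse 'digest  path' lines; reject anything that is not a SHA-256 hex digest."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[rel] = digest.lower()
    return manifest


def verify_tree(root, manifest):
    """Compare a downloaded tree against the manifest it shipped with.
    Reports modified, missing, and unexpected (unlisted) components."""
    actual = build_manifest(root)
    return {
        "modified": sorted(r for r, d in manifest.items() if r in actual and actual[r] != d),
        "missing": sorted(r for r in manifest if r not in actual),
        "unexpected": sorted(r for r in actual if r not in manifest),
    }


def cross_check(primary, out_of_band):
    """Paths whose digests differ between the builder's manifest and a copy
    fetched from an independently controlled site. Agreement proves only that
    the two copies agree: if the same builder controls both sites this says
    nothing about what the builder put in the release (gcmartin's point)."""
    keys = set(primary) | set(out_of_band)
    return sorted(k for k in keys if primary.get(k) != out_of_band.get(k))


def demo():
    """Constructed scenario: a release tree, its manifest, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "release"
        (root / "bin").mkdir(parents=True)
        (root / "vmlinuz").write_bytes(b"constructed kernel image\n")
        (root / "bin" / "helper").write_bytes(b"#!/bin/sh\necho original\n")

        manifest = build_manifest(root)
        clean = verify_tree(root, manifest)

        # Simulate an altered download: one component changed, one file added.
        (root / "bin" / "helper").write_bytes(b"#!/bin/sh\necho not the original\n")
        (root / "bin" / "extra").write_bytes(b"constructed file absent from the manifest\n")
        tampered = verify_tree(root, manifest)

        # Out-of-band copy of the list that disagrees on one digest.
        other = dict(manifest)
        other["vmlinuz"] = "0" * 64
        return {
            "clean": clean,
            "tampered": tampered,
            "cross_check": cross_check(manifest, other),
            "roundtrip": parse_manifest(format_manifest(manifest)) == manifest,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run against a real unpacked release by calling build_manifest() on the builder's side and verify_tree() plus cross_check() on the user's side; the out-of-band manifest should come from a host the builder does not administer, otherwise the check only confirms the builder's own story.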

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#7 Post by 8Geee »

I think it even reaches into 'permissions' in Puppy. I would check a few files to see if group and world have executable permissions. I could make the case that only user should have any permissions. Of course globally setting permissions in / to user-only rwx would help. If spot is invoked then it has to allow read privileges to files.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Daleb
Posts: 22
Joined: Thu 21 Jan 2016, 08:25

#8 Post by Daleb »

http://murga-linux.com/puppy/viewtopic. ... 7&start=75
Daleb wrote: Are all these Contributed Packages being checked so that they are not infected with a RAT image?
jamesbond wrote: Use another distro that you trust, and get out of here, Bindee the troll.
Daleb wrote: I will ask the nice people in the security section, as I don't understand if that is a yes or a no.
Semme wrote: Hey, no one's pull'in yer leg to run contributed pkgs. You don't like the setup -- Move On DA!
Daleb wrote: Another strange reply ?? What setup ??

How can anyone determine the setup without a yes or no reply on whether the files are checked ??
Semme wrote: I'm reasonably confident JB was insinuating a NO -- They're NOT scanned.

On the other side of the coin, there's nothing stop'in you from handling that task.

Any way you slice it, the simple act of being online assumes some level of risk.
Daleb wrote: What does that have to do with the question of whether forum users' contributed packages are checked for malicious files???

1...... Yes - they are checked for malicious content and code before being made public for others to use.

2...... No - forum users are free to infect other forum users until someone notices.

Anything other than a yes-or-no-based answer is illogical for anyone to make a decision from; you can't make an informed decision without being informed.
Semme wrote: Dbl removed.
Daleb wrote: You still can't make an informed decision on something that may or may not be being insinuated, and the strange cryptic reply and avoidance of a simple yes or no answer looks dishonest, as if something is purposely being hidden.
