Ubuntu Software (store/app) - always safe?

I am an Ubuntu newb. Just got my first laptop running Ubuntu. Absolutely love it, but I have a question, when I start the app - Ubuntu Software - where I can browse by Categories or see the Editor's Picks, is all of the software in here vetted? Would I ever need to be concerned about potential malicious software being listed here?

TIA!


Solution 1:

is all of the software in here vetted?

Yes, but it is also an automated process that looks for specific kinds of code. At the bottom is an example of a backdoor and also the reason why it is hard to find.

And a large part of the check is done by the users (or at least a user) of that software. There have been a few incidents. Here are 3 ranging from 2003 to 2013:

  • http://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-attempt-of-2003/
  • https://freedom-to-tinker.com/2013/09/20/software-transparency-debian-openssl-bug/
  • http://www.omgubuntu.co.uk/2013/11/nsa-ask-linus-torvalds-include-backdoors-linux-father-says-yes

Generally you can expect uproar when a user finds a problem with software. That is also why we use open source: you can code a backdoor, you can get it into software, but you cannot completely hide a backdoor. At some point someone will notice that backdoor, either by examining code or by seeing something happen on their system.

Mind that this is also the reason why a large group of users using Linux refuse to install closed source drivers. You never know what is inside the code of closed source. It could have backdoors, it could have "phone home" malware.

Would I ever need to be concerned about potential malicious software being listed here?

  • At some point we all need to start trusting someone, and Canonical's track record is a lot better than Microsoft's or Apple's.

  • Not running servers on your own machine mitigates almost all your problems.

You can never be 100% sure but it might be better to focus on other issues. Your ISP recording everything you do on-line for instance. That is far more likely. Or someone hacking into your machine using your password.

===

From the 1st link: a person called Larry McVoy noticed a change to software called BitKeeper. The issue is a single =. So that is pretty difficult to find unless you see something odd as he did: he found it due to irregularities in the change log. The alteration was ...

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
    retval = -EINVAL;

No user admitted to making this change and since it was logged in a weird manner it is assumed someone tried to insert this deliberately as a backdoor. And it also has an explanation:

A casual reading by an expert would interpret this as innocuous error-checking code to make wait4 return an error code when wait4 was called in a certain way that was forbidden by the documentation. But a really careful expert reader would notice that, near the end of the first line, it said “= 0” rather than “== 0”. The normal thing to write in code like this is “== 0”, which tests whether the user ID of the currently running code (current->uid) is equal to zero, without modifying the user ID. But what actually appears is “= 0”, which has the effect of setting the user ID to zero.

Basically this adds options WCLONE and WALL that change the user ID to root. That is what you can call a backdoor :)
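The "= 0" versus "== 0" point above, as an added example (this is not code from the answer, the linked article or the Linux kernel): a constructed stand-in for the task struct with a single uid field, the backdoored check and the intended check side by side, and a helper that reports what happens to the uid. The struct, the option values and the function names are all assumptions made for the demonstration; the real kernel constants and wait4 code are not reproduced here.

```c
#include <stdio.h>

/* Constructed stand-in for the kernel task struct: only the field the
 * 2003 change touched. Hypothetical, not the kernel's definition. */
struct task {
    unsigned int uid;
};

/* Constructed option bits for the demonstration (not the kernel's values). */
#define OPT_WCLONE 0x80000000u
#define OPT_WALL   0x40000000u
#define ERR_INVAL  22

/* The check as it appeared in the backdoor attempt. "= 0" is an
 * assignment: it stores 0 into uid and the expression evaluates to 0,
 * so the error branch is never taken, but the caller is now root.
 * The extra parentheses around the assignment are also what typically
 * silence gcc's -Wparentheses "assignment used as truth value" warning. */
int check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_WCLONE | OPT_WALL)) && (current->uid = 0))
        retval = -ERR_INVAL;
    return retval;
}

/* The intended check: "== 0" compares and leaves uid untouched. */
int check_correct(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_WCLONE | OPT_WALL)) && (current->uid == 0))
        retval = -ERR_INVAL;
    return retval;
}

/* Run the backdoored check for an unprivileged caller and report the
 * uid afterwards: a defender reviewing the patch wants to see that it
 * changes state, not just whether it returns an error. */
unsigned int uid_after_backdoored(unsigned int start_uid, unsigned int options)
{
    struct task t = { start_uid };
    check_backdoored(&t, options);
    return t.uid;
}

unsigned int uid_after_correct(unsigned int start_uid, unsigned int options)
{
    struct task t = { start_uid };
    check_correct(&t, options);
    return t.uid;
}

int main(void)
{
    unsigned int opts = OPT_WCLONE | OPT_WALL;
    printf("backdoored check: uid 1000 -> %u\n", uid_after_backdoored(1000, opts));
    printf("correct check:    uid 1000 -> %u\n", uid_after_correct(1000, opts));
    return 0;
}
```

Compiling with -Wall does not flag the backdoored line, because the assignment is wrapped in its own parentheses; that is exactly why a reviewer has to read the operator itself rather than rely on the compiler, and why the change log irregularity, not the code, is what gave it away.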