Free Download Manager backdoored – a possible supply chain attack on Linux (securelist.com)
152 points by donutshop on Sept 12, 2023 | hide | past | favorite | 127 comments



This is installed by adding a shady repository to your apt sources.list...

How is this a supply chain attack? My official Debian repository has never been breached so far.

This is no different from downloading an .exe off a shady website and blindly running the .exe.

Also: https://packages.debian.org/search?keywords=download+manager... lists:

• uget: https://sourceforge.net/projects/urlget/

• kget: https://apps.kde.org/en-gb/kget/

• persepolis: https://persepolisdm.github.io/

Why use "Free Download Manager" when high quality ones are already officially packaged by Debian? Is this targeting newcomers from Windows?


Basically, as per everything these days, the entire software industry is based on "download and run any old shit off the Internet" with little to no fucks given about the source or trustworthiness or correctness. End users are no better because for most people, including a lot of novice Linux users, this isn't even considered as part of fixing or dealing with any particular problem. Cut / paste / job done.

Worst is I've seen CD/CI systems which just pull unsigned unverified binaries off the internet and build software from github, random APT and YUM repos, all sorts of shit. This is then all thrown together and pushed into production systems.


Other than reputation analysis by Snyk, I honestly don’t know how to objectively analyze one repo/package versus another.

Obviously I can make some basic heuristics, but I can’t reasonably evaluate all of the components of trust for every library, package, container, framework, repo even at a regular interval, let alone fast enough to just maintain patch levels (nevermind being reasonably productive).

I actually considered first steps in making a business out of this idea, but I’m convinced that every developer overestimates their ability to identify untrustworthy repos/packages and companies aren’t willing to pay the actual cost (with either subscription dollars or in the friction it would add to reject almost all 3rd party code because it doesn’t meet high standards of quality and security in a transparent and verifiable way).


>Obviously I can make some basic heuristics, but I can’t reasonably evaluate all of the components of trust for every library, package, container, framework, repo even at a regular interval, let alone fast enough to just maintain patch levels (nevermind being reasonably productive).

Related: have you tried throwing a file (or a hash) at VirusTotal lately? If it's executable, they'll run it in a sandbox and give you a forensic report of everything it touched and did.

I'm so suspicious of software I can't at least review the source code of that originates outside of trusted channels that I probably wouldn't run anything meeting that description that I couldn't compile myself if it weren't for that (and similar) tools.


Virus scan is only 1% of security.

Eg. How do I know with any certainty that a library passes all OWASP best practices? Or is well documented? Or is maintained? Or is responsive to security reports? [… and dozens of other similar properties]


Reviewing code is an insurmountable task if you're using more than a few very simple packages.


It doesn't have to be. Corporations which are FedRAMP[1] compliant, have to build software reproducibly in a fully isolated environment, only from reviewed code.[2]

[1] https://en.wikipedia.org/wiki/FedRAMP

[2] https://slsa.dev/


Ah, I remember when we all did that. It was just part of basic due diligence - pull all your dependencies into your own build system, review and check compatibility, then build completely locally.

Of course a lot of what we built wasn’t public facing or exposed to the internet at all, so addressing the latest vulnerabilities in record time wasn’t quite as important as known-good builds.

I’ve worked in one or two places recently (big bank) that are large enough to have their own internal repo systems and teams of security/compliance reviewers. Their versions of things can be a bit behind but are at least under control of the same org. Everywhere else, well, it feels a bit like cowboy country…

(edit - the other trade-off was of course that you wrote a lot more of everything yourself, rather than pulling in whatever you felt like. This slows down the development cycle significantly but it does mean people had a greater understanding of everything in their stack, and products were often more lean as a result.)


In theory, yes. Who has really reviewed and analyzed every line of Kafka or Spark? Even the bigcos.. don't.


I personally believe this is going to be the biggest security nightmare of the next ten years. All those npm/gem/pip/deb packages that are imported by thousands of projects and Docker images, with maintainers who are retiring. So easy for a malicious actor to just slip in some code, and who has time to audit all those dependencies for every single update?


Or all those `curl install.sh | bash -` scripts that nobody checks that could do pretty much anything, esp when they ask you to sudo


I never understand why people get more upset about the bash script running arbitrary code than the program it's actually installing.


Oftentimes the installer needs greater system access than the code you're running, particularly on Windows

IME most of the randomly-downloaded software I've used does what it says on the tin. But there is a whole screening process: where did it come from? Does the originating site look legit? What are the possible motivations for the creator?

Besides there is no signing mechanism for your random install.sh. Maybe you check the SHA256 but if an attacker alters the script why not alter the website with the hashes too?


Aren't the most interesting things to steal already in the user's home folder, so having admin rights won't really give you that much more.


Depends on the malware. Not all of them aim to steal, some may want to turn your PC into a botnet node, or a remote proxy for illegal activities.


You're absolutely right

https://xkcd.com/1200/


It’s not that the bash script is worse than the installed program. The problem is that the bash script risks installing a malicious program.


Who is running random curl scripts without checking the code first? Is this common now?


Considering:

- Not everyone is proficient in bash.

- Some install scripts can easily go on for thousands of lines, especially if they are designed to work with multiple distro or architecture, or both.

- Said install script might be integrated deep down into someone else's build pipeline.

- ... that's assuming they aren't the type that would blindly download and run random exe from the web in the first place

Pretty common, I would say.


Quite so. A quick example from k3s installation page (https://docs.k3s.io/quick-start):

```
curl -sfL https://get.k3s.io | sh -
```


It bugs me to no end that they (those that give those instructions) are normalizing this.


Nobody reads the source code of all software they are running.


My own estimations and observations say - 80% of programmers do. It's called "great DX" nowadays


Ever install docker on a pet Linux box? That script saves a lot of time.


Unless that is the only way that was possible to save that time, this doesn't matter.


It's like 80% of non distro Linux installers


> How is this a supply chain attack?

It's a supply-chain attack because the article has a section about how the official website for "Free Download Manager" was serving malware to a percentage of people.

> While checking videos on Free Download Manager that are hosted on YouTube, we identified several tutorials demonstrating how to install this software on Linux machines. We observed the following actions that happen in all these videos:

> - The video makers opened the legitimate website of Free Download Manager (freedownloadmanager[.]org) in the browser;

> - They afterwards clicked on the Download button for the Linux version of the software;

> - They were redirected to the malicious https://deb.fdmpkg[.]org/freedownloadmanager.deb URL that hosts the infected version of Free Download Manager.


It's a supply-chain attack on Free Download Manager, rather than on linux itself. The truncated HN headline makes this seem like it's a general linux problem.


> uget: https://sourceforge.net/projects/urlget/

Appreciate sf.net isn't as shady now, but ironic it should be listed as that used to spread malware. https://www.howtogeek.com/218764/warning-dont-download-softw...


Greetings from the Free Download Manager team! Here is our latest update regarding the issue. We have created a bash script that you can use to check the presence of the malware in your system. Please review our instructions on our official page: https://www.freedownloadmanager.org/blog/?p=664. We once again sincerely apologize for any inconvenience that might have been caused.


> This is installed by adding a shady repository to your apt sources.list...

How is this possible? Aren't the packages signed like on ArchLinux so that you can use any mirrorlist?


Yes, they are signed, but not with the official key. If you add it through the UI, it will auto-accept the key from the repository. (I'm not sure how it exactly works, it might ask the user for the confirmation)

If you do it from the command line, by editing files, you will have to add the key manually.

But most inexperienced users will just copy/paste and run the "curl | sudo apt-key add" command from the shady repository website, because they want to run the software.

This is not much different from downloading an .exe from an untrusted website, and ignoring the warning from windows when running the .exe.


Until recently (when apt-key was deprecated), this has been a large security hole (and it will continue to be as long as apt-key is still used). Basically unless a repository in your sources.list includes a signed-by attribute referencing a specific key, then it can install packages signed by any public key you've added via apt-key. Also, sources.list defines an implicit priority order (IIRC it's top-to-bottom), so that when two repositories include a package with the same name, the package from the highest priority repository is installed. You can imagine the security issues that arise from a system dependent on the order of lines in a file that many people manually edit while frustrated and reading a tutorial online.

More here: https://medium.com/@glegoux/ubuntu-22-04-jammy-jellyfish-apt...
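The two comments above describe the weak configuration (a repository line without `signed-by`, trusting every key ever added via `apt-key`) and the pinned form. The following is an added example, not code from the thread or from Debian: a POSIX sh audit that flags one-line apt sources lacking `signed-by=` and a helper that pins such a line to a dedicated keyring. The sources content, repository URLs and keyring paths are constructed placeholders.

```shell
#!/bin/sh
# Audit one-line apt sources for entries without a signed-by= option.
# Without signed-by, a repository may ship packages signed by ANY key
# present in the legacy apt-key keyring (/etc/apt/trusted.gpg and
# /etc/apt/trusted.gpg.d), not just its own key.
# (The deb822 .sources format expresses the same pin as a Signed-By: field.)

# Constructed sample sources.list content; hosts and paths are placeholders.
SAMPLE_SOURCES='deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/debian stable main
deb https://deb.example.test/ stable main
# deb-src https://deb.example.test/ stable main'

# Read sources text from stdin and print every active deb/deb-src line
# that lacks signed-by=. Returns 1 if at least one such line was found.
unpinned_sources() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "deb "*|"deb-src "*) ;;   # only active one-line entries
            *) continue ;;            # skip comments, blanks, other text
        esac
        case "$line" in
            *signed-by=*) ;;          # already pinned to a keyring
            *) printf '%s\n' "$line"; found=1 ;;
        esac
    done
    return $found
}

# Count unpinned entries in the given sources text (used for reporting/tests).
count_unpinned() {
    printf '%s\n' "$1" | unpinned_sources | wc -l | tr -d ' '
}

# Rewrite one entry so apt only accepts packages signed by KEYRING.
# Assumes the line has no existing [options] block; prints it unchanged
# and returns 1 if it does, so the caller can merge options by hand.
pin_to_keyring() {
    line=$1
    keyring=$2
    case "$line" in
        "deb ["*|"deb-src ["*) printf '%s\n' "$line"; return 1 ;;
    esac
    kind=${line%% *}      # "deb" or "deb-src"
    rest=${line#* }       # URL suite components...
    printf '%s [signed-by=%s] %s\n' "$kind" "$keyring" "$rest"
}

# Stand-alone run: report unpinned entries in the constructed sample and
# show how the shady-looking one would be pinned to its own keyring.
printf 'Unpinned entries in sample sources:\n'
printf '%s\n' "$SAMPLE_SOURCES" | unpinned_sources || true
printf '\nPinned form of the third-party entry:\n'
pin_to_keyring 'deb https://deb.example.test/ stable main' \
    /usr/share/keyrings/example-thirdparty.gpg
```

On a real system, run `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | unpinned_sources` to list the entries that still rely on the global keyring.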


"people who walk on the sidewalk often cross the street in front of traffic THEREFORE walking on the street is just like walking in front of traffic"

maybe you intend to deeply explore the behavior of "the most inexperienced" as if it is Typical of Desktop Linux admins?


This is more like using AUR (except the packages are prebuilt with no way to inspect source). They are entirely user submitted.


No. This is not AUR, this is an entire third party repository. It would be the equivalent of these https://wiki.archlinux.org/title/Unofficial_user_repositorie...


If you run Arch, I highly recommend checking out ALHP and chaotic-aur.


>This is installed by adding a shady repository to your apt sources.list...

In the article they show a video which shows the user downloading FDM from the official website, and the file coming from that repo.


A Linux user that would install a Free Download Manager? We need to bring back complicated Linux installation processes. Vendors have dumbed down the process to the point that idiots are getting cooties from downloading bullish!t.


A few years ago I asked a new hire to ssh to a certain machine from their new dev Linux laptop, and they said OK and began searching the web for PuTTY for Linux. Didn't work out with them.


Years ago, I asked data scientist (with a PhD) whether his jupyter notebooks were only on his laptop or whether they were backed up on a server. He said they were on a server.

I wanted to make sure whatever server that was had regular backups, so I asked for the server name.

He looked at the URL bar and gave me the server's IP address: 127.0.0.1


Two years ago we hired an R developer to do some calculations on a CSV file input; he didn't understand the notion of saving the result to a CSV file and could only print it.


What a coincidence, that's where I store my backups too.


PuTTY for Linux exists and even works to my knowledge, so they had a chance of success ;)


My boss somehow uses vscode for SSH.


If you intentionally install something called Free Download Manager, you should not be surprised when it turns out to be malware.


Yeah who would ever trust a free BSD?


That’s right, security-minded people trust OpenBSD instead.


And Open File Manager!

The point here is it’s actually really hard to identify scammy software by name. It only seems that way with extensive domain knowledge. As adoption of Linux continues to grow more people will be duped.


...which conveniently routinely breaks binaries between stable releases ;)

(Obviously joking, nothing but love for OpenBSD.)


Are you saying that maybe it should have been named Linux Download Manager to fool more people, or Debian Download Manager?

Proving trust is hard.


I would only trust it if the name were some inscrutable string of lowercase letters, preferably referencing a programming in-joke about recursion.


If it's not in the main Debian repositories, I don't know that the majority of Linux users would install it.


Why did the authors blank out “Ukraine” from an (apparent) statement “Glory to Ukraine” in the comments? Seemed weird to me, what’s the point?


Yes, if they’re unwilling to show a small detail like this due to sanctions that the Russian government supposedly would rain on them in retribution, one wonders what else they’re unwilling to disclose from their other investigations for the same reason.


"securelist by Kaspersky", they are Russian.


Wow. Given that Kaspersky leaders are very non-neutral, it makes these comments even fishier, because they look like a clumsy attempt to implicate Ukrainians in an attack.

(Clumsy because, firstly, source code comments are a very strange place to write “Glory to Ukraine”, and secondly, because the whole section is written in Russian, except for the word “thanks”)


A year or so ago I would say this is way too petty to the point of incompetence for them to do this.

Knowing how the country actually functions since the invasion, I wouldn't rule this out at all.


> SecureList by Kaspersky

I'm more amused what it was in the malware code at all. Reminds me something..


Free Download Manager had a long history of being compromised. For a long time, their auto-update ini file (kind of configuration file) was manipulated to point to a compromised version, thus people installed a clean version but will get a malware infested version once they updated. I believe they are the target all along.

I’m surprised that people installed them on Linux. Stop believing OSS is automatically clean and safe.


> Stop believing OSS is automatically clean and safe.

Not disagreeing but Free Download Manager stopped being OSS in version 3.9.7, that was 2017 and this article's infected package was released in 2020.


I'd request that the HN headline be changed - it doesn't match the article headline and sounds much more like an attack on linux itself, rather than a supply-chain attack on a particular piece of software -

"Free Download Manager backdoored – a possible supply chain attack on Linux machines"


never in my life have I heard of this tool and I have been using linux since the early 2000s


If you're curious what it says, I put the Russian text in a translator:

  > glory to Ukraine!
  > rel 20200126 15:15
  > rel 20200126 15:46 added ubuntu 19.10 【thanks russkis】
  > rel 20200127 02:46 removed upx,  crashes often, unpacked version only now

The bracketed text is written in Ukrainian


Interesting that the built-in macOS OCR reads the first line as "слава нации" (glory to the nation).


This is one more reason to run every program in a sandbox rather than with full privileges.


I disagree. This is more another reason to not run programs which are not from the official repository.


Even packages from the official repos can not be safe.

https://www.debian.org/security/2008/dsa-1571

I would just like to remind everyone to be cautious, in general. This bug was in the openssl package, and as a consequence was creating incredibly weak keys, for around 2 years before being discovered in what is arguably one of the most critical pieces of software for the OS.


there's a difference between bugs and being actively malicious


one hundred and sixty thousand signed packages with ten+ years of history and of course, one bad one means the system is "weak"


Why do you think this cannot happen in the official repository?


Because the official repository has a strict vetting process. You cannot just show up and put your shady software in the official repository.

Debian packagers have a mutual trust process which you need to gain. Only trusted Debian packagers can approve packages to be included. Also some Debian maintainers will just randomly check packages from time to time. (e.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792580 )


But Debian packagers aren't always super careful. They generally don't audit the full changeset between each version they package and publish. They mostly trust that upstream has not been compromised and continues to be trustworthy.

I'm not trying to minimize all the hard work Debian (or any other distro) packagers do, but "only use official repositories" is not sufficient as a malware-avoidance strategy. Yes, it's better than installing random binaries from random websites, but let's not give ourselves a false sense of security.

The suggestion upthread to run everything in a sandbox is a good one. I wish that was more common and that there was a better UX when doing so.


It's obviously not a 100% guarantee, but it's about as good as anyone can reasonably do.


the list of contributors is huge, you just need to hack one person https://contributors.debian.org/

not to mention libraries like libxslt that is used by like half the packages

even kernel.org was hacked, and git saved us, and luckily it was before the sha1 collision attacks were viable

https://www.reddit.com/r/linux/comments/k0mco/kernelorg_comp... https://crypto.stackexchange.com/questions/99767/how-easy-is...


> you just need to hack one person

bribes are probably quicker and easier.


> strict vetting process

Eh, don't expect too much from this. It's just the packager downloading a .tar.gz from the website or cloning the version control, maybe checking if it looks alright for a bit at most, maybe check signatures if they're available (or maybe not), and that's usually it. Especially for updates don't expect a "vetting process" of any meaning.

The main "defence" is time, not any vetting: usually people find out any problems before packagers have time to update the package or before a package becomes "known enough" to be added to Debian (or any other package repo): there will be GitHub issues, Reddit drama, HN threads, news articles, what-have-you.

Things like Chromium has a bunch of eyes, but that's the exception and very much not the rule.


Nice classic email spam at the end of that thread!

> "All we require from you is your willingness and ability to receive the funds in question"


You can report the spam by clicking on the link at the very bottom (or just going to https://bugs-master.debian.org/cgi-bin/bugspam.cgi?bug=79258... and confirming).


Why do you think "can not happen" even matters?

No one does think it can not happen, because that is a silly thing to even say. "can not happen" does not exist anywhere, there is only likelihood of happening, based on both history and motivation.

How often HAS it happened in any reputable distros official repos? They have all got decades of history by now so a good sea of data to generate solid statistics on frequency and distribution.


It is true, Debian in particular has a very good track record:

https://security.stackexchange.com/questions/243455/was-ther...

however, cpan, npm, ports, homebrew, gems etc there are examples: https://docs.brew.sh/Acceptable-Casks#apps-that-bundle-malwa...

but i was hinting more at the: there are so many packages, and so many that are used rarely, that there is no way we know.

I think just running a weekly modified-files report, running things in sandboxes, and also not giving internet access to all apps is good enough for me; and of course be critical of the sources you install from. Reputable repos are better than non-reputable ones, but are not immune.


Not everything is in official repositories.


Should people reflexively refuse prompts to authenticate as admin and see if the underlying programs still work as expected? This comes up all the time for Macs and the keychain


Instead of "authenticate as admin" the prompt should contain the specific privileges required by a program, for example:

- read .ssh directory

- write to .ssh directory

- read motherboard serial number

And so on. Accessing the keychain should require confirmation if one program wants to read other program's secrets. If it wants only its own secrets, then no prompt needed.


This is a download manager. By definition it will have access to the internet, will write files to disk, and you will open the files it wrote.

A sandbox wouldn't keep you safe if you have to keep those vectors open.


A download manager doesn't need to access your .ssh directory, your browser cookies, get your motherboard serial number, query a list of nearby WiFi points and so on. But in Linux all of these are accessible to any program by default.

> and you will open the files it wrote.

Open in a sandbox? Why not.


Why would you use a "Free Download Manager" when wget is right there? Or a web browser, such as Firefox? Or torrent clients to deal with large Linux ISO downloads? Or the various storefronts, like Steam? Or your own distro's package manager?

This wasn't packaged on any distro, so this isn't even a meaningful attack: Users had to go out of their way to install it from a foreign source. This is no different than if you downloaded a random .exe and ran it on Windows with admin access.

It's not a supply chain attack, it's a PEBKAC attack.


From their website[1]:

> FDM can boost all your downloads up to 10 times, process media files of various popular formats, drag&drop URLs right from a web browser as well as simultaneously download multiple files!

No, I still don't have a clue what it actually does that the OS and existing tools can't. It sounds like those scam "RAM doubler" programs from the 90s. Run this executable to boost your system's chakras.

1: https://www.freedownloadmanager.org


Sounds like, er, download managers from the 90's a la https://getright.com/


I used it 15 years ago, back when I had dial up. It was extremely handy, since it could continue a download if I paused it or got kicked off (without starting from the beginning).


It might just parallelize multiple downloads or something like that?



Url changed from https://arstechnica.com/security/2023/09/password-stealing-l..., which points to this.

Submitters: "Please submit the original source. If a post reports on something found on another site, submit the latter." - https://news.ycombinator.com/newsguidelines.html


Dear Community,

Here is the second update regarding the issue: We have prepared a bash script that you can use to check the presence of malware in your system.

Launch Instructions:

Download the linux_malware_check.sh script and give it execute permissions.

You can do this by running: chmod +x linux_malware_check.sh.

Execute the script by running: ./linux_malware_check.sh. Please note that this script only identifies whether the mentioned potential threats are present on your computer, it does not remove them. If malware is detected, it is highly recommended to reinstall the system.

We once again sincerely apologize for any inconvenience that might have been caused.


Who uses a download manager in the days of high speed internet access and, in general, cloud services?


Happy FileZilla user here, on my FreeBSD laptop. I move tons of files from a remote astronomical observatory routinely, sometimes need to define custom rules - what to download, upload, filter across folders, etc. Sometimes I need to push a file from a very low data-rate link from somewhere in the middle of nowhere to the observatory, sometimes over a satellite link. Sometimes I want a throttled download of a large queue so I won't overload my connection and leave some bandwidth to other users. Also, I have a directory of different FTP servers I work with, it's easy to keep them in one place. So, there you have it.


rsync has a --bwlimit option.

But I suppose you're probably talking about devices that only know about internet protocols before 1991....


And curl has --limit-rate and supports more protocols. But so what? If they are happy using FileZilla and it helps them get stuff done, why berate them? It's not even like they're abusing a tool in an entirely unintended way, quite the opposite.

I'm saying this as a shell-user.


People who are still on dialup modems or very slow wireless ISPs with flaky connections. High Speed Internet is not universal even today, despite what web developers seem to think. Ever try to surf raw Facebook on a 128kbps wireless link? It's not fun. Cloud services are a joke for these people.

Hacker News is one of the last holdouts in the low bandwidth friendly website game.


A decade ago, I remember buying 500MB or 1GB of mobile internet credit and burning through that in an evening just reading news and stuff. Today, with uBlock Origin and NoScript, I can buy the same amount of mobile internet and it lasts me quite a while. I therefore concluded that, while website bloat does exist, what really consumes bandwidth is advertising, and that can be avoided. Moreover, a decade ago lazy loading of images was not common, but now the respective CSS tag exists, is supported by browsers, and widely implemented by CMSs like Wordpress.


For news I just head to gopher://magical.fish (the news section) and gopher://gopherddit.com under Lynx and the data usage gets down fast.


On linux...

I mean if I found something called free download manager on a technologically challenged family member's PC I would just assume it's malware to start with.


Honestly, there were several download managers which were essentially forced by folks like Microsoft and Logitech. If I remember correctly, when I had an educational license with Microsoft Imagine, the most challenging bit was getting the mandatory download manager working. IIRC, I didn't actually have a Windows machine to put it on or something. So, I had to jump through some hoops. The software was plain inaccessible without going through the proprietary download manager.

Logitech did similar hijinks for a long time. I can't remember whether it was mandatory, but it sure was difficult to avoid.


They can be very useful for:

- bypassing antiquated per connection throttles on otherwise fast servers by downloading chunks in parallel

- downloading files such as videos from sites that don't really want you to download the file

I have never heard of the program in the article, but this one still sees many active users on windows for the above reasons: https://jdownloader.org/

There's even a little community still making and maintaining plugins for extracting files from uncooperative websites. Really does feel like the kind of program you only ever want to be running in a sandbox though!


JD2 is great for cutting through redirectors to get the source of the file. There are some sites that use multiple redirectors for a single link.


I do. Just because your internet access is fast that doesn't mean remote servers don't throttle on a per connection basis.


Or that everyone else also has fast Internet


Similar software is used in some products. For example, synology DSM has a package called download station. Who knows if it’s based on some obscure .deb (or scripts such as youtube-dl).

It could give rise to a supply chain attack.


I'm trying to imagine the kind of user that's both able to blindly install a random .deb downloaded from a website, while also being willing to do so. Linux geeks with no sense of danger on the internet?


One can google "install .deb fedora" and get a litany of web pages which will contain words explaining how to do this. Fedora (and other distributions) is easy enough to install that one doesn't really need to be a "Linux geek" in order to be on Linux and such a person is not quite so likely to wonder whether or not they trust the code they're running.

Couple that with the fact that it works out well Most Of The Time[0] and you've got a pretty likely scenario even if it affects a relatively small number of people.

[0] I mean in general when downloading software as well as in the context of this particular story[1].

[1] > Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app.


If you have a web browser and Linux, you can often install a .deb just by opening it in Software Centre or other graphical utilities to install apps. The comparison might be someone on windows trusting a random .msi or installer .exe or someone on Mac installing a random .app package. It’s somewhat normal these days. Package managers are sometimes harder to understand and app stores often don’t have the app you want or the newest version. Sometimes the app directs you to the website to install an update - or updates itself from a compromised location.


This shocked me too. I kind of expect this to happen more on Arch because it gets marketed heavily to new users on Reddit but Debian seems geared more towards “olds” like me who just want a complete OS without a lot of effort. I couldn’t imagine using non-standard repos in a normal operating environment.


not too terribly different from `sudo (curl | bash)`


Download managers are more important on high speed links than ever.

The more bandwidth you have (and use), the less adequate the little "downloads" pane in your browser is.


It's really handy to be able to kick bigger or automated file operations to a backend service.


axel -n 10


I see free. I download!


But I thought there were no viruses or malware on Linux! For example: https://www.howtogeek.com/135392/htg-explains-why-you-dont-n...


Look, if the malware spreads by users manually installing it, 1. it's not really an OS problem, 2. an AV wasn't going to save them.


That's how almost all malware was installed though. Linux really isn't any more resistant to malware than anything else.


Really depends on ecosystem and time; I remember when connecting an unpatched XP box to the internet got it infected with zero user interaction.


Within minutes, sometimes. You couldn't even go online to get the updates if you didn't have a firewall.



A typical Linux install is actually less secure than Windows nowadays, which in turn is less secure than macOS.


Yeah, sure, until you open your browser and start installing all the crap like crazy. Because even 'legitimate' software can give you nasty adware today in software installers. And lots of adware isn't tagged as malware.


Both Windows and macOS have binary whitelisting in place making it harder to run arbitrary binaries that aren't known good to the OS vendor. Pain in the ass sometimes because Windows Defender quarantines executables and DLLs I freshly compiled, and you have to do command line magic -- after every update -- to get unsigned stuff past Gatekeeper and Xprotect, but in terms of endpoint security for normies both Windows and macOS are way ahead of Linux.


I repeat: a lot of installers from good companies bundle adware which might not be malware but turns your i5 machine into a Pentium II, which in the end is the same thing.



