posted by Fnord666 on Friday February 05 2021, @03:23AM   Printer-friendly
from the we-don't-trust-m$ dept.

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package update added a Microsoft APT repository and the Microsoft OpenPGP signing key to the system. Because APT installs, as root, whatever a trusted key has signed, the key in principle gives the repository operator full root access to the whole system, and APT contacts Microsoft's servers every time it refreshes its cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that the resource hog Visual Studio Code was to be made available by default on the Raspberry Pi for development on their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the many lightweight editors and IDEs already available through vetted repositories, not to mention that the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.


  • (Score: 5, Insightful) by dwilson on Friday February 05 2021, @04:09AM (31 children)

    by dwilson (2599) Subscriber Badge on Friday February 05 2021, @04:09AM (#1109175) Journal

    Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system.

    Yeah, that's shady as hell.

    The latter effectively gives the former full root access, in principle, to the whole system.

    Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?

    The former checks in with Microsoft's servers any time APT refreshes its cache.

    Otherwise known as polling the upstream repository during 'apt-get update' to see if there are any changes to download? ie, working as intended, just like every other repo in the system?

    Don't get me wrong, I hate microsoft more than the next guy, but based on the information provided in the summery this is mountain-out-of-molehill if ever I've seen it.

    --
    - D
  • (Score: 0) by Anonymous Coward on Friday February 05 2021, @04:16AM (6 children)

    by Anonymous Coward on Friday February 05 2021, @04:16AM (#1109179)

    I concur with what you've said, but there is just this much animosity towards Microsoft from many people. There were a lot of new linux migrants due to how Win10 was pushed out.

    • (Score: 1, Insightful) by Anonymous Coward on Friday February 05 2021, @04:53AM

      by Anonymous Coward on Friday February 05 2021, @04:53AM (#1109195)

      You also have to get away from systemd.

      1.) Embrace
      2.) systemd
      3.) Extinguish

    • (Score: 1, Insightful) by Anonymous Coward on Friday February 05 2021, @11:28AM

      by Anonymous Coward on Friday February 05 2021, @11:28AM (#1109260)

      I share your animosity, but let's face it: Windows 10 was first released 5+ years ago. Most people can barely remember what meme they consumed 3 minutes ago, let alone remember how Win10 was shoved down throats.

    • (Score: 1, Disagree) by driverless on Friday February 05 2021, @11:44AM (2 children)

      by driverless (4770) on Friday February 05 2021, @11:44AM (#1109263)

      The Techrights article linked above is a particularly extreme example of this:

      SEVERAL years ago the thugs from Microsoft marked the Raspberry Pi Foundation for death or defection, as they had done OLPC a decade earlier. Microsoft is a cult that does not tolerate anything that’s not Microsoft. Those who seriously think that Microsoft “loves Linux” are deeply deluded or bribed/misled by (or like) the Linux Foundation.

      Yeah, that's definitely a rational, reasonable report on the situation. Excuse me one moment while I wipe the spittle from the person shouting that at me on a street corner off my face.

      As a counterpoint, others like the Hothardware one are a lot more reasonable.

      • (Score: 0) by Anonymous Coward on Friday February 05 2021, @04:05PM

        by Anonymous Coward on Friday February 05 2021, @04:05PM (#1109333)

        Glad to hear you're so cool about it. Hey, I've got some repo keys I'd like to install on your machine. Since you're so nonchalant, what email address should I send them to?

      • (Score: 2) by Azuma Hazuki on Saturday February 06 2021, @01:34AM

        by Azuma Hazuki (5086) on Saturday February 06 2021, @01:34AM (#1109473) Journal

        They're not wrong though. The leopard, as Nanny Ogg says, does not change his shorts. MS has always been about embrace/extend/extinguish. They "love" Linux the way a pimp "loves" little girls.

        --
        I am "that girl" your mother warned you about...
    • (Score: 4, Insightful) by r_a_trip on Friday February 05 2021, @12:40PM

      by r_a_trip (5276) on Friday February 05 2021, @12:40PM (#1109271)

      Don't forget us veterans who lived under MS with monopoly power and an iron fist on the computing world. I trust these clowns as far as I can see them. This is a company founded by people who would probably sell their own mother for organ harvesting if it made them some bucks.

  • (Score: 5, Informative) by Anonymous Coward on Friday February 05 2021, @04:20AM (5 children)

    by Anonymous Coward on Friday February 05 2021, @04:20AM (#1109182)

    Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?

    Because Microsoft can force an update package that will be picked up automatically. For example, they can sign an updated kernel, advertise it on their repo and have the update be pushed automatically with a regular apt upgrade.

    For once none of this is Microsoft's fault but rather it's a fundamental design failure in APT. Trust should never be an all-or-nothing matter as it is right now with Debian package system, updates from a different signer should require an explicit user permission to install.

    • (Score: 5, Informative) by Anonymous Coward on Friday February 05 2021, @06:49AM (4 children)

      by Anonymous Coward on Friday February 05 2021, @06:49AM (#1109215)

      For once none of this is Microsoft's fault but rather it's a fundamental design failure in APT. Trust should never be an all-or-nothing matter as it is right now with Debian package system, updates from a different signer should require an explicit user permission to install.

      You can pin packages to particular repos, so you can prevent anything except that one MS malware package from being able to be installed from MS repos*. This feature has existed for decades.

      It is rare that Debian systems use 3rd party repos except local repos controlled by the user (using 3rd party repos defeats the point of a distribution where the packages are curated by the maintainers and trustworthy). But, apt is quite capable, and can handle this use case.

      No package will be installed / upgraded from malware.microsoft.com unless you manually force it except, the package microsoft-vscode will auto upgrade from malware.microsoft.com unless a package of the same name is available from the main repo. Change Pin-Priority to change the policy to your liking. See 'man apt_preferences'

      /etc/apt/preferences.d/microsoft-malware:

      Package: *
      Pin: origin malware.microsoft.com
      Pin-Priority: 1

      Package: microsoft-vscode
      Pin: origin malware.microsoft.com
      Pin-Priority: 500

      Apt is extremely capable. If you find yourself wishing that apt could do X, it is quite probable that reading the docs you will find that apt already can do X.

      Unless Raspbian included a preference file like above, then I think that the criticism is warranted. Even if you think MS is fantastic and great, least privilege is safer, and not restricting what MS repo can install only adds risk.

      *Usually pinning is used to safely mix stable, backports, testing, unstable and/or experimental packages on the same system, but you have to use common sense when doing this e.g., anything that pulls in glibc from unstable on a stable base system is not something that you can safely mix into your stable system even with pinning.

      • (Score: 0) by Anonymous Coward on Friday February 05 2021, @07:03AM (2 children)

        by Anonymous Coward on Friday February 05 2021, @07:03AM (#1109219)

        Thank you for the calm and informative post.

        Would mod you up if I could.

        Though I would denylist Package: * from origin malware.microsoft.com, myself.

        • (Score: 1) by jurov on Friday February 05 2021, @01:44PM (1 child)

          by jurov (6250) on Friday February 05 2021, @01:44PM (#1109287)

          it says "you have 10 points" so I selected "Informative", clicked Moderate..and nothing happened.

          How it is supposed to work?

          • (Score: 2) by maxwell demon on Friday February 05 2021, @01:55PM

            by maxwell demon (1608) on Friday February 05 2021, @01:55PM (#1109294) Journal

            If the post is already at the maximum moderation (+5), then you cannot add another moderation. I can't tell whether that is what happened to you (no way to tell what the post's moderation status was at the time you tried to moderate), but it would be my guess.

            --
            The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Friday February 05 2021, @11:22PM

        by Anonymous Coward on Friday February 05 2021, @11:22PM (#1109448)

        Informative post but one quibble. It is common to have a couple of repos for the odd package. The Debian Multimedia repo was almost mandatory for years because of licensing and patent problems. Small repos with SAS / RAID controller proprietary tools. Some guy's personal repo with a testing version of a package you need. Etc.

        And yes this is a good wake up call that any repo can override any base package with the default configuration. Some bad actor seizes any minor repo and they can inject a tainted base package like glibc or libssl into every machine that uses the repo. It is time for the defaults to be made safe.

  • (Score: 3, Informative) by RedGreen on Friday February 05 2021, @04:24AM (6 children)

    by RedGreen (888) on Friday February 05 2021, @04:24AM (#1109184)

    They are ignorant assholes with a piss poor attitude towards their users. I just got banned from there for saying it was my GD computer and it is none of their business doing anything to it without my permission. They cannot even be bothered to do proper development; this below in Debian gets a package sent back to the maintainer, them being told, hey clown, we do proper development here, we need your changes listed.

    root@raspberrypi:/home/seeder1# apt changelog raspberrypi-bootloader
    E: Failed to fetch changelog:/raspberrypi-firmware.changelog Changelog unavailable for raspberrypi-firmware=1.20210201-1

    Now you going to install that, slimy pieces of shit already upgraded it once with my knowledge or permission already.

    --
    "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 2) by RedGreen on Friday February 05 2021, @04:27AM

      by RedGreen (888) on Friday February 05 2021, @04:27AM (#1109185)

      without my knowledge. that should be

      --
      "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 2, Insightful) by Eratosthenes on Friday February 05 2021, @07:36AM (4 children)

      by Eratosthenes (13959) on Friday February 05 2021, @07:36AM (#1109230) Journal

      The lack of a USB boot is a tell. This platform will not end well. Who the hell does only proprietary bootloaders?

      • (Score: 2) by RedGreen on Friday February 05 2021, @10:20AM (2 children)

        by RedGreen (888) on Friday February 05 2021, @10:20AM (#1109249)

        It boots from USB; the morons have upgraded the firmware to allow it, flaky as hell for some. Just like the rest of the effort by them clowns. I have managed to solve the morons doing whatever the hell they want with my machine with Ubuntu on my SSD. I use a chainload: the SD card boots the machine and the OS runs from the SSD. Tomorrow I try a Debian install out with a debootstrap method I am just reading about now.

        root@zeus-pi:~# uname -a
        Linux zeus-pi 5.8.0-1013-raspi #16-Ubuntu SMP PREEMPT Thu Jan 14 06:28:38 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

        --
        "I modded down, down, down, and the flames went higher." -- Sven Olsen
        • (Score: 0) by Anonymous Coward on Friday February 05 2021, @12:37PM (1 child)

          by Anonymous Coward on Friday February 05 2021, @12:37PM (#1109270)

          Why don't you just go to a competitor? There are many with broad OS support and raspi-compatible GPIO.

          • (Score: 2) by RedGreen on Friday February 05 2021, @01:16PM

            by RedGreen (888) on Friday February 05 2021, @01:16PM (#1109279)

            "Why don't you just go to a competitor? There are many with broad OS support and raspi-compatible GPIO."

            Oh yeah, if ever needing another little machine, it will be a cold day in hell before they get my cash again.

            --
            "I modded down, down, down, and the flames went higher." -- Sven Olsen
      • (Score: 0) by Anonymous Coward on Friday February 05 2021, @07:44PM

        by Anonymous Coward on Friday February 05 2021, @07:44PM (#1109392)

        How does this get an "insightful"?

        usb boot is often used as an attack vector.

        If you look through this thread, it makes SN look like slashdot did when SN forked it. At least half of the posts here are astroturfing.

  • (Score: 5, Informative) by canopic jug on Friday February 05 2021, @04:51AM (3 children)

    by canopic jug (3949) Subscriber Badge on Friday February 05 2021, @04:51AM (#1109194) Journal

    The files are supposedly added by a post-installation script in one package, thus avoiding being listed in any of the package manifests. Give it a try:

    $ ls -1 /etc/apt/trusted.gpg.d/microsoft.gpg /etc/apt/sources.list.d/vscode.list
    /etc/apt/sources.list.d/vscode.list
    /etc/apt/trusted.gpg.d/microsoft.gpg

    $ dpkg -S /etc/apt/trusted.gpg.d/microsoft.gpg
    dpkg-query: no path found matching pattern /etc/apt/trusted.gpg.d/microsoft.gpg

    $ dpkg -S /etc/apt/sources.list.d/vscode.list
    dpkg-query: no path found matching pattern /etc/apt/sources.list.d/vscode.list

    Try to guess which package is responsible for those two added files? None are listed. Someone went out of their way to obfuscate the origins of the two files. So, yes, shady as hell.

    Then there is the question of why the Visual Studio source code could not have been added upstream to the normal Debian repositories. That would have been the expected approach should they have had any good intentions with this move, especially given the past and current history of the company involved.

    So, yes, again, shady as hell.

    Also, normally radical licensing, behavior, or privacy changes require at least a click-through agreement to pretend to notify the end users. That didn't happen.

    So, yes, yet again, shady as hell.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 3, Interesting) by sjames on Friday February 05 2021, @06:34AM (2 children)

      by sjames (2882) on Friday February 05 2021, @06:34AM (#1109212) Journal

      Then there is the question of why the Visual Studio source code could not have been added upstream to the normal Debain repositories. That would have been the expected approach should they have had any good intentions with this move, especially given the past and current history of the company involved.

      Possibly because it would have then been marked clearly as nonfree.

      • (Score: 2) by dwilson on Friday February 05 2021, @02:17PM (1 child)

        by dwilson (2599) Subscriber Badge on Friday February 05 2021, @02:17PM (#1109302) Journal

        Another reason could be that putting anything in a Debian-managed, or even downstream distro-managed (i.e. by Raspbian) repository puts your software entirely at the mercy of whomever is elected as package maintainer. Best case, the in-repo package is one to many versions behind your current stable release. Worst case, the maintainer abandons the package and it hangs in limbo for many years, getting more and more out-dated and causing no end of headaches for the users. I've seen that happen many times.

        Personally, I absolutely roll my own repositories for any software I maintain, for any distribution I care to maintain it on. That's generally Gentoo and Debian-based systems. If a distro wants to add it to their own managed repos, that's wonderful. ...but I'm still maintaining my own repos.

        --
        - D
        • (Score: 2) by sjames on Friday February 05 2021, @03:36PM

          by sjames (2882) on Friday February 05 2021, @03:36PM (#1109324) Journal

          But I'll bet you don't then sneak your repo into people's configurations.
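
The check in the story summary (what is in /etc/apt/sources.list.d), the apt_preferences pin from the thread above and the `dpkg -S` ownership test in canopic jug's comment can be run as one audit. The POSIX shell functions below are an added example written for this page; they are not code from the original post, from Raspberry Pi OS or from Microsoft. They list the repository host of every `deb` line under a sources directory, report hosts missing from an allowlist, emit the apt_preferences stanza that pins such a host to priority 1, and, where dpkg is present, list files under a directory that no installed package claims. The allowlist contents and the sample sources directory built in `demo_unexpected` are constructed for the example, and every path is an assumption rather than something the page specifies.

```shell
#!/bin/sh
# Added example (not from the original post, Raspberry Pi OS or Microsoft):
# audit APT source lists for repository hosts outside an allowlist and emit
# the apt_preferences stanza that keeps such a host from installing anything
# automatically. Paths and the allowlist are assumptions for this example.

# Print "<file> <host>" for every deb/deb-src line in *.list files under $1.
apt_list_origins() {
    dir=$1
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        # Skip comments; keep the URL field, which may follow an [options] block.
        sed -nE 's/^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?([^[:space:]]+).*/\3/p' "$f" |
        while IFS= read -r url; do
            # Reduce scheme://host/path to host; non-URL sources (cdrom:) pass through unchanged.
            host=$(printf '%s\n' "$url" | sed -E 's#^[a-z]+://([^/]+).*#\1#')
            printf '%s %s\n' "$f" "$host"
        done
    done
}

# Print "<file> <host>" for hosts that do not appear as an exact line in allowlist $2.
apt_unexpected_origins() {
    apt_list_origins "$1" | while read -r f host; do
        grep -qxF -- "$host" "$2" || printf '%s %s\n' "$f" "$host"
    done
}

# Emit an apt_preferences stanza. "Pin: origin" matches the repository hostname
# (not the Origin: field of the Release file); priority 1 means nothing from that
# host is installed or upgraded unless no other version of the package exists.
apt_pin_stanza() {
    printf 'Package: *\nPin: origin %s\nPin-Priority: 1\n' "$1"
}

# Print files directly under $1 that no installed package owns (dpkg -S fails).
# Reproduces the ownership check from the thread; silently does nothing without dpkg.
apt_unowned_files() {
    command -v dpkg >/dev/null 2>&1 || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        dpkg -S "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# Constructed sample: a sources directory holding the vscode.list from the story
# next to a stock Raspbian list, and an allowlist of the hosts we expect there.
demo_unexpected() {
    tmp=$(mktemp -d)
    printf 'deb http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi\n' > "$tmp/raspi.list"
    printf '### THIS FILE IS AUTOMATICALLY CONFIGURED ###\n# You may comment out this entry, but any other modifications may be lost.\ndeb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main\n' > "$tmp/vscode.list"
    printf 'raspbian.raspberrypi.org\narchive.raspberrypi.org\n' > "$tmp/allow"
    apt_unexpected_origins "$tmp" "$tmp/allow" | sed "s#^$tmp/##"
    rm -rf "$tmp"
}

# Stand-alone run: reports "vscode.list packages.microsoft.com" for the sample.
demo_unexpected
```

On a real system, `apt_unexpected_origins /etc/apt/sources.list.d /path/to/allowlist` gives the same report and `apt_unowned_files /etc/apt/trusted.gpg.d` reproduces the `dpkg -S` finding from the thread; the stanza from `apt_pin_stanza packages.microsoft.com` goes into a file under /etc/apt/preferences.d and can be verified with `apt-cache policy`. Two caveats: the parser handles one-line `.list` entries only, not deb822 `.sources` files, and a priority-1 pin still lets a package that exists only in that repository be installed when you ask for it by name, which is the case the comment describes as manually forcing it.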

  • (Score: 5, Insightful) by sjames on Friday February 05 2021, @06:06AM (3 children)

    by sjames (2882) on Friday February 05 2021, @06:06AM (#1109208) Journal

    Once you get your repo slipped in by any means, you are on the honor system not to add a package that grants you root access to everything. That's why some bristle at the repo being added so quietly.

    • (Score: 4, Insightful) by Arik on Friday February 05 2021, @06:51AM (2 children)

      by Arik (4543) on Friday February 05 2021, @06:51AM (#1109216) Journal
      "Once you get your repo slipped in by any means, you are on the honor system not to add a package that grants you root access to everything. That's why some bristle at the repo being added so quietly."

      And this is also why you should never accept automatic updates, period.

      Once you do, then all someone has to do is either takeover, or impersonate, your upstream and you are pwned.

      It's far too insecure a design to be used for anything but a plush toy, and a good argument can be made against even that exception.
      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 0) by Anonymous Coward on Friday February 05 2021, @09:05AM (1 child)

        by Anonymous Coward on Friday February 05 2021, @09:05AM (#1109244)

        All packages are signed to protect against impersonation attacks. This of course does not protect you when your actual upstream has been subverted, as happened here.

        • (Score: 2) by Arik on Saturday February 06 2021, @08:41AM

          by Arik (4543) on Saturday February 06 2021, @08:41AM (#1109575) Journal
          "All packages are signed to protect against impersonation attacks."

          Translation: it's not easy to impersonate.

          Yep, didn't say it was.

          I said:

          If the attacker can either (a) compromise upstream or (b) impersonate the upstream, AND you've got automatic updates, THEN you are completely pwned.

          That's it, you're not even disagreeing.

          Given time, upstream will eventually be compromised.

          Given time, upstream will eventually be impersonated.

          Automatic updates are therefore utter insanity. QED.

          If they aren't signed by Torvalds or Volkerding, I ain't taking them. Even if they are, I'm asking questions first. Nothing installs automagically. If anything does, then you've failed as an admin, you need to fdisk and reïnstall and learn from your mistakes.

          --
          If laughter is the best medicine, who are the best doctors?
  • (Score: 2) by aristarchus on Friday February 05 2021, @06:55AM

    by aristarchus (2645) on Friday February 05 2021, @06:55AM (#1109217) Journal

    but based on the information provided in the summery

    Based on the information provided, Winter is coming. Or, at least, autumn with an Eternal September. Why is Microsoft always presaged with typos and misspellings? Are they all illiterate coding bastards?

  • (Score: 0) by Anonymous Coward on Friday February 05 2021, @04:03PM

    by Anonymous Coward on Friday February 05 2021, @04:03PM (#1109331)

    "Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?"

    suid root dumbass.

  • (Score: 2) by hendrikboom on Friday February 05 2021, @08:59PM

    by hendrikboom (1125) Subscriber Badge on Friday February 05 2021, @08:59PM (#1109414) Homepage Journal

    Last time I looked at Visual Studio, there was an installer instead of a deb.
    I did not trust Microsoft then to run an installer on my system.
    I still don't.

    -- hendrik