Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday February 05 2021, @03:23AM   Printer-friendly
from the we-don't-trust-m$ dept.

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code
stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many light weight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by sjames on Friday February 05 2021, @06:06AM (3 children)

    by sjames (2882) on Friday February 05 2021, @06:06AM (#1109208) Journal

    Once you get your repo slipped in by any means, you are on the honor system not to add a package that grants you root access to everything. That's why some bristle at the repo being added so quietly.

    Starting Score:    1  point
    Moderation   +3  
       Insightful=3, Total=3
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 4, Insightful) by Arik on Friday February 05 2021, @06:51AM (2 children)

    by Arik (4543) on Friday February 05 2021, @06:51AM (#1109216) Journal
    "Once you get your repo slipped in by any means, you are on the honor system not to add a package that grants you root access to everything. That's why some bristle at the repo being added so quietly."

    And this is also why you should never accept automatic updates, period.

    Once you do, then all someone has to do is either takeover, or impersonate, your upstream and you are pwned.

    It's far too insecure a design to be used for anything but a plush toy, and a good argument can be made against even that exception.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 0) by Anonymous Coward on Friday February 05 2021, @09:05AM (1 child)

      by Anonymous Coward on Friday February 05 2021, @09:05AM (#1109244)

      All packages are signed to protect against impersonation attacks. This of course does not protect you when your actual upstream has been subverted, as happened here.

      • (Score: 2) by Arik on Saturday February 06 2021, @08:41AM

        by Arik (4543) on Saturday February 06 2021, @08:41AM (#1109575) Journal
        "All packages are signed to protect against impersonation attacks."

        Translation: it's not easy to impersonate.

        Yep, didn't say it was.

        I said:

        If the attacker can either (a) compromise upstream or (b) impersonate the upstream, AND you've got automatic updates, THEN you are completely pwned.

        That's it, you're not even disagreeing.

        Given time, upstream will eventually be compromised.

        Given time, upstream will eventually be impersonated.

        Automatic updates are therefore utter insanity. QED.

        If they aren't signed by Thorvalds or Volkerding, I ain't taking them. Even if they are, I'm asking questions first. Nothing installs automagically. If anything does, then you've failed as an admin, you need to fdisk and reïnstall and learn from your mistakes.

        --
        If laughter is the best medicine, who are the best doctors?