
posted by Fnord666 on Friday February 05 2021, @03:23AM   Printer-friendly
from the we-don't-trust-m$ dept.

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and an OpenPGP signing key to the system. The key means packages from that repository are trusted and can be installed as root, so in principle the repository has full access to the whole system; the repository is also contacted on Microsoft's servers every time APT refreshes its cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
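As an added example (not code from the story or its comments), here is a POSIX shell audit that applies the check above to an APT tree, comments out the active entry as the file's own header suggests, and prints an APT pin that refuses every package from that origin. It runs against a constructed copy of vscode.list in a temporary directory, and the preferences file name /etc/apt/preferences.d/no-microsoft is an assumed choice.

```shell
#!/bin/sh
# Added example: audit an APT tree for the silently added Microsoft source,
# neutralise it, and emit a pin that blocks the origin outright.

MS_HOST="packages.microsoft.com"
DEB_RE="^[[:space:]]*deb(-src)?[[:space:]].*${MS_HOST}"

# Return 0 if FILE contains an active (uncommented) deb/deb-src line for $MS_HOST.
has_active_ms_source() {
    grep -Eq "$DEB_RE" "$1" 2>/dev/null
}

# Print every active source line referencing $MS_HOST under DIR (normally /etc/apt).
# Returns 0 if at least one was found, 1 otherwise.
find_ms_sources() {
    dir="$1"; found=1
    for f in "$dir/sources.list" "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        if has_active_ms_source "$f"; then
            printf '%s: ' "$f"; grep -E "$DEB_RE" "$f"
            found=0
        fi
    done
    return $found
}

# Comment out the offending line in FILE (what the file's header says is allowed).
comment_out_ms_source() {
    sed "s|^\([[:space:]]*deb\(-src\)\{0,1\}[[:space:]].*${MS_HOST}\)|# \1|" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# APT preferences stanza: priority -1 means nothing from this origin is ever
# installed or upgraded, even if the list file is re-created by a later update.
ms_pin_stanza() {
    printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n' "$MS_HOST"
}

# --- demo on a constructed copy of the file from the story, not a live system ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/sources.list.d"
cat > "$DEMO/sources.list.d/vscode.list" <<'EOF'
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
EOF
if find_ms_sources "$DEMO"; then
    echo "Microsoft source found; suggested /etc/apt/preferences.d/no-microsoft:"
    ms_pin_stanza
fi
```

Point it at a real box with `find_ms_sources /etc/apt`, and check `/etc/apt/trusted.gpg.d/` separately for the added key, since the pin blocks packages but does not remove trust.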

  • (Score: 0) by Anonymous Coward on Friday February 05 2021, @03:51PM (2 children)

    by Anonymous Coward on Friday February 05 2021, @03:51PM (#1109327)

    If you give third party root access to hardware that you do not own without consent from the owner, that is the very definition of computer intrusion. Criminal charges should be filed.

    I recognize that there is a possibility that they were not even aware of this, and that the push came from Debian. Name them in the complaint. They have deep pockets after all.

    The correct way for raspbian to respond to this is to roll back the update their corporate charter to prohibit future collusion without corporate dissolution. Then stop basing your distro on Debian. That was just dumb to begin with. If it snuck through from Debian, those guys have always been reckless opportunists on the jock of whoever was willing to pay them.

  • (Score: 0) by Anonymous Coward on Friday February 05 2021, @04:10PM

    by Anonymous Coward on Friday February 05 2021, @04:10PM (#1109335)

    The thing is, all of the astroturfing out there is being logged by the site hosts. If any of those astroturfers can be shown to have been paid, then that is evidence of premeditation. This is actually a hell of a lawsuit, and it is going to make some attorneys very rich.

  • (Score: 0) by Anonymous Coward on Sunday February 07 2021, @02:03AM

    by Anonymous Coward on Sunday February 07 2021, @02:03AM (#1109842)

    Anonymous Australian here.
    Just wanted to point out that if you want a jurisdiction where computer crimes carry overblown sentences, you might want to ensure charges are filed in Australia.

    Unauthorised access to a computer system with alteration of files carries something like a 10 year mandatory minimum sentence.

    Some hacker back in the '60s managed to get into a bank's computer - by dialing up a random phone number - which then spat out all valid credit card details (including expiry dates and current limits).
    Judge thought that the sky might fall because of computer crimes perpetrated on banks, and so made an extreme precedent specifically to act as a deterrent.

    Would love to see the fallout effects from having some MSFT manager thrown into a cell for such a crime. MSFT's corporate culture is already all about arse-covering, so I imagine it would have quite a salutary effect.