Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Wed 16 Apr 2014, 00:46
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Puppy '.pet' Packages
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 4 [53 Posts]   Goto page: 1, 2, 3, 4 Next
Author Message
sszindian


Joined: 24 Apr 2010
Posts: 578
Location: Pennsylvania U.S.

PostPosted: Tue 04 Jan 2011, 11:06    Post subject:  Puppy '.pet' Packages
Subject description: Are they safe?
 

The Linux operating system has certainly come a long ways in the past year and many government,state and business agencies and departments are switching over from other operating systems at a very very fast pace.

Concerning Puppy... Yes, we have an anti-virus program that can be installed to basically catch any virus, malware or spyware that might attach itself to a linux program while one is surfing the web, and, as we know, most of the 'bugs' that attach are an '.exe' extension program that doesn't affect Linux.

Now... I have a weather-widget on my Puppy that every-so-often automatically calls out to a computer somewhere in the world to get the weather update for my system.

It appears that if this simple weather program can do that, it would be very easy for someone to write a similar snipit of code... make it part of a '.pet' package, upload it into our forum somewhere in a must-have Puppy-Useful-Package and what would happen from there??? That code would have complete control of your system sending 'Your Personal, Financial, Medical or whatever information you store OR write OR email' to someone who gathers this information to 'Sell, or simply Store for future needs or reference.' and you would Never Even Know You Have A Virus on your system and to boot, your Anti-Virus program would be totally worthless.

My Question... Is anyone in the development or package-care of Puppy checking for this?

If not... Is there a way something can be implemented to handle this in the future? As an example: All '.pet' packages have to be checked by someone, or a team of someone's before they are made available to Puppy users?

Or simply... Doesn't anyone care until it's to late?
Back to top
View user's profile Send private message 
Lobster
Official Crustacean


Joined: 04 May 2005
Posts: 15117
Location: Paradox Realm

PostPosted: Tue 04 Jan 2011, 12:43    Post subject:  



I am doing my best to invoke paranoia to inspire
some concern . . .
http://www.murga-linux.com/puppy/viewtopic.php?p=398158#398158

So far no one is too worried. Cool

You best bet is to find a piece of compromised flash or javascript
that would work on a variety of computers and possibly Puppy
. . . and then not go to that site Shocked

Other than that I for one will continue to install pets with wanton abandon
and no checking

At the moment with Lucid pets are created from Debian and Ubuntu binaries (no idea what security measures they employ) and also compiled from source code.

Doing all suggested here might make you feel safer . . .
http://puppylinux.org/wikka/Security

_________________
Puppy WIKI
Back to top
View user's profile Send private message Visit poster's website 
sszindian


Joined: 24 Apr 2010
Posts: 578
Location: Pennsylvania U.S.

PostPosted: Tue 04 Jan 2011, 18:42    Post subject: Are '.pet' packages safe!  

Lobster:

Thanks for your concern...

Maybe you don't understand what I said above in my tread!

‘Yes’ I agree that packages that are in the PPM (Pet Package Manager) are probably as safe as you will ever get, both Ubuntu and Debian are very reputable. I am not talking about these type packages, I’m referring to the ones scattered throughout the Puppy FORUM that are placed there by individuals that anyone can download and install on their Puppy system.

Let me give you a small example how 'easy' a '.pet' package could be compromised ...

Back around 1985-86 I was into programming with the Commodore C64. There were not any hard drives then, just 5-1/2“ floppy disks. Developers back then protected their programs by altering the ‘header-section’ on the floppy disk with a simple script... This prevented it from being copied and illegally redistributed.

Around that time, I developed a program that I wanted anyone to be able to view a few times then, naturally purchase from me. Not someone making copies and giving it to the whole world. The ‘header-thing’ would not do for this so I developed a small script and broke it into several sections with sometimes no more than ONE or TWO characters at a certain spot then a few more 500 lines of script later, then the same again and again on down through the program’s code.

I will not go into detail here exactly what I wrote or how I did it for obvious reasons, virus-junkies don’t need any more new information, they have enough of their own ideas!

Anyway, you could view and use my program for 10-sessions then... it dissipated ... Poof... Gone... from the entire disk... If hard drives, USB’s, CDROM’s were available back then, I could have accomplished the same thing.

The total amount of code used was less than this line shows.

If someone purchased my program, ‘One Character’ was altered and the program would run forever without a hitch.

For one minute don’t think this can’t be done in a ‘.pet’ package with the proper knowledge... ‘IT CAN.’

My concern is NOT to be paranoid (which believe me I AM NOT) but how we may be able to PREVENT this from happening in random .pet packages down the road!

If you have ever had a computer totally destroyed or even slightly-altered by a virus you may better understand... As for Puppy ‘So Far’ we are one fortunate bunch without any serious virus problems but like I said... As Linux Becomes More and More Popular... ‘Watch out!’
Back to top
View user's profile Send private message 
postfs1


Joined: 27 Mar 2010
Posts: 831

PostPosted: Tue 04 Jan 2011, 19:33    Post subject: Re: Are '.pet' packages safe!  

sszindian wrote:
... As Linux Becomes More and More Popular ...

Not my words: "free software—software which respects your freedom."

_________________
  • I don't know why laboratories are named a hospitals.
  • The alive personage is like a tea bag with granules of unknown density inside, at that one the packet was made of organic material and was placed in the evaporated liquid or liquid.

Back to top
View user's profile Send private message 
Lobster
Official Crustacean


Joined: 04 May 2005
Posts: 15117
Location: Paradox Realm

PostPosted: Tue 04 Jan 2011, 23:05    Post subject:  

Quote:
but how we may be able to PREVENT this from happening in random .pet packages down the road!


I don't know that we can. I will probably be using Saluki by the time anyone decides to or works out how to do it anyways . . .
http://puppylinux.org/wikka/Puppy6
Frankly I think they will find bigger fish to fry Shocked

We can worry about it if we wish, which is the option I was offering . . . Wink

It takes me about 15 minutes to set Puppy up from scratch with my preferred programs and pets and so on.

If someone has been able to access my hard drive to download all my secrets
(they are in /mnr/nome/secrets_sardine_details/ - now everyone knows)
then I will not feel too shell shocked and jelly fish a-wobbled . . .

If anyone has a better solution or details on stockpiling sardine tins
I would be glad to hear it. Very Happy

Puppy
Is a state of Mind

_________________
Puppy WIKI
Back to top
View user's profile Send private message Visit poster's website 
GustavoYz


Joined: 07 Jul 2010
Posts: 886
Location: .ar

PostPosted: Mon 21 Mar 2011, 00:10    Post subject:  A tip????  

I like to rename some pets as tar.gz and extract it to see whats inside...
Not exactly as a security measure, just as a curiosity issue.
Anyway, like five times it prevent me for install bad pets and also from overwrite libs.
Maybe it helps to improve the general paranoid...
Cool

_________________

Back to top
View user's profile Send private message 
Master_wrong

Joined: 19 Mar 2008
Posts: 456

PostPosted: Mon 21 Mar 2011, 06:16    Post subject:
Subject description: trojan pet scanner ?
 

Perhaps someone can create pet scanner that scan for dangerous skript or command inside pet ?

just a thought... Confused

_________________
Cluster-Pup v.2-Puppy Beowulf Cluster
http://www.murga-linux.com/puppy/viewtopic.php?p=499199#499199
Back to top
View user's profile Send private message 
jamesbond

Joined: 26 Feb 2007
Posts: 1871
Location: The Blue Marble

PostPosted: Mon 21 Mar 2011, 08:56    Post subject:  

sszindian's concern is a real concern, and I remember vaguely that this has been discussed before, right here, in this forum (can't recall the thread name) - and as far as I can recall, there were no obvious solution.

This is a a big problem - much bigger than the root/non-root issue that has spawned a dozen threads or so.

Let's break the problem down into a more manageable chunks:
Problem of trust
a) how do I know that a dotpet is trustable?
b) how do I know that the author of the dotpet is trustable?
c) how do I know that the chain of trust is not broken somewhere?
d) how do we build this chain of trust?

Problem of prevention
Regardless of whether I trust the dotpet (especially if I don't trust it)
d) how do I know the dotpet is not malicious?
e) even if it's not malicious, how do I know it won't wreck my system?

Problem of intervention
If somehow the malicious dotpet has made it into my computer,
f) how do I remove it?
g) how do I ensure that that pet has really, really be gone?

_________________
Fatdog64, Slacko and Puppeee user. Puppy user since 2.13
Back to top
View user's profile Send private message 
ICPUG

Joined: 24 Jul 2005
Posts: 1288
Location: UK

PostPosted: Mon 21 Mar 2011, 09:38    Post subject:  

There seems to be a craze in the world of 'apps' for locking down where you get your apps. Lots of different app stores are popping up, that lock you in, in some way or another.

The Google Android App store recently got criticised because a piece of malware got into it. There was loud criticism on the IT news sites that Google were not checking sufficiently before apps were put in the store.

It struck me that if we are encouraged to only go to an App store, where we get locked in, the internet becomes virtually useless for software distribution!

It is not just Puppy and its .pets. Its anywhere we download software.

I can see there is a problem but if we are to have our freedom curtailed to download our sotware only from 'approved' sources this is just as much a problem (for me anyway).

At the end of the day the user has to exercise some common sense. It is up to the user to decide who are trusted sources. Perhaps run a malware check on packages before installation.

With freedom comes responsibility.

Conversely, if you are not given responsibility to make the choice you have lost your freedom.
Back to top
View user's profile Send private message 
amigo

Joined: 02 Apr 2007
Posts: 2165

PostPosted: Mon 21 Mar 2011, 15:16    Post subject:  

Trust only those packages you have compiled and packaged yourself -after having done a complete manual audit of the sources.... I'll see you in the after-life once you have finished with just the kernel...
Back to top
View user's profile Send private message 
postfs1


Joined: 27 Mar 2010
Posts: 831

PostPosted: Mon 21 Mar 2011, 16:04    Post subject:  

Maybe http://www.chkrootkit.org/
_________________
  • I don't know why laboratories are named a hospitals.
  • The alive personage is like a tea bag with granules of unknown density inside, at that one the packet was made of organic material and was placed in the evaporated liquid or liquid.

Back to top
View user's profile Send private message 
GustavoYz


Joined: 07 Jul 2010
Posts: 886
Location: .ar

PostPosted: Tue 22 Mar 2011, 02:13    Post subject:  

Quote:
Problem of trust
a) how do I know that a dotpet is trustable?
b) how do I know that the author of the dotpet is trustable?
c) how do I know that the chain of trust is not broken somewhere?
d) how do we build this chain of trust?

Problem of prevention
Regardless of whether I trust the dotpet (especially if I don't trust it)
d) how do I know the dotpet is not malicious?
e) even if it's not malicious, how do I know it won't wreck my system?

Problem of intervention
If somehow the malicious dotpet has made it into my computer,
f) how do I remove it?
g) how do I ensure that that pet has really, really be gone?


Malicious?
Could you point an example of a 'malicious' a pet file?
I've never see one... Can you define 'malicious?
The only place where could be, is on the 'pinstall' script if its present (same applies to puninstall).

The big problem is the misinformation about compatibility and what's inside the file. And this is a big issue if you're a newbie...
Why if he/she installs a wrong/older/newer X-important-thing and scrubs X?
A file could be overwritten with a new pet, and after the uninstall of this last package, more apps will possibly not run anymore. That's somthing to solve, at least according to my point of view...
Ok, maybe i'm too naif sometimes. Very Happy

About 'trust', I don't think that forum members will share "malicious" pets intentionally... But if you want to make a 'pet-club of trust', good luck! Personally, i'm confortable with the idea of a forum where everybody can upload a package. By the way, nobody forces anybody to download and/or install anything

Quote:
Trust only those packages you have compiled and packaged yourself -after having done a complete manual audit of the sources.... I'll see you in the after-life once you have finished with just the kernel...

+1!

_________________

Back to top
View user's profile Send private message 
Bernie_by_the_Sea


Joined: 09 Feb 2011
Posts: 329

PostPosted: Tue 22 Mar 2011, 06:12    Post subject: Re: Are '.pet' packages safe!  

sszindian wrote:

Let me give you a small example how 'easy' a '.pet' package could be compromised ...

Back around 1985-86 I was into programming with the Commodore C64. There were not any hard drives then, just 5-1/2“ floppy disks. Developers back then protected their programs by altering the ‘header-section’ on the floppy disk with a simple script... This prevented it from being copied and illegally redistributed.

Around that time, I developed a program that I wanted anyone to be able to view a few times then, naturally purchase from me. Not someone making copies and giving it to the whole world. The ‘header-thing’ would not do for this so I developed a small script and broke it into several sections with sometimes no more than ONE or TWO characters at a certain spot then a few more 500 lines of script later, then the same again and again on down through the program’s code.

I will not go into detail here exactly what I wrote or how I did it for obvious reasons, virus-junkies don’t need any more new information, they have enough of their own ideas!

Anyway, you could view and use my program for 10-sessions then... it dissipated ... Poof... Gone... from the entire disk... If hard drives, USB’s, CDROM’s were available back then, I could have accomplished the same thing.

I owned several models of home computers before the C64 came out. I bought one of the first C64's on the market and within weeks a friend and I starting developing and selling C64 software. Eventually we formed a Software of the Month Club where a subscriber received two disks per month with both games and utilities. None of our software was ever protected. We had a pretty good idea of what our income would be before we ever wrote it thanks to our subscriber base. We knew our software would be copied. Both of us were retired and this was just a hobby with little profit. Floppies were a big improvement over the programs on cassette tapes we were selling earlier for other machines but it was a pain switching from 8080 assembler to 6510.

Some people in a neighboring town formed a C64 computer club that met once a month in a church basement. I saw as many as 60 C64's set up on tables from 6 to 10 PM with over a hundred people copying software as fast as they could stick floppies in the drive. The minister there encouraged piracy calling it "sharing the wealth" and "giving to the poor." He said it was a good example of "Christian fellowship." There were teenagers there as well as persons on social security.

Piracy wasn't at all disreputable then. I met the head of the state IT department there madly trading software with all the rest. Some were just there to trade but a few were quite capable self-taught programmer/cracker/hacker/pirates. The 'header-thing' was simple to work around as was your system of interspersed code. I can use some of the same methods developed back then to copy today's protected programs on USB's, CD/DVD's, etc. and in fact I've used it on a few Treo, BlackBerry and Android apps just to see how their protection works.

After the net developed I kept in touch with some of these early pirates. (Before the web we had a snail mail mimeographed newsletter.) I know ones who went on to such positions as the head of the IT section of a major defense contractor, the head of the IT department of one of the big three auto makers, programmers in federal law enforcement and computer science professors. Most are long since retired or dead now.

The only thing that slowed us crackers down were encoded hardware dongles. Our informal group wasn't malicious never writing any harmful software. We just found fun in breaking protection schemes. Many of us never looked at the software after we broke it. The game wasn’t to steal software but rather to show how foolish protection schemes really were. It was like solving a chess ending or a crossword puzzle.

_________________
Frugal: Knoppix 6.4.4 DVD
USB: DSL 4.4.10
Full: WinXP Pro
Puppy (Feb. 4 - May 12, 2011) led me back to Linux.
Back to top
View user's profile Send private message 
yorkiesnorkie


Joined: 04 Jun 2007
Posts: 505
Location: George's Island

PostPosted: Tue 22 Mar 2011, 07:51    Post subject: Hypothetical Situation Paranoia  

Hi sszindian,

Following this thread, one of the reasons I walked away from Windows was to get away from the "paranoia" which is part of the mental mind set accompanying that OS.

I've been using Puppy for several years now and never found a virus on my Puppy Linux frugal install. I've found that a big relief. I have used clamav to scan numerous family members Windows partitions and always found virus with it even when they had anti-virus installed.

So having withstood the test of time Puppy Linux seems pretty bullet proof to me, even though we run as root.

I'm not really sure what to make of your suggestion about someone deliberately crafting "linux malware".

Yorkie

_________________
www.busygamemaster.com
Back to top
View user's profile Send private message 
01micko


Joined: 11 Oct 2008
Posts: 7546
Location: qld

PostPosted: Tue 22 Mar 2011, 08:56    Post subject:  

Time for my 2c

There would not be any hysteria if everybody backed up.

I know all my important data is backed up.. is yours?

Nobody gives you a warranty that will protect your data. read the infamous EULA.

Your computer could fry at any second, could be faulty hardware, software, house wiring, natural disaster.. you get my drift.

I'm sure if a malicious pet were to destroy all data then the culprit could be traced, caught and tried by a kangaroo court.

However,
Quote:
15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.


That is clause 15 in the GPL3, see /usr/share/doc/legal.

So... our "culprit" may well be protected by this very licence. Therefore only a kangaroo court would do!

All crap aside, we all, well I reckon I speak for just about anyone who has posted a .pet, here or anywhere, believe in open source. No crackers needed! It's all there. You may not understand it, but sure enough if you ask the right question in the right place you will get the correct answer.

Cheers!

_________________
Woof Mailing List | keep the faith Cool |
Back to top
View user's profile Send private message Visit poster's website 
Display posts from previous:   Sort by:   
Page 1 of 4 [53 Posts]   Goto page: 1, 2, 3, 4 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0997s ][ Queries: 12 (0.0049s) ][ GZIP on ]