Puppy '.pet' Packages

For discussions about security.
Message
Author
User avatar
sszindian
Posts: 807
Joined: Sun 25 Apr 2010, 02:14
Location: Pennsylvania U.S.

Puppy '.pet' Packages

#1 Post by sszindian »

The Linux operating system has certainly come a long ways in the past year and many government,state and business agencies and departments are switching over from other operating systems at a very very fast pace.

Concerning Puppy... Yes, we have an anti-virus program that can be installed to basically catch any virus, malware or spyware that might attach itself to a linux program while one is surfing the web, and, as we know, most of the 'bugs' that attach are an '.exe' extension program that doesn't affect Linux.

Now... I have a weather-widget on my Puppy that every-so-often automatically calls out to a computer somewhere in the world to get the weather update for my system.

It appears that if this simple weather program can do that, it would be very easy for someone to write a similar snipit of code... make it part of a '.pet' package, upload it into our forum somewhere in a must-have Puppy-Useful-Package and what would happen from there??? That code would have complete control of your system sending 'Your Personal, Financial, Medical or whatever information you store OR write OR email' to someone who gathers this information to 'Sell, or simply Store for future needs or reference.' and you would Never Even Know You Have A Virus on your system and to boot, your Anti-Virus program would be totally worthless.

My Question... Is anyone in the development or package-care of Puppy checking for this?

If not... Is there a way something can be implemented to handle this in the future? As an example: All '.pet' packages have to be checked by someone, or a team of someone's before they are made available to Puppy users?

Or simply... Doesn't anyone care until it's to late?

User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#2 Post by Lobster »

Image

I am doing my best to invoke paranoia to inspire
some concern . . .
http://www.murga-linux.com/puppy/viewto ... 158#398158

So far no one is too worried. 8)

You best bet is to find a piece of compromised flash or javascript
that would work on a variety of computers and possibly Puppy
. . . and then not go to that site :shock:

Other than that I for one will continue to install pets with wanton abandon
and no checking

At the moment with Lucid pets are created from Debian and Ubuntu binaries (no idea what security measures they employ) and also compiled from source code.

Doing all suggested here might make you feel safer . . .
http://puppylinux.org/wikka/Security
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

User avatar
sszindian
Posts: 807
Joined: Sun 25 Apr 2010, 02:14
Location: Pennsylvania U.S.

Are '.pet' packages safe!

#3 Post by sszindian »

Lobster:

Thanks for your concern...

Maybe you don't understand what I said above in my tread!

‘Yes’ I agree that packages that are in the PPM (Pet Package Manager) are probably as safe as you will ever get, both Ubuntu and Debian are very reputable. I am not talking about these type packages, I’m referring to the ones scattered throughout the Puppy FORUM that are placed there by individuals that anyone can download and install on their Puppy system.

Let me give you a small example how 'easy' a '.pet' package could be compromised ...

Back around 1985-86 I was into programming with the Commodore C64. There were not any hard drives then, just 5-1/2“ floppy disks. Developers back then protected their programs by altering the ‘header-section’ on the floppy disk with a simple script... This prevented it from being copied and illegally redistributed.

Around that time, I developed a program that I wanted anyone to be able to view a few times then, naturally purchase from me. Not someone making copies and giving it to the whole world. The ‘header-thing’ would not do for this so I developed a small script and broke it into several sections with sometimes no more than ONE or TWO characters at a certain spot then a few more 500 lines of script later, then the same again and again on down through the program’s code.

I will not go into detail here exactly what I wrote or how I did it for obvious reasons, virus-junkies don’t need any more new information, they have enough of their own ideas!

Anyway, you could view and use my program for 10-sessions then... it dissipated ... Poof... Gone... from the entire disk... If hard drives, USB’s, CDROM’s were available back then, I could have accomplished the same thing.

The total amount of code used was less than this line shows.

If someone purchased my program, ‘One Character’ was altered and the program would run forever without a hitch.

For one minute don’t think this can’t be done in a ‘.pet’ package with the proper knowledge... ‘IT CAN.’

My concern is NOT to be paranoid (which believe me I AM NOT) but how we may be able to PREVENT this from happening in random .pet packages down the road!

If you have ever had a computer totally destroyed or even slightly-altered by a virus you may better understand... As for Puppy ‘So Far’ we are one fortunate bunch without any serious virus problems but like I said... As Linux Becomes More and More Popular... ‘Watch out!’

postfs1

#4 Post by postfs1 »

To reedit up to date.
Last edited by postfs1 on Sun 27 Mar 2016, 23:09, edited 1 time in total.

User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#5 Post by Lobster »

but how we may be able to PREVENT this from happening in random .pet packages down the road!
I don't know that we can. I will probably be using Saluki by the time anyone decides to or works out how to do it anyways . . .
http://puppylinux.org/wikka/Puppy6
Frankly I think they will find bigger fish to fry :shock:

We can worry about it if we wish, which is the option I was offering . . . :wink:

It takes me about 15 minutes to set Puppy up from scratch with my preferred programs and pets and so on.

If someone has been able to access my hard drive to download all my secrets
(they are in /mnr/nome/secrets_sardine_details/ - now everyone knows)
then I will not feel too shell shocked and jelly fish a-wobbled . . .

If anyone has a better solution or details on stockpiling sardine tins
I would be glad to hear it. :D

Puppy
Is a state of Mind
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

User avatar
GustavoYz
Posts: 883
Joined: Wed 07 Jul 2010, 05:11
Location: .ar

A tip????

#6 Post by GustavoYz »

I like to rename some pets as tar.gz and extract it to see whats inside...
Not exactly as a security measure, just as a curiosity issue.
Anyway, like five times it prevent me for install bad pets and also from overwrite libs.
Maybe it helps to improve the general paranoid...
8)

Master_wrong
Posts: 452
Joined: Thu 20 Mar 2008, 01:48

#7 Post by Master_wrong »

Perhaps someone can create pet scanner that scan for dangerous skript or command inside pet ?

just a thought... :?
Cluster-Pup v.2-Puppy Beowulf Cluster
[url]http://www.murga-linux.com/puppy/viewtopic.php?p=499199#499199[/url]

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#8 Post by jamesbond »

sszindian's concern is a real concern, and I remember vaguely that this has been discussed before, right here, in this forum (can't recall the thread name) - and as far as I can recall, there were no obvious solution.

This is a a big problem - much bigger than the root/non-root issue that has spawned a dozen threads or so.

Let's break the problem down into a more manageable chunks:
Problem of trust
a) how do I know that a dotpet is trustable?
b) how do I know that the author of the dotpet is trustable?
c) how do I know that the chain of trust is not broken somewhere?
d) how do we build this chain of trust?

Problem of prevention
Regardless of whether I trust the dotpet (especially if I don't trust it)
d) how do I know the dotpet is not malicious?
e) even if it's not malicious, how do I know it won't wreck my system?

Problem of intervention
If somehow the malicious dotpet has made it into my computer,
f) how do I remove it?
g) how do I ensure that that pet has really, really be gone?
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]

ICPUG
Posts: 1308
Joined: Mon 25 Jul 2005, 00:09
Location: UK

#9 Post by ICPUG »

There seems to be a craze in the world of 'apps' for locking down where you get your apps. Lots of different app stores are popping up, that lock you in, in some way or another.

The Google Android App store recently got criticised because a piece of malware got into it. There was loud criticism on the IT news sites that Google were not checking sufficiently before apps were put in the store.

It struck me that if we are encouraged to only go to an App store, where we get locked in, the internet becomes virtually useless for software distribution!

It is not just Puppy and its .pets. Its anywhere we download software.

I can see there is a problem but if we are to have our freedom curtailed to download our sotware only from 'approved' sources this is just as much a problem (for me anyway).

At the end of the day the user has to exercise some common sense. It is up to the user to decide who are trusted sources. Perhaps run a malware check on packages before installation.

With freedom comes responsibility.

Conversely, if you are not given responsibility to make the choice you have lost your freedom.

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#10 Post by amigo »

Trust only those packages you have compiled and packaged yourself -after having done a complete manual audit of the sources.... I'll see you in the after-life once you have finished with just the kernel...

postfs1

#11 Post by postfs1 »

To reedit up to date.
Last edited by postfs1 on Mon 28 Mar 2016, 00:23, edited 1 time in total.

User avatar
GustavoYz
Posts: 883
Joined: Wed 07 Jul 2010, 05:11
Location: .ar

#12 Post by GustavoYz »

Problem of trust
a) how do I know that a dotpet is trustable?
b) how do I know that the author of the dotpet is trustable?
c) how do I know that the chain of trust is not broken somewhere?
d) how do we build this chain of trust?

Problem of prevention
Regardless of whether I trust the dotpet (especially if I don't trust it)
d) how do I know the dotpet is not malicious?
e) even if it's not malicious, how do I know it won't wreck my system?

Problem of intervention
If somehow the malicious dotpet has made it into my computer,
f) how do I remove it?
g) how do I ensure that that pet has really, really be gone?
Malicious?
Could you point an example of a 'malicious' a pet file?
I've never see one... Can you define 'malicious?
The only place where could be, is on the 'pinstall' script if its present (same applies to puninstall).

The big problem is the misinformation about compatibility and what's inside the file. And this is a big issue if you're a newbie...
Why if he/she installs a wrong/older/newer X-important-thing and scrubs X?
A file could be overwritten with a new pet, and after the uninstall of this last package, more apps will possibly not run anymore. That's somthing to solve, at least according to my point of view...
Ok, maybe i'm too naif sometimes. :D

About 'trust', I don't think that forum members will share "malicious" pets intentionally... But if you want to make a 'pet-club of trust', good luck! Personally, i'm confortable with the idea of a forum where everybody can upload a package. By the way, nobody forces anybody to download and/or install anything
Trust only those packages you have compiled and packaged yourself -after having done a complete manual audit of the sources.... I'll see you in the after-life once you have finished with just the kernel...
+1!

User avatar
Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

Re: Are '.pet' packages safe!

#13 Post by Bernie_by_the_Sea »

sszindian wrote: Let me give you a small example how 'easy' a '.pet' package could be compromised ...

Back around 1985-86 I was into programming with the Commodore C64. There were not any hard drives then, just 5-1/2“ floppy disks. Developers back then protected their programs by altering the ‘header-section’ on the floppy disk with a simple script... This prevented it from being copied and illegally redistributed.

Around that time, I developed a program that I wanted anyone to be able to view a few times then, naturally purchase from me. Not someone making copies and giving it to the whole world. The ‘header-thing’ would not do for this so I developed a small script and broke it into several sections with sometimes no more than ONE or TWO characters at a certain spot then a few more 500 lines of script later, then the same again and again on down through the program’s code.

I will not go into detail here exactly what I wrote or how I did it for obvious reasons, virus-junkies don’t need any more new information, they have enough of their own ideas!

Anyway, you could view and use my program for 10-sessions then... it dissipated ... Poof... Gone... from the entire disk... If hard drives, USB’s, CDROM’s were available back then, I could have accomplished the same thing.
I owned several models of home computers before the C64 came out. I bought one of the first C64's on the market and within weeks a friend and I starting developing and selling C64 software. Eventually we formed a Software of the Month Club where a subscriber received two disks per month with both games and utilities. None of our software was ever protected. We had a pretty good idea of what our income would be before we ever wrote it thanks to our subscriber base. We knew our software would be copied. Both of us were retired and this was just a hobby with little profit. Floppies were a big improvement over the programs on cassette tapes we were selling earlier for other machines but it was a pain switching from 8080 assembler to 6510.

Some people in a neighboring town formed a C64 computer club that met once a month in a church basement. I saw as many as 60 C64's set up on tables from 6 to 10 PM with over a hundred people copying software as fast as they could stick floppies in the drive. The minister there encouraged piracy calling it "sharing the wealth" and "giving to the poor." He said it was a good example of "Christian fellowship." There were teenagers there as well as persons on social security.

Piracy wasn't at all disreputable then. I met the head of the state IT department there madly trading software with all the rest. Some were just there to trade but a few were quite capable self-taught programmer/cracker/hacker/pirates. The 'header-thing' was simple to work around as was your system of interspersed code. I can use some of the same methods developed back then to copy today's protected programs on USB's, CD/DVD's, etc. and in fact I've used it on a few Treo, BlackBerry and Android apps just to see how their protection works.

After the net developed I kept in touch with some of these early pirates. (Before the web we had a snail mail mimeographed newsletter.) I know ones who went on to such positions as the head of the IT section of a major defense contractor, the head of the IT department of one of the big three auto makers, programmers in federal law enforcement and computer science professors. Most are long since retired or dead now.

The only thing that slowed us crackers down were encoded hardware dongles. Our informal group wasn't malicious never writing any harmful software. We just found fun in breaking protection schemes. Many of us never looked at the software after we broke it. The game wasn’t to steal software but rather to show how foolish protection schemes really were. It was like solving a chess ending or a crossword puzzle.
[color=green]Frugal[/color]: Knoppix 6.4.4 DVD
[color=blue]USB[/color]: DSL 4.4.10
[color=red]Full[/color]: WinXP Pro
Puppy (Feb. 4 - May 12, 2011) led me back to Linux.

User avatar
yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

Hypothetical Situation Paranoia

#14 Post by yorkiesnorkie »

Hi sszindian,

Following this thread, one of the reasons I walked away from Windows was to get away from the "paranoia" which is part of the mental mind set accompanying that OS.

I've been using Puppy for several years now and never found a virus on my Puppy Linux frugal install. I've found that a big relief. I have used clamav to scan numerous family members Windows partitions and always found virus with it even when they had anti-virus installed.

So having withstood the test of time Puppy Linux seems pretty bullet proof to me, even though we run as root.

I'm not really sure what to make of your suggestion about someone deliberately crafting "linux malware".

Yorkie
[url]http://www.busygamemaster.com[/url]

User avatar
01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld
Contact:

#15 Post by 01micko »

Time for my 2c

There would not be any hysteria if everybody backed up.

I know all my important data is backed up.. is yours?

Nobody gives you a warranty that will protect your data. read the infamous EULA.

Your computer could fry at any second, could be faulty hardware, software, house wiring, natural disaster.. you get my drift.

I'm sure if a malicious pet were to destroy all data then the culprit could be traced, caught and tried by a kangaroo court.

However, [quote]15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS
Puppy Linux Blog - contact me for access

User avatar
yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#16 Post by yorkiesnorkie »

This thread prompted me to go and do some reading. There seems to be no little resentment from a certain blogging segment regarding the vulnerabilities that Windows has, and wishing Linux shared them so that they could say "aha, told you so!"

I agree, backup is important, so is awareness when surfing, what features are turned on in browsers such as flash and javascript. I have these turned off for the most part myself. I've been using Opera and turn them on only when I need them. I ran the firewall, and checked to see how stealthy puppy is. I've been impressed and happy with Puppy myself.

The truly paranoid should run from the live CD if they want a pristine OS. :)

Yorkie
:-)
[url]http://www.busygamemaster.com[/url]

User avatar
yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#17 Post by yorkiesnorkie »

I found this article on wikipedia:

http://en.wikipedia.org/wiki/Linux_malware

Actually, this article below from 2003 is kind of interesting as well because it sets out much of the differences between the Windows and Linux OS and why virus and trojans propagate easily on Windows but confront difficulty on a Linux OS. Kind of ancient history though...

http://www.securityfocus.com/columnists/188

What is interesting, (not that I want to start yet another run as root discussion, is that despite "Lindows" (which the author criticized for running as root) and we can include Puppy there, no crisis has manifested itself. Lindows is ancient history...

Yorkie
Last edited by yorkiesnorkie on Tue 22 Mar 2011, 15:54, edited 2 times in total.
[url]http://www.busygamemaster.com[/url]

postfs1

#18 Post by postfs1 »

To reedit up to date.
Last edited by postfs1 on Mon 28 Mar 2016, 00:18, edited 2 times in total.

User avatar
yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#19 Post by yorkiesnorkie »

postfs1 wrote:
yorkiesnorkie wrote:... The truly paranoid should run from the live CD if they want a pristine OS. :) ...
I don't know who pays for the label.
:?: You lost me :)
[url]http://www.busygamemaster.com[/url]

User avatar
yorkiesnorkie
Posts: 504
Joined: Mon 04 Jun 2007, 13:11
Location: George's Island

#20 Post by yorkiesnorkie »

postfs1 wrote:
yorkiesnorkie wrote:... The truly paranoid should run from the live CD if they want a pristine OS. :) ...
I don't know who pays for the label.

:arrow: An article about rootkit:
Thanks for the link by the way, I use ClamAV, and I'll be interested to see what this turns up.

Yorkie
:-)
[url]http://www.busygamemaster.com[/url]

Post Reply