jstarfish 5 years ago

One of the more frustrating things about infosec is that more and more practices that were once considered bad or malicious later become mainstream.

Used to be, don't publish information about yourself that could be used to impersonate you. Then we got Facebook.

Installing random binaries used to be a bad thing; now it's outright encouraged. "Thanks for using our toilet. Download our app to unlock the door!"

Telemetry/analytics/arbitrary callbacks used to be shady/questionable and require user consent, now it's standard practice to exfiltrate whatever you want from user devices. You've got root/elevated privilege, encryption is easy and your traffic can easily blend into the haystack, so why not.

Opt-in billing used to be the domain of sleazy porn sites, but now you can't buy anything from Amazon without them trying to surreptitiously slip a Prime subscription into your cart during checkout.

Seeing traffic from anonymous VPNs logging into financial accounts used to be an obvious giveaway of something suspicious going on. Devices are now shipping with easy-to-enable "anonymous mode" apps that average users have no legitimate need for and route all of your device's traffic through god knows where, which has the effect of making your traffic indistinguishable from a fraudster's.

Popular email clients, budget analysis and social media platforms will solicit and cache third-party credentials for your employer, your bank, or your life if you provide them. This despite a decade of trying to beat "never give your password to anyone!" into the popular mindset.

Same with algorithmically-generated domains/subdomains, etc.

  • dontbenebby 5 years ago

    >Installing random binaries used to be a bad thing, now it's outright encouraged. "Thanks for using our toilet. Download our app to unlock the door!"

    It's surprising to me how rarely even reputable companies provide hashes/signatures.

    I just downloaded a Windows virtual machine that MS offers for free[1].

    No sha256 sum, no pgp signature. I ended up deciding that since it is served over HTTPS from an MS controlled domain that I'd accept the risk, but I wish more vendors would allow advanced users to verify downloads.

    (MS is not alone in this, many, many open source projects offer up pre-compiled binaries with zero checksum info, which especially sucks since so often they rely on an assortment of mirrors for the binaries rather than a central location)

    I understand that telling users to fire up the CLI may be a pain point, but offering the information as an optional step for the experienced user should be a best practice IMHO.

    [1]For the interested, seems to last "only" 30 days but you can roll back to a snapshot if you're just testing compatibility of sites with Edge: https://developer.microsoft.com/en-us/microsoft-edge/tools/v...

    • dylan604 5 years ago

      It would be amazing if the desktop OS had a right-click option to validate checksums for you. Just something simple that when clicked allows the user to choose which type of hash to generate, then you still have to compare to the website. In 2019 with the amount of data downloaded, this is something the OS vendors need to do more for their users.

      • Digit-Al 5 years ago

        What you are looking for is HashTab[1]. It adds a tab to your file properties page that shows a variety of different hashes for the file, including MD5, SHA-1, and SHA-256. You can configure it to show a large number of different hashes. Also, if you have copied a hash from a website into your clipboard it will automatically compare it to the configured hashes and show you if there is a match.

        [1] https://download.cnet.com/HashTab/3000-2094_4-84837.html

        [edit: typo]
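The two checks discussed in this subthread, as an added example (not code from Microsoft, HashTab, or any commenter): dontbenebby's wish for a published SHA256SUMS-style file to verify against, and Digit-Al's description of HashTab guessing the algorithm from a hash copied into the clipboard and comparing it. The file contents and the checksum lines below are constructed for the demonstration; the `sha256sum`-style line format is the real one, the sample data is not.

```python
"""Verify a downloaded file against a published checksum, the way a
HashTab-style tool or a `sha256sum -c` run would.  Added example, not code
from any project mentioned on this page.  Sample file bytes and checksum
lines are constructed for the demonstration."""
import hashlib
import hmac
import os
import tempfile

# Map hex digest length to the algorithm a pasted hash must have been made with.
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Stream the file through the hash so a multi-GB ISO never sits in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def guess_algorithm(pasted):
    """Pick the algorithm from the length of a hex digest copied off a website."""
    token = pasted.strip().lower()
    if not token or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a hex digest")
    try:
        return _HEX_LEN_TO_ALGO[len(token)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(token)}") from None


def matches_pasted_hash(path, pasted):
    """HashTab-style check: hash the file with whatever algorithm the pasted
    value implies and compare in constant time.  Returns (algorithm, ok)."""
    algo = guess_algorithm(pasted)
    ok = hmac.compare_digest(file_digest(path, algo), pasted.strip().lower())
    return algo, ok


def parse_sums_file(text):
    """Parse sha256sum-style lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.lstrip(" *")] = digest.lower()
    return expected


def verify_against_sums(directory, sums_text, algo="sha256"):
    """Equivalent of `sha256sum -c --ignore-missing SHA256SUMS` run in `directory`.
    Returns {filename: True/False} for the listed files that exist on disk."""
    results = {}
    for name, digest in parse_sums_file(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            continue
        results[name] = hmac.compare_digest(file_digest(path, algo), digest)
    return results


def demo():
    """Constructed scenario: a good download, a tampered one, and a pasted hash."""
    good = b"pretend this is the vendor's VM image\n"
    tampered = good + b"# one extra line changes the digest\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("image.zip", good), ("tampered.zip", tampered)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # A SHA256SUMS file as a vendor would publish it; the second entry
        # deliberately lists the digest of the *good* bytes for the tampered file.
        good_hex = hashlib.sha256(good).hexdigest()
        sums = f"{good_hex}  image.zip\n{good_hex} *tampered.zip\n"
        sums_result = verify_against_sums(d, sums)
        # Hash pasted from a web page, in upper case as sites often show it.
        pasted_result = matches_pasted_hash(os.path.join(d, "image.zip"), good_hex.upper())
    return sums_result, pasted_result


if __name__ == "__main__":
    print(demo())
```

The constant-time compare is overkill for a local file check but costs nothing; the streaming read is what matters for the multi-gigabyte images being discussed. Note that a checksum only ties the file to whatever the vendor published on the same page: if the page and the sums are served from the same compromised mirror, both change together, which is the case for a detached signature over the sums file.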

        • dylan604 5 years ago

          That sounds cool. However, that's just another piece of software that needs to be downloaded and verified before installing. I want this to be part of the OS. It's a dangerous world out there, and the OS shouldn't make it so hard to stay safe.

          • dontbenebby 5 years ago

            Yeah, for example a right click option to show the hash of a file in macOS would be nice. Technically I can do it on the CLI, but most users are CLI-shy.

      • Nullabillity 5 years ago

        Dolphin has this under file properties! That said, it should probably be made far more prominent, and even integrated into web browsers...

        • namibj 5 years ago

          It's called metalink. It's great.

    • scarface74 5 years ago

      Is providing a pgp signature any safer than having signed apps to ensure that the app both comes from the source you think it comes from and ensuring it hasn’t been tampered with?

    • ben_w 5 years ago

      I’ve been around long enough to remember when people thought that sort of thing was a particular flaw of closed-source, but Ubuntu is failing in a similar way, as this unfixed bug from 2014 (confirmed and with multiple duplicates) demonstrates: https://bugs.launchpad.net/ubuntu/+bug/1359836

      Call me cynical, but this is what I expect to see if a government had ordered them to allow certain forms of interference with the OS. I don’t know enough to eliminate any other possibility, but it certainly smells fishy.

      • dontbenebby 5 years ago

        Wait, am I reading this bug correctly: even if I have HTTPS everywhere installed to force the S in errant urls, it would still go over HTTP? Because... "we provide the signatures"? Yikes.

        • SpaceNugget 5 years ago

          No, you are not. The "bug" is that the download page has a link to an http mirror.

          If there was a bug where the ubuntu website could force your browser to display https:// and serve content over http without a warning you would have most definitely heard about it before now.

          As to why most mirrors serve over http, it's for the same reasons presented here: https://whydoesaptnotusehttps.com/

          • ben_w 5 years ago

            Is there any clear reason why the checksums are also only available on http domains? One of the duplicate bugs: https://bugs.launchpad.net/ubuntu-website-content/+bug/15349...

            I believe your link does not explain why Ubuntu’s .iso files are not on https, as one of its justifications is that APT uses other mechanisms for integrity checking, which doesn’t apply to OS installation disk images.

            • dontbenebby 5 years ago

              I agree with parent, it doesn't make sense to host checksums on a plain HTTP site.

              Also grandparent's link states

              >HTTPS does not provide meaningful privacy for obtaining packages. As an eavesdropper can usually see which hosts you are contacting

              Which is untrue. An attacker can't tell which specific packages are being downloaded, which could be important depending on your threat model.

              (The argument can be made size of DL leaks info, but that's a lot of work, and multiple packages could have same size)
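The size side-channel that dontbenebby concedes in parentheses, as an added example (not code from the linked page or any commenter): an eavesdropper on an HTTPS mirror sees only the volume of ciphertext, but with the mirror's public package index that is often enough to name the package, and padding responses to fixed buckets is what makes the "multiple packages could have the same size" defence actually hold. The package sizes and the transport-overhead bounds below are constructed, hypothetical numbers, not real .deb sizes.

```python
"""Size fingerprinting of package downloads over HTTPS, and the padding
mitigation.  Added example; the index and overhead figures are constructed."""

# Constructed mirror index: package name -> download size in bytes.  A real
# eavesdropper would fetch these from the same public mirror the client uses.
INDEX = {
    "tor":        1_945_312,
    "openvpn":      569_644,
    "wireguard":    100_122,
    "curl":         194_084,
    "wget":         340_132,
    "htop":          92_304,
    "nmap":       1_945_312,   # same size as tor: a deliberate collision
}

# Assumed per-response overhead (HTTP headers plus TLS record framing).
# Hypothetical bounds for the example; in practice they are measured.
OVERHEAD_MIN = 400
OVERHEAD_MAX = 1_200


def candidates(observed_bytes, index=INDEX):
    """Packages whose size plus plausible transport overhead matches the
    ciphertext volume seen on the wire.  Sorted list of names."""
    lo = observed_bytes - OVERHEAD_MAX
    hi = observed_bytes - OVERHEAD_MIN
    return sorted(name for name, size in index.items() if lo <= size <= hi)


def pad_to_bucket(size, bucket):
    """Server-side mitigation: round every response up to a multiple of
    `bucket` bytes so different packages produce identical ciphertext volumes."""
    return -(-size // bucket) * bucket


def candidates_with_padding(observed_bytes, bucket, index=INDEX):
    """The same query against a padding mirror: everything in the observed
    bucket is a candidate, so the set is (usually) much larger."""
    padded = {name: pad_to_bucket(size, bucket) for name, size in index.items()}
    return candidates(observed_bytes, padded)


def demo():
    """Three observations: a unique size, a padded download, a natural collision."""
    # Eavesdropper sees openvpn's size plus 800 bytes of framing: unique hit.
    plain = candidates(569_644 + 800)
    # Same download from a mirror that pads to 1 MiB buckets.
    bucket = 1 << 20
    padded = candidates_with_padding(pad_to_bucket(569_644, bucket) + 800, bucket)
    # tor and nmap were given identical sizes, so the plain mirror is
    # ambiguous for them even without padding.
    collision = candidates(1_945_312 + 800)
    return plain, padded, collision


if __name__ == "__main__":
    plain, padded, collision = demo()
    print("no padding:   ", plain)
    print("1 MiB buckets:", padded)
    print("collision:    ", collision)
```

The bucket size is the trade-off: larger buckets hide more packages but waste more bandwidth, and a client fetching several packages in one session leaks a sequence of sizes, which narrows the candidate set much faster than a single size does.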

  • TeMPOraL 5 years ago

    Interesting; the first two points you make sound wrong. It used to be that you got most software via "random binaries"; then, in the late 2000s, it became out of fashion and attention was called to dangers. It used to be, when Internet was new, that people didn't have trouble publishing personal information. Personal SEO was a thing; people optimized what prospective employers would find when googling their surname. Facebook came later, and even later still we got calls to stop publishing personal information.

  • paulryanrogers 5 years ago

    > Devices are now shipping with easy-to-enable "anonymous mode" apps that average users have no legitimate need for...

    I'd argue VPNs are increasingly table stakes as consumer ISPs adopt darker patterns like tag injection. (Recently discovered this in the wild with my new residential ISP.)

  • heresie-dabord 5 years ago

    > infosec

    It isn't the rise of fascism -- it's the rise of hyper-profiteering. There is too much money to be made from the ignorance of well-conditioned consumers for principle to prevail.

  • kerng 5 years ago

    Reminds me of that one time when Microsoft in late 90s sent one web request back to Redmond for Windows installations and all hell broke loose! Microsoft is tracking/controlling everyone and could update things centrally - total world domination is the goal!

    Then came Google and everyone just surrendered their stuff voluntarily anyway.

    I think sometimes the player just changes, and then users and media accepts the new reality.

  • scarface74 5 years ago

    > Used to be, don't publish information about yourself that could be used to impersonate you. Then we got Facebook.

    With the number of data breaches by credit reporting agencies, Facebook is the least of your worries.

    > Installing random binaries used to be a bad thing, now it's outright encouraged. "Thanks for using our toilet. Download our app to unlock the door!"

    With iOS, the amount of damage an untrusted binary can do is extremely limited.

    > Opt-in billing used to be the domain of sleazy porn sites, but now you can't buy anything from Amazon without them trying to surreptitiously slip a Prime subscription into your cart during checkout.

    Sleazy billing has been a thing since Columbia House.

arboghast 5 years ago

I reverse malware from time to time for fun and for work and I can guarantee you that a lot of adware is malware in disguise. They often have the same functionalities and persistence mechanisms. We're far from the AskToolbar that was showing up in your Internet Explorer over a decade ago.

Two variants in particular, known as DealPly and DealAlpha use advanced persistence mechanisms that you'd find in APTs to make themselves nearly impossible to catch and remove.

The other risk is the advertising network itself that delivers the advertisement. Exploit kits have been using compromised advertising servers to deliver the exploit and compromise hosts for as long as adware has existed. These servers rarely have good security and the companies owning them generally don't care much. I even suspect that some willingly participate in the distribution for financial gain.

While doing forensics for a client a few weeks ago, I found what appeared to be a state-sponsored APT being delivered by a program bundled with adware.

I'm really upset with open source projects like FileZilla willingly serving bundled crap to their users downloading from the official website to finance themselves. They're putting millions of computers at risk.

  • SCHiM 5 years ago

    There is a malware family out there that managed to outwit a couple of security researchers. Multiple layers of VM/debugger detection were present in a malware sample. If a debugger or VM was detected it would drop a generic adware sample to disguise the true intent. Additionally, telemetry designed to look adware-ish would be sent to the CnC servers, blacklisting your IP so that you'd only ever receive the adware from that point on, even if you managed to bypass the additional layers of protection that were previously missed.

    https://foxitsecurity.files.wordpress.com/2015/12/foxit-whit...

ducttape12 5 years ago

Remember back when everyone's computers were infected with this crap because everyone installed p2p crap like Kazaa?

Do non-tech savvy people still have a reason to install software? Don't most people just need a web browser?

  • MagicPropmaker 5 years ago

    I still see non-tech savvy friends have computers with "adware" installed in their browser. It's usually because they tried to "fix" something themselves, googled, and installed something that was purported to fix the problem.

    There are a bunch of well SEO'd sites that will come up if you google nearly any computer issue that will appear to have a solution, but step 3 is usually to try installing some software.

    (For example, if you google "can't delete file windows" this site will come up. I don't recommend installing the software https://www.easeus.com/partition-manager-software/delete-fil... ) Here's a discussion on MalwareBytes forum about it: https://forums.malwarebytes.com/topic/166526-easeus-partitio...

    No matter how many times I yell and scream at friends not to just blindly google for "Device Drivers" and install them, they do. Even sites that look a lot like a legit Epson or Canon site (for scanner or printer drivers, etc) are fake. (And they're searching for device drivers because they have a printer problem and they don't realize that the need to install a custom driver for a name-brand current printer on Windows or MacOS is very very rare)

    • dwyerm 5 years ago

      Perhaps the disbelief that your piece of hardware is now useless is stronger than the disbelief in the honesty of the internet?

      It is amusing to me that you mention Canon, since they're one of the worst offenders I've dealt with in this regard. During the change from W98 to Win7, they cut off support for whole product lines. My scanner, purchased just a few years ago, was now useless. My Linux box had better driver support than my shiny new Windows box.

      It was unbelievable that my scanner was no longer functional, and I was willing to try some hacking to try to get it functional again...

      So... I understand especially why people are looking for drivers. They're looking to extend the value of their purchases.

    • jolmg 5 years ago

      > For example, if you google "can't delete file windows" this site will come up. I don't recommend installing the software https://www.easeus.com/partition-manager-software/delete-fil.... )

      That's interesting. It starts talking about different ways to try to delete a file, and at the end it recommends that software and gives instructions to wipe partitions with it. Did I misunderstand that?

      > No matter how many times I yell and scream at friends not to just blindly google for "Device Drivers" and install them, they do. Even sites that look a lot like a legit Epson or Canon site (for scanner or printer drivers, etc) are fake.

      Does Windows still not have package repositories like Linux distros do? Installing software from anywhere other than official repos should be an obvious no-no if repos simply existed.

      • MagicPropmaker 5 years ago

        > Does Windows still not have package repositories like Linux distros do? Installing software from anywhere other than official repos should be an obvious no-no if repos simply existed.

        Yes, of course. And if you must get the custom software (for example I like the value-added software for my Fujitsu document scanners with sheet-feeders) then the ONLY thing to do is to go to Fujitsu's official site--after making 100% certain it's really the site--and getting it from there.

    • scarface74 5 years ago

      I refuse to install even manufacturers printer drivers on my Windows computers because of all the crapware that comes with them. On the rare occasion that I need to print, I just do it from my iPhone/iPad to my AirPrint compatible printers.

      Luckily, most of the time, you don’t need printer drivers for consumer printers for Macs. They mostly support AirPrint.

    • gowld 5 years ago

      It's fascinating that someone knows what a device driver is but doesn't know what a malware site is. Is this someone whose computer knowledge is frozen in 1996?

      • jolmg 5 years ago

        Actually, it's news to me that Windows no longer requires looking for and installing device drivers for common printer brands. Also, what's a malware site? Is that an anti-virus official website or a forum where people just talk about their experiences with malware? I guess my Windows knowledge is stuck in the 90s/00s. Never really needed either on Linux.

      • scarface74 5 years ago

        How many people trusted SourceForge and CNET’s download.com that added adware to third party software?

  • elorant 5 years ago

    They don't, but at the same time they also have no way of distinguishing between crapware and legitimate software. So they visit some site from a phishing email supposedly sent by one of their friends, which is easily guessed these days with the prevalence of social media, then the site prompts them to download this or that, they press "yes" and then all hell breaks loose.

Animats 5 years ago

So why no prosecutions under the Computer Fraud and Abuse Act for "exceeding authorized access"? Adware doesn't have consent. There's no contract of adhesion. Has anyone filed a criminal complaint?