Not the first time this has happened, but recently the Snap store from Canonical hosted a scam bitcoin app that claimed to be "Exodus wallet" that caused a user to lose money.
Posting on the Snapcraft forum an unfortunate user noted their wallet has been emptied after using it, and a day later a Canonical staffer mentioned it had now been removed and they were investigating the incident.
Mark Shuttleworth, CEO of Canonical, has now jumped into the discussion in another forum post to note that while "cryptocurrency is largely a cesspit of ignoble intentions even if the mathematics are interesting", Shuttleworth doesn't think that "banning cryptocurrency apps helps" as "If anything, it would make using Linux much worse.".
Additionally, Shuttleworth also opened an additional forum post to discuss requiring "more comprehensive proof of publisher identity for every publisher" for Snaps. So if you have good ideas for them to implement, to make Snap publishing more secure - drop a reply in the linked post.
Hopefully Canonical come up with a good solution, because repeating issues like this reflect pretty poorly on Snap, Canonical and Ubuntu.
Alan Pope (formerly of Canonical, now Axiom) wrote up two blog posts on it "Exodus Bitcoin Wallet: $490K Swindle" and the follow-up "Exodus Bitcoin Wallet: Follow up 2.0" that you may want to read for a little more background.
Anyway speaking of Flatpak...
Additionally, Shuttleworth also opened an additional forum post to discuss requiring "more comprehensive proof of publisher identity for every publisher" for Snaps. So if you have good ideas for them to implement, to make Snap publishing more secure - drop a reply in the linked post.... Shouldn't they have thought of this before letting randoms publish to a store?
"I don’t however think that banning cryptocurrency apps helps. If anything, it would make using Linux much worse.
At least snaps have good, and over time increasingly good, mechanisms for technical confinement. Projects like Ubuntu and Debian and RHEL have relatively rigorous know-your-contributor processes, but apps can’t all be in the distro archives. The other Linux app distribution mechanisms (such as PPAs, Github builds and releases, OBS, or even the containerised ones like Flatpak) don’t have nearly the same technical measures for confinement that snaps do. If we ban cryptocurrency apps from the snap store then those users will simply get apps from those unconfined sources - and then the attacks will be even worse because the apps can go trawling all over the system, or do things like keylogging."
https://forum.snapcraft.io/t/should-unverified-cryptocurrency-apps-be-banned/38919/4
They are adding a high risk category to the store for starters. AI, crypto, fediverse... These newer are here to stay with their challenges and should nor could not be hidden away from. This has very little to do with snaps particularly but i'm sure many want to make it look like that. Things would have been the same with flatpak too.
Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.
Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...
Last edited by Purple Library Guy on 23 February 2024 at 4:56 pm UTC
1. mark any snap that has been uploaded by any one that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make shore the snap dose not contain malicious code
3. all snaps need to be randomly checked to make shore the snap dose not contain malicious code
i know a way that can fix this problem but it may be easier said than done
1. mark any snap that has been uploaded by any one that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make shore the snap dose not contain malicious code
3. all snaps need to be randomly checked to make shore the snap dose not contain malicious code
Well it is how to perform #2 and #3 that is the question, not that it should be done, but how. AFAIK they are closed source.
Trustworthy international financial services.
I only see 3 real solutions to this issue they could try.
1. Find 1+ less scammy open source projects providing crypto wallets and just make theirs the only ones on your store.
2. one build the wallet yourself and make it the only one on your store.
3. obtain the cd containing the program personally at the producer's house and inspect their id-cart.
3 is basically how it is done for every individual intra european banking customer, which also shows its weakness. This is the level the EU checks consumers not banks. Snap simply doesn't have the recources to do that for proprietary apps.
Last edited by LoudTechie on 23 February 2024 at 8:41 pm UTC
I'm not sure I understand the problem. Was this not the behaviour he was expecting? Is the problem that the crypto app stole his money instead of the exchange doing it?I'm reading Tracers in the Dark at the moment. I'm up to the part where Mt. Gox lost 500,000 bitcoins (every single Bitcoin they were entrusted with), managed to find 200,000 from an old wallet, and the rest remains lost.
Cryptocurrency exchanges (huge ones) have fallen again and again over the years.
If you're going to hold a lot of cryptocurrency, you want to hold that in a private wallet... ironically, you might be better at protecting it yourself than these exchanges with so many resources.
And I wouldn't trust just any store. Get the wallet software directly from the developer.
This is something AppImage is best suited for, actually...
Yep, this ^^^^!Oh no!
Anyway speaking of Flatpak...
I use mostly snaps and very few flatpaks because Snapcraft is way ahead of Flathub in terms of verified (mainstream-ish) apps. Unverified apps should always have a big fat warning sign.
Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.
Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...
I don't know nothing about using crypto currencies, but I found these apps e.g.:
https://packages.debian.org/bookworm-backports/electrum
https://packages.debian.org/bookworm/monero
https://packages.debian.org/sid/dogecoin
Ah yes, Dogecoin. The most sensible of the crypto IMO. After all, it's perfectly reasonable for the ruler of Venice to be issuing coinage.Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.
Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...
I don't know nothing about using crypto currencies, but I found these apps e.g.:
https://packages.debian.org/bookworm-backports/electrum
https://packages.debian.org/bookworm/monero
https://packages.debian.org/sid/dogecoin
Spoiler, click me
Last edited by Purple Library Guy on 24 February 2024 at 6:26 pm UTC
if you have good ideas for them to implementThey could have a dedicated maintainer for each package, who is responsible for building the package from source, and who is accountable in case the package contains malware. They could set up a system like this: https://wiki.debian.org/Maintainers
Oh, wait...
See more from me