Not the first time this has happened, but recently the Snap store from Canonical hosted a scam bitcoin app that claimed to be "Exodus wallet" that caused a user to lose money.
Posting on the Snapcraft forum an unfortunate user noted their wallet has been emptied after using it, and a day later a Canonical staffer mentioned it had now been removed and they were investigating the incident.
Mark Shuttleworth, CEO of Canonical, has now jumped into the discussion in another forum post to note that while "cryptocurrency is largely a cesspit of ignoble intentions even if the mathematics are interesting", Shuttleworth doesn't think that "banning cryptocurrency apps helps" as "If anything, it would make using Linux much worse.".
Additionally, Shuttleworth also opened an additional forum post to discuss requiring "more comprehensive proof of publisher identity for every publisher" for Snaps. So if you have good ideas for them to implement, to make Snap publishing more secure - drop a reply in the linked post.
Hopefully Canonical come up with a good solution, because repeating issues like this reflect pretty poorly on Snap, Canonical and Ubuntu.
Alan Pope (formerly of Canonical, now Axiom) wrote up two blog posts on it "Exodus Bitcoin Wallet: $490K Swindle" and the follow-up "Exodus Bitcoin Wallet: Follow up 2.0" that you may want to read for a little more background.
Article taken from GamingOnLinux.com.
1. mark any snap that has been uploaded by any one that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make shore the snap dose not contain malicious code
3. all snaps need to be randomly checked to make shore the snap dose not contain malicious code
Quoting: MadWolfi know a way that can fix this problem but it may be easier said than done
1. mark any snap that has been uploaded by any one that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make shore the snap dose not contain malicious code
3. all snaps need to be randomly checked to make shore the snap dose not contain malicious code
Well it is how to perform #2 and #3 that is the question, not that it should be done, but how. AFAIK they are closed source.
Trustworthy international financial services.
I only see 3 real solutions to this issue they could try.
1. Find 1+ less scammy open source projects providing crypto wallets and just make theirs the only ones on your store.
2. one build the wallet yourself and make it the only one on your store.
3. obtain the cd containing the program personally at the producer's house and inspect their id-cart.
3 is basically how it is done for every individual intra european banking customer, which also shows its weakness. This is the level the EU checks consumers not banks. Snap simply doesn't have the recources to do that for proprietary apps.
Last edited by LoudTechie on 23 February 2024 at 8:41 pm UTC
pleasereadthemanual Feb 24
Quoting: Purple Library GuyI'm not sure I understand the problem. Was this not the behaviour he was expecting? Is the problem that the crypto app stole his money instead of the exchange doing it?I'm reading Tracers in the Dark at the moment. I'm up to the part where Mt. Gox lost 500,000 bitcoins (every single Bitcoin they were entrusted with), managed to find 200,000 from an old wallet, and the rest remains lost.
Cryptocurrency exchanges (huge ones) have fallen again and again over the years.
If you're going to hold a lot of cryptocurrency, you want to hold that in a private wallet... ironically, you might be better at protecting it yourself than these exchanges with so many resources.
And I wouldn't trust just any store. Get the wallet software directly from the developer.
This is something AppImage is best suited for, actually...
Quoting: GuestYep, this ^^^^!Quoting: SzkodnixOh no!
Anyway speaking of Flatpak...
I use mostly snaps and very few flatpaks because Snapcraft is way ahead of Flathub in terms of verified (mainstream-ish) apps. Unverified apps should always have a big fat warning sign.
Quoting: TuxeeQuoting: ShabbyXHappy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.
Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...
I don't know nothing about using crypto currencies, but I found these apps e.g.:
https://packages.debian.org/bookworm-backports/electrum
https://packages.debian.org/bookworm/monero
https://packages.debian.org/sid/dogecoin
Quoting: EikeAh yes, Dogecoin. The most sensible of the crypto IMO. After all, it's perfectly reasonable for the ruler of Venice to be issuing coinage.Quoting: TuxeeQuoting: ShabbyXHappy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.
Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...
I don't know nothing about using crypto currencies, but I found these apps e.g.:
https://packages.debian.org/bookworm-backports/electrum
https://packages.debian.org/bookworm/monero
https://packages.debian.org/sid/dogecoin
Spoiler, click me
Last edited by Purple Library Guy on 24 February 2024 at 6:26 pm UTC
soulsource Feb 26
Quoteif you have good ideas for them to implementThey could have a dedicated maintainer for each package, who is responsible for building the package from source, and who is accountable in case the package contains malware. They could set up a system like this: https://wiki.debian.org/Maintainers
Oh, wait...
Patreon
PayPal
See more from me