[sf-lug] "RANSOM VIRUS" ATTACHED TO WEB SITE?

acohen36 acohen36 at SDF.ORG
Thu Jun 8 10:19:31 PDT 2017


Quoting Rick Moen <rick at linuxmafia.com>:
> So, I'm guessing you have been adding at least this if not also
> other software from who-knows-where that was not packaged by your
> Linux distribution (Ubuntu).

While maybe not _directly_ related to Mikki's Startpage FF/IW Add-on 
"Ransom Virus", I'm wondering whether the similar advice for Debian Linux 
at 'DontBreakDebian' wiki.debian.org/DontBreakDebian applies here as 
well??

From what I've read related to this, I think there have been similar 
heightened concerns about using Personal Package Archives (PPA's) 
_specifically_ on Ubuntu and its derivatives.
E.g., see 
askubuntu.com/questions/35629/are-ppas-safe-to-add-to-my-system-and-what-are-some-red-flags-to-watch-out-for


Quoting Rick Moen <rick at linuxmafia.com>:
> I'm not going to mince words, here:  The real problem is the underlying 
> bad judgement shown by anyone ignoring the protection of Linux 
> distribution gatekeeping and installing software recklessly from 
> untrustworthy non-distro sources. Don't.  Do.  That.  (Not you, Michael, 
> but the upthread poster and reckless software users generally.)
> ...
> ...
> I'm going to close here with a cautionary footnote I published at the 
> bottom of an author's article in the late monthly magazine _Linux 
> Gazette_, because the author had blithely recommended ignoring one's 
> distribution package regime and installing 'upstream' software from 
> coders' Web sites:
> 
> http://linuxmafia.com/~rick/weatherwax.html#1

On "reckless" and "upstream" software installation vis a vis _Ubuntu's_ 
PPA's, I see that the webpage caution at 'Avoid 10 fatal mistakes in Linux 
Mint and Ubuntu' at 
sites.google.com/site/easylinuxtipsproject/fatalmistakes#TOC-Be-very-careful-with-external-repositories-like-PPA-s-and-with-external-.deb-files 
even _specifically_ states:

~~ quoting ~~~

Be very careful with external repositories (like PPA's) and with external 
.deb files

1. Software from third-party repositories (like PPA's) and external .deb 
installers, is untested and unverified. Therefore it may damage the 
stability, the reliability and even the security of your system. It might 
even contain malware....

Furthermore, you make yourself dependent on the owner of the external 
repository, often only one person, who isn't being checked at all. By 
adding a PPA to your sources list, you give the owner of that PPA in 
principle full power over your system!

Therefore only use a PPA when you really (really!) have no acceptable 
alternative. Or when you're a tester for a particular piece of software 
(which you should only be doing on a non-essential test computer).

PPA's are a mixed blessing, to say the least. If used wisely and very 
restrictively, PPA's can occasionally be of great help. But used 
carelessly, they're for Linux what the bubonic plague was for the Middle 
Ages....

~~~~~~~~~~~~~~

AFAICT, this 'Avoid 10 fatal mistakes in Linux Mint and Ubuntu' caution 
follows the same track as Rick M's cautionary footnote in _Linux Gazette_.

-A


acohen36 at sdf.org
SDF Public Access UNIX System - http://sdf.org
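
An added example, not part of the original message: a shell function that reads one-line-format APT source entries and reports every active entry served from a host outside the distribution's own archives, which is where a PPA or other external repository shows up. The TRUSTED_HOSTS list and the sample entries are assumptions constructed for illustration; deb822-style `.sources` files are not handled.

```shell
#!/bin/sh
# Hosts treated as the distribution's own archives (assumption: adjust to your mirrors).
TRUSTED_HOSTS="archive.ubuntu.com security.ubuntu.com deb.debian.org security.debian.org"

# Reads one-line-format sources.list entries on stdin and prints
# "<host> <suite> <type>" for every active entry whose host is not trusted.
list_third_party_sources() {
    awk -v trusted="$TRUSTED_HOSTS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }  # ignore anything that is not a source entry
        {
            # Skip the optional [option=value ...] field, which may contain spaces.
            f = 2
            if ($f ~ /^\[/) { while (f <= NF && $f !~ /\]$/) f++; f++ }
            uri = $f; suite = $(f + 1)
            host = uri
            sub("^[a-z+]+://", "", host)         # strip the scheme
            sub("[/:].*$", "", host)             # strip path and port
            # Country mirrors such as us.archive.ubuntu.com count as the distro archive.
            base = host; sub("^[a-z][a-z][.]", "", base)
            if (!(host in ok) && !(base in ok)) print host, suite, $1
        }'
}

# Constructed sample input (not taken from any real system).
sample_sources() {
    cat <<'EOF'
deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricted
deb http://security.ubuntu.com/ubuntu xenial-security main
# deb http://ppa.launchpad.net/disabled/ppa/ubuntu xenial main
deb http://ppa.launchpad.net/someuser/ppa/ubuntu xenial main
deb [arch=amd64 signed-by=/usr/share/keyrings/x.gpg] https://example.invalid/apt stable main
EOF
}

# On a real system, feed it the configured sources instead:
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | list_third_party_sources
sample_sources | list_third_party_sources
```

Each line it prints is a repository whose owner can ship packages to the machine, so each one is worth a conscious keep-or-remove decision.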


