On Mon, 6 Feb 2017 09:26 am, Chris Angelico wrote:

> On Mon, Feb 6, 2017 at 9:07 AM, Steve D'Aprano
> <[email protected]> wrote:
>> As far as "regular backups", well, you're just not thinking deviously
>> enough. If I were to write a ransomware application, running as the
>> regular user, I would have the application encrypt files and emails just
>> a few at a time, over a period of many weeks, gradually increasing the
>> rate. By the time the victim has realised that their files have been
>> encrypted, their backups have been compromised too: you can restore from
>> backup, but you'll be restoring the encrypted version.
>>
>
> If you commit everything to git

git is not a synonym for "version control system". You're going to put the emails you send into subversion before hitting send? What about the emails you receive?

How about graphic and video designers? Just how well does hg cope with gigabytes of video data?

*Maybe* applications like LibreOffice could be integrated with VCS, and that's actually not a bad idea, but for binary files that can get costly. Yes, hard drives are big, but if every time you hit Ctrl-S on a 400K spreadsheet you end up with another copy, plus overhead, that adds up quickly. Not everyone is going to either want, or be able to, keep multiple years' worth of versioning data for all their content.

(Let's not forget that Android phones and tablets are Linux too. Some people use Android as their main, or only, computing platform, with relatively restricted resources. Not everyone has 10TB of storage on their computer.)

> and keep an eye on your diffs before you push,

Every time you push a file, you're going to check whether every other file in your home directory has changed?

> the encryption would have to be _extremely_ sneaky. For
> starters, it'd have to infect the 'git' command, so it has all the
> same protections other people have been talking about.

Not at all. All it would need to do is mess with the git database behind the scenes: when encrypting file X, delete all the diffs for X. Or simply corrupt the repository.

If people did this, then there would be an arms race with others writing software to repair the damage to the repository, or changing their backup regimen to include backing up the repo history (if you're not already doing this) but then the same problem applies: if the repo is corrupted subtly enough, you may not notice until the backups are all corrupted too.

And of course, sometimes backups don't work...

https://www.theregister.co.uk/2017/02/01/gitlab_data_loss/

> It'd need to
> somehow make the SHA1s match, or else simultaneously infect my system
> and wherever I'm pushing to (which is sometimes GitHub and sometimes
> my own server). So the first thing is to infect everyone's git so it
> accepts the corrupted files as well as the correct ones... AND it has
> to still be able to show diffs, or I'd notice it very quickly.

How will you notice?

You edit file "funny_video_about_a_cat.mp4" and push it into VCS. Meanwhile the malware encrypts "birthday_party_invites.doc", pushes it into the repo *as you*, and once the encrypted version is there, deletes all the past history for that file. Because the encrypted version is now in the repo, you won't notice the file has changed until you try to open it in the word processor. Which you might not do until your next birthday, a year from now.

Unless you make a habit of studying *in detail* the complete history of everything in the repo, *and* have a good enough memory to say "wait a minute, I didn't edit that file on November 16th, something is suspicious", a sufficiently sneaky and clever ransomware app will be able to subvert your VCS.

Of course, so long as there are millions of Windows users with no backups, there are easier fish to fry. But consider that not all malware is targeted at arbitrary people. "Advanced Persistent Threats" may be targeted at you specifically, for any value of "you".

> Is that still frightening complacency?

Talk is cheap -- do you actually push everything into VCS and regularly check it for corruption and unexpected changes, or are you just suggesting this is what you will do if and when such sneaky malware starts targeting Linux users?

Personally I'm not losing any sleep over this -- but that's because I am complacent, secure in the knowledge that I'm not important enough to have the sort of enemies that will build an APT against me, and that ordinary ransomware criminals have got easier targets to go after.

:-)

-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.

-- 
https://mail.python.org/mailman/listinfo/python-list
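
The thread turns on whether anyone would notice a file changing that they did not edit. As an added example (not code from either poster), here is a sketch of a work-tree audit that compares two content snapshots and flags unexpected changes, plus those whose byte entropy jumped toward 8 bits/byte. It assumes the earlier snapshot is stored where the user account cannot rewrite it; the function names, thresholds and sample files are hypothetical, and formats that are already compressed (such as .mp4) will only ever show up as "unexpected", never "suspect".

```python
import hashlib, math, os, tempfile
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def snapshot(root):
    """Map relative path -> (sha256, entropy) for each file under root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # audit the work tree, not the repo db
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # whole-file read keeps the sketch short
            snap[os.path.relpath(path, root)] = (hashlib.sha256(data).hexdigest(), entropy(data))
    return snap

def audit(old, new, expected=(), jump=1.5, floor=7.0):
    """Return (unexpected, suspect, missing) path lists.

    unexpected: content changed but the user did not list the file in `expected`
    suspect:    unexpected AND entropy rose by >= jump to >= floor (looks encrypted)
    missing:    present in the old snapshot, gone now
    """
    unexpected, suspect = [], []
    for path, (digest, ent) in sorted(new.items()):
        if path in old and old[path][0] != digest and path not in expected:
            unexpected.append(path)
            if ent >= floor and ent - old[path][1] >= jump:
                suspect.append(path)
    return unexpected, suspect, sorted(set(old) - set(new))

def demo():
    """Constructed scenario: one file edited on purpose, one silently replaced."""
    fake_cipher = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        write("birthday_party_invites.doc", b"Party at 3pm, bring cake.\n" * 200)
        write("notes.txt", b"first draft\n" * 50)
        before = snapshot(root)
        write("notes.txt", b"second draft\n" * 50)        # the edit the user knows about
        write("birthday_party_invites.doc", fake_cipher)  # constructed stand-in for encrypted bytes
        return audit(before, snapshot(root), expected={"notes.txt"})
```

Because it hashes the files themselves rather than trusting repository history, the comparison still works if the history for a file has been deleted or rewritten.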
