
Backdoored images downloaded 5M times finally removed from Docker Hub - rexbee
https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/
======
jacquesm
I would treat _every_ image on Docker Hub as though it is backdoored, mines
crypto and sends each and every bit that goes through it to the NSA. Call me
paranoid but unless the image was created by a trusted party (a party that
_you_ trust, not that someone else trusts) then there is no reason to assume
that it is friendly.

~~~
logicallee
Are you a kernel developer? If not then you have to trust whoever wrote your
kernel and how are you supposed to determine whether to do that or not?

All we have are some general heuristics here. "Trust" is too strong a word for
the relationship we have with the people writing and manufacturing our
software and hardware and for the chain of custody between them and us.

~~~
jacquesm
There is a large difference between trusting the developers of a kernel who
have earned that trust over many years versus trusting someone who threw
together a random binary and distributes it through a poorly curated service.

That's akin to installing randomly downloaded software from warezRus.com and
running it as root.

~~~
logicallee
>That's akin to installing randomly downloaded software from warezRus.com

All right, then say that. Say that you view Docker Hub like warezRus.com or a
site that opens in Chrome like this
[https://www.google.com/search?q=chrome+red+warning&tbm=isch](https://www.google.com/search?q=chrome+red+warning&tbm=isch)

Don't say that "unless the image was created by a trusted party (a party that
_you_ trust, not that someone else trusts) then there is no reason to assume
that it is friendly." That is going too far.

It's a continuum, but the "Okay, I'll run it" end of the continuum shouldn't
be something you "trust". It should be something you're willing to run. Like
everyone else, I'm typing this on a device that I shouldn't "trust". You
should replace your idea of parties you should "trust" with parties you are
willing to run something from. If Docker Images isn't one such party, then say
that.

~~~
jacquesm
You are conflating 'Docker Images' as one party and Joe Random user who
uploads his image to 'Docker Images'. They are not the same entity at all.

Assuming Docker Images has reasonable security and that someone who I trust
would upload a (signed by them) docker image to Docker Images then you could
download that image and use it _if_ you trust the uploader and their
signature.

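The rule above (only run an image from a party you are willing to run code from, and only the exact image that party published) can be enforced as a pull-time policy check. This is an added example, not code from the thread, from Docker or from Docker Hub; the `example-corp` namespace and the policy itself are assumptions, and `docker123321` is the uploader account named in the article.

```python
import re

# Publishers whose Docker Hub images this (hypothetical) organisation is willing
# to run: "library" is the namespace of official images, "example-corp" is an
# assumed, constructed namespace of its own.
TRUSTED_NAMESPACES = {"library", "example-corp"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split an image reference into registry, namespace, repo, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A ':' after the last '/' is a tag; a ':' before it belongs to a registry port.
    name, sep, last = ref.rpartition("/")
    if ":" in last:
        last, tag = last.split(":", 1)
    path = f"{name}/{last}" if sep else last
    parts = path.split("/")
    registry = "docker.io"
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    if len(parts) == 1:
        parts.insert(0, "library")  # bare 'nginx' means docker.io/library/nginx
    return {"registry": registry, "namespace": parts[0],
            "repo": "/".join(parts[1:]), "tag": tag, "digest": digest}


def check_reference(ref):
    """Return policy findings for one image reference; an empty list means allowed."""
    r = parse_reference(ref)
    findings = []
    if r["registry"] == "docker.io" and r["namespace"] not in TRUSTED_NAMESPACES:
        findings.append(f"untrusted Docker Hub publisher {r['namespace']!r}")
    if r["digest"] is None:
        findings.append("not pinned to a digest (publisher can repoint the tag)")
        if r["tag"] in (None, "latest"):
            findings.append("floating 'latest' tag")
    elif not DIGEST_RE.match(r["digest"]):
        findings.append("malformed digest")
    return findings


if __name__ == "__main__":
    # Constructed sample references: the article's uploader, an official image
    # without a digest, and a digest-pinned official image.
    for ref in ("docker123321/tomcat", "nginx:1.15", "nginx@sha256:" + "a" * 64):
        print(ref, "->", check_reference(ref) or "allowed")
```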
~~~
logicallee
You're saying something useful, but I just think the word "trust" at the end
is too strong.

How about instead of:

* you could download that image and use it _if_ you trust the uploader and their signature.

(your phrasing), what if instead you wrote:

* you could download that image and use it _if_ the developer seems technically competent and benevolent, or seems like they wouldn't be playing shenanigans, and you're sure that the developer is who they say they are (their reputation isn't being co-opted by someone else with a similar or fake name).

(perhaps what you mean), or:

* you could download that image and use it _if_ it is put up by some huge development team with a big brand to protect.

(if that's what you mean).

Basically there must be some more precise way to say what you mean. I just
don't think you're expressing the concept very precisely.

------
justinsaccount
At least the first image they talk about that references
[https://github.com/docker/hub-feedback/issues/1121](https://github.com/docker/hub-feedback/issues/1121) is
not "backdoored". As the title even says, it's a malicious image that mines a
cryptocurrency.

A backdoored image would be something like a 'nginx' or 'minecraft' image that
starts the server but also mines in the background.

It seems Ars added the "backdoor" bit when they should have kept it as just
"malicious".

------
LinuxBender
Also discussed here [1]

[1] [https://news.ycombinator.com/item?id=17303570](https://news.ycombinator.com/item?id=17303570)

------
everdev
> Last July and August one or more people used the Docker Hub account
> docker123321 to upload three publicly available images that contained
> surreptitious code for mining cryptocurrencies

> By the time Docker Hub removed the images, they had received 5 million
> “pulls.” A wallet address included in many of the submissions showed it had
> mined almost 545 Monero digital coins, worth almost $90,000

Not ethical, but I'm not sure it reaches the "malicious" level as I'm sure in
most cases the image was just using unused resources. It doesn't look like
there was a virus or any "backdoor", just a separate thread mining Monero.

~~~
jacquesm
Theft of resources is malicious.

~~~
pandasun
It's wrong, and possibly other things, but not malicious.

Malice: desire to inflict injury, harm, or suffering on another, either
because of a hostile impulse or out of deep-seated meanness.

[http://www.dictionary.com/browse/malice](http://www.dictionary.com/browse/malice)

