[TUTORIAL] Basic Computer Security [9]

in #technology, 7 years ago (edited)




Now let’s look at the application level: what measures can be taken to decrease the risk in the application space?


Read the previous episodes if you have just tuned in:

So we now have a theoretically safe kernel. We should use open-source applications, and we should not rely on 3rd-party tools like an anti-virus to keep us safe, but instead change our behavior to a more responsible one in order to avoid malware.




So these are the ways you should obtain applications:


1) [EASY] Download applications only from a trusted source:

This means a trusted repository supplied with a GPG key. Most Linux distros use either the Ubuntu repository or the Debian repository. I don’t think using any other custom repository is a good idea. Just because the software is open source doesn’t mean that the repository can’t be hacked and the software replaced with a malicious version. Furthermore, there are plenty of closed-source apps available in them as well, so there is no way to know which apps are closed or open source unless you verify them one by one, which might be boring but could improve security.

To add the Debian repository as a source of apps to your system, just add the following lines to the software sources:

deb  http://deb.debian.org/debian stretch main
deb-src  http://deb.debian.org/debian stretch main

deb  http://deb.debian.org/debian stretch-updates main
deb-src  http://deb.debian.org/debian stretch-updates main

deb http://security.debian.org/ stretch/updates main
deb-src http://security.debian.org/ stretch/updates main


Debian to my knowledge only has open source apps in its repository. The lines above are for Debian 9 “stretch”; for future Debian versions, replace “stretch” with the codename of that version.


2) [MEDIUM] Download trusted applications from any source but verify them:

This means verifying their GPG signatures against the public keys of their authors to make sure that the software is genuine and made by the author, and not altered by a 3rd-party hacker:


3) [HARD] Build all applications from the source:

This is the most complicated way, not impossible, but I frequently run into problems when I compile apps so this is certainly for advanced Linux users only.

To compile an application in Linux you need the gcc compiler, since most apps are written in C/C++. Of course, Python is the other popular programming language in Linux, but you don’t need to compile Python; it runs from the source.

So make sure you install the following:

sudo apt-get install gcc
sudo apt-get install build-essential



These are the compiler and the essential packages required for most applications. The software might have more dependencies, in which case packages like the following need to be installed as well:

sudo apt-get install libncurses5-dev
sudo apt-get install qtbase5-dev


To compile software (especially if it’s from GitHub, in that format), enter:

./configure

This will execute the configuration script, which checks your system and tunes the application for it.

make check

This will test whether all dependencies are met and return an error otherwise, but it only works if the makefile is in the correct format.

make

This will compile the software into a binary executable file. If all dependencies are met and no errors come up, you can already use it on the go, like a portable app.

Or, if you want to install it (this also requires admin access), run:

sudo make install

Now if everything goes well, the app will be compiled and/or installed. But most of the time some error comes up, like gcc being configured incorrectly or not finding a path, or things like that. It can be a pain in the ass to configure the compiler.

The other day I tried to compile a cryptocurrency software, but without much luck, so really it’s very complicated; even I struggle most of the time.


The other problem is that the compiler doesn’t build deterministically.

So if you successfully compile the binary from the source and compare it to the binary that the developers published, most of the time it won’t match. Now don’t worry, there is no malware there; it’s just how the compiler system is set up.

In most cases it hardcodes the date and a few parameters into the binary, so even if the code matches bit-by-bit, it will never compile the same binary with the same SHA256 hash twice. This is a problem because you have no way of checking whether your binary was compiled correctly, since every time you compile it, you get a different file. It’s a pain in the ass, but the compiler can be configured to produce the same output every time.
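To make the timestamp problem concrete, here is an added example (not from the original post) that uses a tar archive as a stand-in for the compiler output: the embedded build time changes the SHA256 hash, and pinning it makes the hash repeatable. `SOURCE_DATE_EPOCH` is the reproducible-builds convention for pinning that time and is not mentioned in the original post; the source files are constructed.

```python
import hashlib
import io
import os
import tarfile
import time

# Constructed sample "source tree" for the illustration.
SOURCES = {"src/main.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}

def build_archive(files, mtime):
    """Pack files into a tar archive; every member header records `mtime`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):            # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime                # the embedded "build date"
            info.mode = 0o644
            info.uid = info.gid = 0           # no builder-specific ownership
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def build_time(environ=os.environ):
    """Use SOURCE_DATE_EPOCH when it is set, otherwise the wall clock."""
    epoch = environ.get("SOURCE_DATE_EPOCH")
    return int(epoch) if epoch is not None else int(time.time())

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def demo():
    # Two builds of identical sources, one minute apart: the hashes differ.
    naive_a = sha256(build_archive(SOURCES, 1500000000))
    naive_b = sha256(build_archive(SOURCES, 1500000060))
    # Both builders pin the same timestamp: the hashes match.
    pinned = {"SOURCE_DATE_EPOCH": "1500000000"}
    repro_a = sha256(build_archive(SOURCES, build_time(pinned)))
    repro_b = sha256(build_archive(SOURCES, build_time(pinned)))
    return naive_a != naive_b, repro_a == repro_b

if __name__ == "__main__":
    differs, repeatable = demo()
    print("unpinned builds differ:", differs)
    print("pinned builds identical:", repeatable)
```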

Furthermore, there are special methods that build deterministic software from source, the way the Bitcoin software is built. Take a look at how complicated its build process is:



Conclusion


So the best way to get apps is to just download the source code, inspect it for bugs and build it yourself with a compiler downloaded from a trusted source. However, this is painfully complicated, and most people won’t do this.

So the next best thing is either to download it from a trusted repository verified by a GPG key, or to download it from the web and verify the software itself.

So read this tutorial for that:

Also this GPG key list might be helpful as a reference:

So you really need to verify every piece of software against at least a SHA256/512 sum, but preferably against a GPG key.

If you only use a SHA256 digest, that is less secure, since it proves the integrity of the file but not the ownership. If a hacker hacks the website you download your app from, he can easily just put a SHA256 digest there that matches his malicious file.

So you have to verify both the integrity and the identity of the uploaded file, which is why a GPG key is used. The software is signed with the key of the developer, which proves that the software was made by the developer, even if the website gets hacked.
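The difference between a digest and a signature described above, as an added example that is not part of the original post: a tampered file passes a SHA256 check when the digest comes from the same hacked site, and is rejected only against a digest obtained through an independent channel. The file name and contents are constructed for the illustration.

```python
import hashlib
import hmac
import string

def parse_sha256sums(text):
    """Parse sha256sum output: 64 hex chars, a space, ' ' or '*', then the name."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, mode, name = line[:64], line[64:66], line[66:]
        if (len(digest) != 64 or not set(digest) <= set(string.hexdigits)
                or mode not in ("  ", " *") or not name):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def digest_matches(data, name, sums_text):
    """True only if `name` is listed and its digest equals SHA256(data)."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False  # a file missing from the list is never accepted
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)

def sums_line(data, name):
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"

# Constructed sample data: hypothetical file name and contents.
NAME = "app-1.0.tar.gz"
GENUINE = b"genuine release contents\n"
TAMPERED = b"genuine release contents\n# plus the attacker's changes\n"
INDEPENDENT_SUMS = sums_line(GENUINE, NAME)   # obtained before the site was hacked
HACKED_SITE_SUMS = sums_line(TAMPERED, NAME)  # attacker replaced file AND digest

def demo():
    return {
        "tampered file vs digest from hacked site": digest_matches(TAMPERED, NAME, HACKED_SITE_SUMS),
        "tampered file vs independent digest": digest_matches(TAMPERED, NAME, INDEPENDENT_SUMS),
        "genuine file vs independent digest": digest_matches(GENUINE, NAME, INDEPENDENT_SUMS),
    }

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'REJECTED'}")
```

A GPG signature closes the gap in the first case because the attacker who controls the website does not hold the developer's private key.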



Chicken and the Egg Problem

So you need to verify your applications on a clean OS, but in order to have a clean OS you need to verify that first before burning it to a DVD. So it’s a chicken and the egg problem.

How do you verify the integrity of your OS if you must have a trusted OS in order to verify any downloaded file?

It is a problem, and there is no easy solution for this, but it’s always best to assume the worst-case scenario: that your current OS is compromised.

So you either buy a new computer that you will use just for verification of software, or just go and borrow your friend’s, spouse’s or neighbor’s computer for 15 minutes to verify your file on it.

Essentially you can burn the OS to a DVD on the potentially compromised machine, and then go over to your neighbor and verify the DVD’s integrity on his computer. Since the DVD can’t be overwritten after burning, if the integrity matches on both computers then it’s highly unlikely that the software was compromised during the burning.

Basically you can verify it on as many machines as you need if you are paranoid. Especially if you are setting up something like a cold-storage system to keep your cryptocurrencies safe, you really want to make sure that the software you will use is not malware.

My solution to this is described here:

Other than verifying the software rigorously, there is nothing else to be done.




Nice informative post thanks for sharing
