Malware Peddlers Are Now Hijacking Snap Publisher Domains

tl;dr: There’s a relentless campaign by scammers to publish malware in the Canonical Snap Store. Some gets caught by automated filters, but plenty slips through. Recently, these miscreants have changed tactics - they’re now registering expired domains belonging to legitimate snap publishers, taking over their accounts, and pushing malicious updates to previously trustworthy applications. This is a significant escalation.


Context

Snaps are compressed, cryptographically signed, revertable software packages for Linux desktops, servers, and embedded devices. They use standard security primitives in the Linux kernel alongside technology developed by Canonical for Ubuntu.


Migrating Two Factor Auth

I use a ton of services which either require or recommend 2FA as part of the authentication process. I used to use “Google Authenticator”, then more recently “Authenticator Plus”. However, Authenticator Plus seems to be no longer maintained. So while I have no problems with it, I think it is time to migrate to something else.

Step up, Aegis Authenticator, a free, open source authenticator app, available on the Play Store and F-Droid.

Migration was a cinch! Aegis can import the password-protected zip file backup exports created by Authenticator Plus. What I did was open Authenticator Plus, go to Menu -> Settings -> Backup & Restore -> Export as Text and HTML. I entered a unique password, which is used to encrypt the zip file in which the backup is put. Once I clicked “Ok” I then found somewhere to stash the zip file.


Password reset policy

At work people often come up to my desk and ask if they can get their password reset. I usually do this and tell them their new password. I’ve decided I’m missing a trick here. What I now do is this.

User: "Please reset my password"
Me: "Sure"
*tapety* *tap* *tap*
Me: "Right, your password is 'ubuntu'"
User: "Huh?"
Me: "Here, take this, it will help you"

I hand them an Ubuntu CD pack. They get to read the cover of the CD pack on the way back to their desk. Perfect.
