Malware made it into the Ubuntu App Center... again.

Vending Machine AI

So, did you hear about this? Vending machines are tracking you. It's true. According to a report by the University of Waterloo's mathNEWS, their on-campus M&M vending machines are apparently spying on their students and faculty.

In their investigation, mathNEWS reporter firstie found that the vending machine's owner Adaria Vending Services was not fully aware of the machine's capabilities in this regard. But the manufacturer of the machine, Invenda Solutions, said, quote:

The software conducts local processing of digital image maps derived from the USB optical sensor in real-time, without storing such data on permanent memory mediums or transmitting it over the Internet to the Cloud.

It is imperative to note that the Invenda Software does not possess the capability to recognize any individual’s identity or any other form of personal information.

So the owner of the vending machine says that they're not capable of "taking or storing image," yet it's clear that that's either uninformed or intentionally deceitful. I'd lean to the former as most people don't know how computers work, let alone the CEO of a vending machine business.

If we're to believe the manufacturer, the facial recognition is done locally and the quote "anonymized" reports are never sent over the web. But, give me a break. I mean, that just strains credulity.

This just goes to show that there are cameras everywhere and you can never be too cautious when it comes to preserving your privacy.

In my deep dive of this topic I stumbled across these glasses that are supposed to jam IR cameras. Pretty nifty. I want a pair of these. And, no, they're not a sponsor.

Google's embarrassing week

So Google has rolled out their new branding for their AI companion. And no, it's not Clippy, it's called Gemini. And, in Google's infinite wisdom, they've made their branding as confusing as possible.

CEO of Google Cloud Thomas Kurian said, quote:

We’re announcing Duet AI for Google Workspace will now be Gemini for Google Workspace. Consumers and organizations of all sizes can access Gemini across the Workspace apps they know and love.

To sum up the situation over at Google, here's a reply to that tweet:

Hey Thomas, can I pay for it with Google Pay in Google Wallet, which replaced Google Pay, which replaced Android Pay, formerly known as Google Wallet?

If not we can jump on a call and discuss billing. I'll send you an invite on Google Meet, the enterprise Google Chat, previously Duo, which replaced Allo, the replacement for Hangouts, the rebrand of +Hangouts, which replaced Talk and Voice.

Ohh. That hurts. And it's been yet another week of embarrassment for Google. Again, because of their AI nonsense.

Now, Google's Gemini did some pretty embarrassing stuff.

At the risk of appealing to the base urges of the ravenous teenage 4chaners who unironically use the term "woke mind virus," Google's AI exemplified how blindly applying ideology can backfire.

When asked to show pictures of the US Founding Fathers, Gemini showed a picture of a Native American. Which, hey, congrats on the lateral thinking. But then it appeared to show the off-Broadway cast of Hamilton. Which would be fine if that were the prompt. But it wasn't.

Yet it seemed that when asked to generate images of something like a Samurai or a Zulu warrior, it would generate the stereotypical ethnic figures.

So, naturally, some folks took to Xwitter to decry this as "woke gone too far," and some of them even turned it into a game.

Now, obviously, this is just wrongheaded. Like, yeah, it's worthwhile to have representation but not at the expense of historical accuracy. This is another example of Google not really being into trustworthiness anymore. They've got a modern track record of complying with foreign censorship regimes, intentionally undermining the usefulness of their search engine, and even shilling for malware.

However, this was enough of a publicity nightmare for them that they turned off image generation pretty quickly. And it's still not available.

US Energy Information Administration

So the US Energy Information Administration has initiated a survey of electricity consumption by cryptocurrency mining operations within the US, and I'm excited to see the results.

Beginning next week, the EIA will be sending out these surveys to commercial cryptocurrency miners and they will be required to respond with details of their energy usage.

About this survey, EIA Administrator Joe DeCarolis said, quote:

“We intend to continue to analyze and write about the energy implications of cryptocurrency mining activities in the United States. We will specifically focus on how the energy demand for cryptocurrency mining is evolving, identify geographic areas of high growth, and quantify the sources of electricity used to meet cryptocurrency mining demand.”

And I've gotta say, I think this is a great idea. I think we should collectively be trying to get a handle on this kind of digital counterfeiting technology and its impact on our economy.

Snap's got Malware

Alright, our main story today... at least one Snapcraft.io user had over half a million dollars in crypto stolen by a malicious app distributed through Canonical's Snap channels.

An app called Exodus, posing as a local crypto wallet, was published to the Snap store. It had a fresh look, the screenshots seemed professional, it had a clean logo and even some well-written marketing copy. It was apparently a repackage of a reputable crypto wallet.

So when Snapcraft forum user castle asked:

Can anyone tell if the Exodus wallet in Ubuntu’s software store is a scam? My wallet is empty after recovering and it shows a recent transaction of my entire balance sent to an address. I never made this transaction.

You can bet that it caught the attention of Alan Pope. Now, you may know Popey. He used to work for Canonical on the Snap team. But now, he's quote "Just a guy who wants... Snapcraft to be a success."

Notably, the Ubuntu "App Center" entry for this app showed a "Safe" badge with a "confirmed" subheading. One might reasonably mistake that to mean there was no risk in using this software. But that badge probably only indicates that no known malware signatures were detected.

So Popey, having once been part of the Snap team, decided to dig into the malicious software, and he found significant differences between the app distributed through the Snap store and the authentic app distributed through the official website.

First, the Snap version was built with Flutter while the authentic app is written in Electron. After further investigation, it looks like this app had a few red flags that violated Exodus's opsec: the scam app asked for the user's 12-word phrase to unlock the wallet, which Exodus explicitly says they would never do.

But this isn't the first time malicious software has been published on the Snapcraft store. In 2018, a non-consensual cryptominer was found hidden in a game and was sending crypto to a user going by myfirstferarri@protonmail.com. And there are several other scams like this, too.

In 2023, a fake version of Ledger Live was published to the store and a user lost about $10,000 worth of crypto.

So there's a problem with the Snap store. People are losing fake money. This guy lost 9 bitcoin due to this scam app. So what can be done?

Well, Mark Shuttleworth, the CEO of Canonical, has proposed a few ideas about how to address this issue.

One thing we could do is require a more comprehensive proof of publisher identity for every publisher. We could require a credit card, and we could integrate the sort of ‘know your client’ technology that app-based banks are using to verify some sort of ID such as a passport.

But I feel like that's over-engineering the problem.

How about requiring snap packages to provide proof of ownership? For example, the linked Git repo must match the contents of the snap, the publisher must add a DNS TXT record with a signature that proves they own their official domain, and the download page on that domain must carry some kind of hash of the Snap package.

Then, have real, human auditors research the app in question and check that these proofs are in place. It's not a perfect system.
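To make the proof-of-ownership idea concrete, here is an added example of what the auditor's check could look like. This is not code from the video, from Canonical, or from Snapcraft; the TXT record layout (`v=1; snap=<name>; sha256=<hex>; sig=<base64>`), the use of Ed25519 for the signature, and the `publishProof`/`verifyProof` names are all assumptions made for this illustration. The publisher hashes the exact snap bytes it uploaded, signs the snap name plus that hash, and publishes the result as a TXT record under its official domain; the fact that the record lives in the publisher's zone is what proves domain control, so the auditor only has to fetch it, hash the snap actually served by the store, and check that everything lines up. The sample snap bytes and the signing key are constructed in the code so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: stands in for the bytes of a downloaded .snap file.
var sampleSnap = []byte("constructed snap payload, not a real package")

// Hypothetical TXT record layout (an assumption for this example):
//   _snap-proof.<publisher-domain>  TXT  "v=1; snap=<name>; sha256=<hex>; sig=<base64 ed25519>"
// The signature covers the string "<name>|<hex>" so it binds the snap name to its contents.

// publishProof builds the TXT record value a publisher would add under its official domain.
func publishProof(snapName string, snapBytes []byte, priv ed25519.PrivateKey) string {
	digest := sha256.Sum256(snapBytes)
	hexDigest := hex.EncodeToString(digest[:])
	sig := ed25519.Sign(priv, []byte(snapName+"|"+hexDigest))
	return fmt.Sprintf("v=1; snap=%s; sha256=%s; sig=%s",
		snapName, hexDigest, base64.StdEncoding.EncodeToString(sig))
}

// parseProof splits the record into key/value fields and insists on the ones we need.
func parseProof(record string) (map[string]string, error) {
	fields := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2) // base64 padding may contain '='
		if len(kv) != 2 {
			return nil, errors.New("malformed field: " + part)
		}
		fields[kv[0]] = kv[1]
	}
	for _, k := range []string{"v", "snap", "sha256", "sig"} {
		if _, ok := fields[k]; !ok {
			return nil, errors.New("missing field: " + k)
		}
	}
	return fields, nil
}

// verifyProof is the auditor's check: the snap served by the store hashes to the published
// value, the record names the snap under review, and the signature verifies under the
// publisher's key. Resolving the record from DNS is outside this offline example.
func verifyProof(record, expectedName string, snapBytes []byte, pub ed25519.PublicKey) error {
	f, err := parseProof(record)
	if err != nil {
		return err
	}
	if f["v"] != "1" {
		return errors.New("unsupported proof version")
	}
	if f["snap"] != expectedName {
		return errors.New("record is for a different snap")
	}
	digest := sha256.Sum256(snapBytes)
	hexDigest := hex.EncodeToString(digest[:])
	if f["sha256"] != hexDigest {
		return errors.New("snap contents do not match the published hash")
	}
	sig, err := base64.StdEncoding.DecodeString(f["sig"])
	if err != nil {
		return errors.New("signature is not valid base64")
	}
	if !ed25519.Verify(pub, []byte(expectedName+"|"+hexDigest), sig) {
		return errors.New("signature does not verify under the publisher key")
	}
	return nil
}

// demoKey derives a fixed key pair from a constructed seed so the example is deterministic.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real publisher key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey()
	record := publishProof("exodus", sampleSnap, priv)
	fmt.Println("TXT record:", record)
	fmt.Println("genuine snap:", verifyProof(record, "exodus", sampleSnap, pub))

	// A repackaged snap with different bytes fails the hash check even though the
	// name, logo and screenshots in the store listing might look identical.
	tampered := append(append([]byte{}, sampleSnap...), []byte(" tampered")...)
	fmt.Println("tampered snap:", verifyProof(record, "exodus", tampered, pub))
}
```

The point of binding the name into the signed string is that a publisher's record for one snap cannot be reused to vouch for another; the point of hashing the store's copy rather than the publisher's upload is that the auditor checks what users actually receive.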

I'd love to hear your thoughts on this. Use your Mastodon or Peertube account to comment.

-- Chapters --
00:15 - Vending Machines are spying on us all
02:21 - Google renames Bard to Gemini, and it's embarrassing
03:32 - Google's AI misstep is yet another reputation ruiner
05:11 - US gov't issues mandatory survey for cryptocurrency miners
06:14 - Ubuntu's Snap repo featured malicious crypto wallet