[comp.sources.d] GENERAL WARNING

scs@lokkur.dexter.mi.us (Steve Simmons) (09/28/90)

cedman@lynx.ps.uci.edu (Carl Edman) writes:
> Now, really: It is very easy to change particularly a program like
> a shell to e.g. put the name of a non-backtraceable account into the
> .rhosts file and then send mail to it to inform the hacker that
> he has just gotten a new account. Maybe even a su account ?

demon@ibmpcug.co.uk (Cliff Stanford) replies:
>	You mean that if that were included in the source to a
>large program (ELM, for instance) you'd notice it was there
>before compiling it?  I doubt I would.

I wouldn't either, but to a great degree I'm depending on the collective
benefit of the net.  Were there a trapdoor buried in elm or some other
commonly used code from the net, there's a good chance that *somebody*
will notice it fast.  And woe to the person who got caught doing it!

Of course, this is another reason I'm more likely to blindly compile
stuff from comp.sources.{misc,unix} than alt.sources.

tneff@bfmny0.BFM.COM (Tom Neff) (09/28/90)

It's true that freely exchanged executable binaries are a terrific
virus/Trojan vector.  This is a lesson people in the PC world (well,
SOME people) learned a long time ago.  The apparent convenience of
pre-compilation is so alluring that it obscures the risks.

That's one reason why distributing most binaries via Usenet news is a
sucky idea.  But nobody is acting very worried about the burgeoning
trade in anon-FTP binaries.  Personally I wouldn't touch anything
UPLOADED to an FTP site by some other anonymous user.  I wouldn't worry
so much about using stuff which the original author, or his responsible
representative, makes available at a primary distribution site --
because there is some implicit accountability.

However, forgeries and FTP hacking are possible and people should
exercise vigilance, even within their own sites.  Suppose I uploaded a
Trojan horse program (which masqueraded as graphic shuttle tracking
software) to some NASA site and then forged a Usenet announcement
telling everyone this wonderful new program was available for FTP.
Almost nobody would question the bona fides of either the article or the
program.  The program could propagate widely and wreak havoc, and
tracing me would be a fair piece of work.

It'll probably take a couple of real nasty incidents (don't look at me!)
to wise people up.  It did in the PC world.

-- 
To exit --          [__]   Tom Neff
    press <Enter>.  [__]   tneff@bfmny0.BFM.COM

shields@yunexus.YorkU.CA (Paul Shields) (09/30/90)

scs@lokkur.dexter.mi.us (Steve Simmons) writes:
>I wouldn't either, but to a great degree I'm depending on the collective
>benefit of the net.  Were there a trapdoor buried in elm or some other
>commonly used code from the net, there's a good chance that *somebody*
>will notice it fast.  And woe to the person who got caught doing it!

So how long did it take the net to discover that GNU Emacs installed
itself as world writable?

Yes, it seems it did this "out-of-the-box" back in 1988 when a
colleague of mine stumbled across it.  The biggest security hole
he had ever seen, he said.

P.
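
Two checks that follow from this thread, as an added example that is not code from any of the posters: a scan of an install tree for world-writable files and directories (the GNU Emacs problem Paul Shields describes), and a comparison of a .rhosts file against a hand-kept list of hosts you actually expect (the planted-entry backdoor Carl Edman describes). The directory layout, file names, host names and allow-list file are constructed for the demonstration; nothing here is taken from a real Emacs distribution.

```shell
#!/bin/sh
# Added example, not from the thread. Automates two audits the posts imply:
#   1. find anything under an install prefix that is world-writable;
#   2. flag .rhosts entries whose host is not on an explicit allow-list.
# All paths and host names are constructed for the demo.

# Print every file or directory under $1 with the world-write bit set,
# one per line, sorted. Symlinks are skipped (their mode is meaningless).
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null | sort
}

# Print every non-comment line of the .rhosts file $1 whose first field
# (the host) does not appear as a whole line in the allow-list file $2.
# A trust entry for an unknown host is exactly what a planted backdoor
# would look like, so every such line deserves a human look.
unexpected_rhosts() {
    rhosts=$1
    allowed=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        host=${line%% *}                  # host is the first field
        if ! grep -qxF -- "$host" "$allowed"; then
            printf '%s\n' "$line"
        fi
    done < "$rhosts"
}

# Build a constructed install tree containing one world-writable file and
# one world-writable directory, plus a .rhosts with one unexpected host.
# Prints the temporary directory so callers can run the checks against it.
build_demo_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/lib/emacs" "$dir/bin"
    printf 'binary\n' > "$dir/bin/emacs"
    chmod 0755 "$dir/bin/emacs"                    # correct: not world-writable
    printf '(setq site-init t)\n' > "$dir/lib/emacs/site-init.el"
    chmod 0666 "$dir/lib/emacs/site-init.el"       # the hole: anyone can edit startup code
    chmod 0777 "$dir/lib/emacs"                    # and anyone can replace files in it
    printf 'trusted.example.com alice\n# comment line\nmystery.example.net root\n' \
        > "$dir/rhosts"
    printf 'trusted.example.com\n' > "$dir/allowed-hosts"
    printf '%s\n' "$dir"
}

# Usage: `sh audit.sh demo` runs both checks against the constructed tree.
if [ "${1:-}" = "demo" ]; then
    d=$(build_demo_tree) || exit 1
    echo "world-writable under $d:"
    find_world_writable "$d"
    echo "rhosts entries for hosts not on the allow-list:"
    unexpected_rhosts "$d/rhosts" "$d/allowed-hosts"
    rm -rf "$d"
fi
```

Run `find_world_writable` against the prefix you just `make install`ed into before telling anyone the package is ready; it is the one-line check that would have caught the Emacs problem at install time rather than whenever a colleague stumbled across it. The .rhosts check assumes the allow-list is kept by hand and outside the install tree, since a backdoor that can append to .rhosts could just as easily append to a list stored beside it.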