tneff@bfmny0.BFM.COM (Tom Neff) (09/28/90)
It's true that freely exchanged executable binaries are a terrific virus/Trojan vector. This is a lesson people in the PC world (well, SOME people) learned a long time ago. The apparent convenience of pre-compilation is so alluring that it obscures the risks.

That's one reason why distributing most binaries via Usenet news is a sucky idea. But nobody is acting very worried about the burgeoning trade in anon-FTP binaries.

Personally I wouldn't touch anything UPLOADED to an FTP site by some other anonymous user. I wouldn't worry so much about using stuff which the original author, or his responsible representative, makes available at a primary distribution site -- because there is some implicit accountability.

However, forgeries and FTP hacking are possible and people should exercise vigilance, even within their own sites. Suppose I uploaded a Trojan horse program (which masqueraded as graphic shuttle tracking software) to some NASA site and then forged a Usenet announcement telling everyone this wonderful new program was available for FTP. Almost nobody would question the bona fides of either the article or the program. The program could propagate widely and wreak havoc, and tracing me would be a fair piece of work.

It'll probably take a couple of real nasty incidents (don't look at me!) to wise people up. It did in the PC world.

--
To exit --        [__]  Tom Neff
press <Enter>.    [__]  tneff@bfmny0.BFM.COM

shields@yunexus.YorkU.CA (Paul Shields) (09/30/90)
scs@lokkur.dexter.mi.us (Steve Simmons) writes:
>I wouldn't either, but to a great degree I'm depending on the collective
>benefit of the net. Were there a trapdoor buried in elm or some other
>commonly used code from the net, there's a good chance that *somebody*
>will notice it fast. And woe to the person who got caught doing it!

So how long did it take the net to discover that GNU Emacs installed itself as world writable? Yes, it seems it did this "out-of-the-box" back in 1988 when a colleague of mine stumbled across it. The biggest security hole he had ever seen, he said.

P.
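
A check for the kind of install-time permission problem mentioned in the post above, as an added example that is not part of the original thread or of any project named in it. The helper name `audit_world_writable` and the staging tree it scans are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit an install tree for entries
# that any local user could modify.

# audit_world_writable DIR   (hypothetical helper name)
# Prints "FILE <path>" for world-writable regular files and "DIR <path>" for
# world-writable directories that lack the sticky bit.
# Returns 0 if clean, 1 if anything was found, 2 if DIR is not a directory.
audit_world_writable() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_world_writable: not a directory: $root" >&2
        return 2
    fi
    findings=$(
        # o+w on a regular file: any user can overwrite its contents.
        find "$root" -type f -perm -0002 -print | sed 's/^/FILE /'
        # o+w on a directory without the sticky bit: any user can add,
        # rename or delete entries, including files they do not own.
        find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | sort
    return 1
}

# Constructed sample: a staging tree standing in for a freshly installed package.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/lib" "$demo/lock"
chmod 755 "$demo/bin"
: > "$demo/bin/tool";    chmod 755 "$demo/bin/tool"
: > "$demo/lib/site.el"; chmod 666 "$demo/lib/site.el"   # world-writable file
chmod 777  "$demo/lib"     # world-writable directory, no sticky bit
chmod 1777 "$demo/lock"    # sticky, /tmp-style: not reported

if audit_world_writable "$demo"; then
    echo "install tree is clean"
else
    echo "world-writable entries found; fix modes before trusting this tree"
fi
rm -rf "$demo"
```

Installing into a staging directory first and running the audit there catches bad modes before they reach a shared system.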