[clug] How you know your Free or Open Source Software Project is doomed to FAIL
grail at goldweb.com.au
Thu Jul 30 06:23:52 UTC 2015
On 30 Jul 2015, at 16:05, James Ring <sjr at jdns.org> wrote:
> The possibility that somebody out there is going to somehow
> modify the encrypted shell script response in-flight is just not a
> concern to me. Also I'd think Google has more to lose by publishing
> bad scripts than I do running them.
It won’t be Google that publishes the bad script. By definition the actor in the “Man in the Middle” attack is neither end of a presumably two-way conversation.
You *think* you’ve connected to Google, but the attacker poisoned your DNS so you’re actually connected to g00gle, and the script you’re piping into shell sets up a rootkit rather than an Internet cat picture archive.
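An added example, not part of the original message or thread: instead of piping a download straight into a shell, save it to a file, compare its SHA-256 with a digest obtained over a separate channel, and run it only on a match. The function names, the `example.invalid` URL and the placeholder digest are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run a downloaded script only if it matches a pinned digest.
# sha256_of and run_if_pinned are illustrative names, not from the thread.
#
# Intended use (URL and digest are placeholders):
#   curl -fsSLo install.sh https://example.invalid/install.sh
#   run_if_pinned install.sh <sha256-published-out-of-band>

# sha256_of FILE: print the lowercase hex SHA-256 of FILE using whichever
# common tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# run_if_pinned FILE EXPECTED_SHA256
# Returns the script's own exit status on a match, 3 on a digest mismatch,
# and 2 on usage or I/O errors. The file is never executed unless it matches.
run_if_pinned() {
    file=$1
    expected=$2
    [ -n "$file" ] && [ -n "$expected" ] || {
        echo "usage: run_if_pinned FILE SHA256" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Accept upper- or lower-case hex in the pinned value.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ -n "$actual" ] || { echo "could not hash $file" >&2; return 2; }

    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: refusing to run" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 3
    fi
    sh "$file"
}
```

The pinned digest only helps if it does not arrive over the same connection as the script itself.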