[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Alex Satrapa grail at goldweb.com.au
Thu Jul 30 06:23:52 UTC 2015


On 30 Jul 2015, at 16:05, James Ring <sjr at jdns.org> wrote:
> 
> The possibility that somebody out there is going to somehow
> modify the encrypted shell script response in-flight is just not a
> concern to me. Also I'd think Google has more to lose by publishing
> bad scripts than I do running them.

It won’t be Google that publishes the bad script. By definition the actor in the “Man in the Middle” attack is neither end of a presumably two-way conversation.

You *think* you’ve connected to Google, but the attacker poisoned your DNS so you’re actually connected to g00gle, and the script you’re piping into shell sets up a rootkit rather than an Internet cat picture archive.

Alex
