[clug] How you know your Free or Open Source Software Project is doomed to FAIL

James Ring sjr at jdns.org
Thu Jul 30 06:30:40 UTC 2015


On Wed, Jul 29, 2015 at 11:23 PM, Alex Satrapa <grail at goldweb.com.au> wrote:
> On 30 Jul 2015, at 16:05, James Ring <sjr at jdns.org> wrote:
>>
>> The possibility that somebody out there is going to somehow
>> modify the encrypted shell script response in-flight is just not a
>> concern to me. Also I'd think Google has more to lose by publishing
>> bad scripts than I do running them.
>
> It won’t be Google that publishes the bad script. By definition the actor in the “Man in the Middle” attack is neither end of a presumably two-way conversation.
>
> You *think* you’ve connected to Google, but the attacker poisoned your DNS so you’re actually connected to g00gle, and the script you’re piping into shell sets up a rootkit rather than an Internet cat picture archive.

Well, they'd have to poison the DNS and also convince one of the
certificate authorities trusted by wget to issue an SSL certificate
with Google's name on it to the attacker.

> Alex
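As an added illustration of the mitigation the two posters are circling around (this is example code, not something from the thread or from either poster), the script below fetches an install script with wget's certificate verification left on, writes it to disk instead of piping it straight into sh, compares its SHA-256 to a digest obtained out of band, and only then executes it. Assumptions: wget 1.16 or newer (for `--https-only` and `--secure-protocol`), a `sha256sum` or `shasum` binary, and a placeholder URL and digest that you would replace with real values.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Fetches a script over HTTPS
# with TLS verification enforced, checks its SHA-256 against a digest supplied
# out of band, and only then runs it. URL and digest below are placeholders.

set -eu

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest equals the expected digest, 1 otherwise.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Download with TLS verification enforced. --https-only refuses any plain-http
# redirect, --secure-protocol rules out old protocol versions, and wget's
# default certificate check (never pass --no-check-certificate) rejects a
# server whose certificate does not chain to a trusted CA for the hostname
# requested. Poisoned DNS alone therefore yields a failed download, not a
# rootkit; the attacker also needs a certificate a trusted CA will vouch for.
fetch_verified() {
    url="$1"; out="$2"
    wget --https-only --secure-protocol=TLSv1_2 -O "$out" "$url"
}

# Fetch, verify, then run. The script is never piped straight into sh, so a
# mismatch between what was published and what arrived is caught before
# anything executes.
fetch_verify_run() {
    url="$1"; expected="$2"
    tmp="$(mktemp)"
    fetch_verified "$url" "$tmp"
    if verify_sha256 "$tmp" "$expected"; then
        sh "$tmp"
    else
        echo "checksum mismatch for $url; refusing to run" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Usage with placeholder values (replace both before use):
#   fetch_verify_run https://example.invalid/install.sh <expected-sha256-hex>
```

The digest has to come from somewhere other than the download itself (a project web page, a signed release note, a package manager's metadata); a checksum fetched over the same channel as the script adds nothing if that channel is the one being tampered with.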
