Xref: utzoo alt.security:1635 alt.sources.d:920 comp.sources.d:5839 Path: utzoo!utgpu!cs.utexas.edu!know!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!uunet!bfmny0!tneff From: tneff@bfmny0.BFM.COM (Tom Neff) Newsgroups: alt.security,alt.sources.d,comp.sources.d Subject: Re: GENERAL WARNING Message-ID: <15891@bfmny0.BFM.COM> Date: 28 Sep 90 05:50:05 GMT References: <1990Sep26.234214.338@ibmpcug.co.uk> <1990Sep27.235630.12945@lokkur.dexter.mi.us> Reply-To: tneff@bfmny0.BFM.COM (Tom Neff) Followup-To: alt.security Lines: 28 It's true that freely exchanged executable binaries are a terrific virus/Trojan vector. This is a lesson people in the PC world (well, SOME people) learned a long time ago. The apparent convenience of pre-compilation is so alluring that it obscures the risks. That's one reason why distributing most binaries via Usenet news is a sucky idea. But nobody is acting very worried about the burgeoning trade in anon-FTP binaries. Personally I wouldn't touch anything UPLOADED to an FTP site by some other anonymous user. I wouldn't worry so much about using stuff which the original author, or his responsible representative, makes available at a primary distribution site -- because there is some implicit accountability. However, forgeries and FTP hacking are possible and people should exercise vigilance, even within their own sites. Suppose I uploaded a Trojan horse program (which masqueraded as graphic shuttle tracking software) to some NASA site and then forged a Usenet announcement telling everyone this wonderful new program was available for FTP. Almost nobody would question the bona fides of either the article or the program. The program could propagate widely and wreak havoc, and tracing me would be a fair piece of work. It'll probably take a couple of real nasty incidents (don't look at me!) to wise people up. It did in the PC world. -- To exit -- [__] Tom Neff press . [__] tneff@bfmny0.BFM.COM