Path: utzoo!utgpu!water!watmath!clyde!bellcore!faline!thumper!ulysses!andante!princeton!udel!gatech!ncar!ames!oliveb!pyramid!octopus!pete From: pete@octopus.UUCP Newsgroups: news.admin Subject: Re: Malicious posting worries (was re: A counter-example...) Message-ID: <271@octopus.UUCP> Date: 1 Jul 88 04:50:51 GMT References: <266@octopus.UUCP> <11518@agate.BERKELEY.EDU> Reply-To: pete@octopus.UUCP (Pete Holzmann) Organization: Octopus Enterprises, Cupertino CA Lines: 81 In article <11518@agate.BERKELEY.EDU> weemba@garnet.berkeley.edu writes: >[I wrote...] >> 1) Booby traps are extremely rare. As far as I know, no posting >> in ANY binary or source group has ever been booby trapped. >Not quite. [April Fools' example...] Hmmm. I guess I should have thought about April Fool's postings. You're right. Booby traps can easily show up then. Fortunately, they aren't particularly malicious! >> Not even a simple killer rm in a shar! >Perhaps the following qualifies: ['naive' user follows joke advice] I think the posting was fine. The user who goofed is the trapped booby in that case :-). Any body got a booby-remover handy? :-) :-) >> 2) Nobody has the time or willingness to truly analyze every >> program (binary OR source) posted to the net for booby >> traps. >One can, however, scan source code for inordinately complicated monkey- >shines, comments that don't appear to match code, etc. > >[Weemba quickly scans short sources he receives for any obvious > problems] > >I cannot do this with *any* "short little" binaries. I certainly can! The equivalent to quickly scanning a source program, is to try out a binary in a controlled environment. Your example illustrates my point perfectly: the best we (even experienced, careful people) do with source code, is to take a quick look, then trust. And if the code is too big to scan completely, we base our trust on the origins of the program. >Booby-trapped source code though refers almost certainly to someone on >the net, either the author or someone who messed with his FTP archives. >Booby-trapped binaries could come from anywhere, including someone to- >tally innocent whose program got infected by a virus on his PC. They *could* come from anywhere, but they shouldn't. Just as you would trust a source program tested and posted by one of the net's esteemed source code moderators, I would trust a binary validated by one of the binary moderators. It would be best to ensure that the creator of the binary is the one responsible for posting to the net, but that isn't always possible. Even so, when I see a binary posting in a moderated group, prefaced by a note from Chuck Forsberg saying "I personally grabbed this program from the author; there is no way anybody has had a chance to harm it"... I don't particularly worry about it! >I sometimes wonder if I should day be more paranoid or not about Gnews. >[suggests giving byte count of compressed tar file for major source > postings, perhaps in concert with public encryption. Maybe standardized > "Key:" headers on postings] >This could guarantee author's responsibility for source code funny busi- >ness, but it wouldn't mean beans for binaries. Why not? The exact same argument applies to binaries, and I like the concept in general: discouraging people from playing around with compressed tar files is *exactly* the same problem as discouraging people from playing with compressed binary files [except it is harder for people to modify a posted binary!]. And ensuring "author's responsibility" is entirely appropriate for binary postings, as it is with source code. This is a rule that makes sense for the net. [I don't mean responsibility in a legal sense. Just that we need trustworthy assurances that we are getting what the author intended we get, and we know where to find the author if something is wrong (or right!)] Pete PS: Weemba, I must congratulate you on posting a message completely lacking obnoxiousness in this group! [There, now I've done it. Sigh. :-)] -- OOO __| ___ Peter Holzmann, Octopus Enterprises OOOOOOO___/ _______ USPS: 19611 La Mar Court, Cupertino, CA 95014 OOOOO \___/ UUCP: {hpda,pyramid}!octopus!pete ___| \_____ Phone: 408/996-7746