Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!iuvax!bsu-cs!dhesi
From: dhesi@bsu-cs.UUCP (Rahul Dhesi)
Newsgroups: comp.binaries.ibm.pc.d
Subject: Re: Re: Sez, self-extracting zoo system 2.30
Message-ID: <3820@bsu-cs.UUCP>
Date: 31 Aug 88 20:09:16 GMT
References: <20948@tut.cis.ohio-state.edu> <17560004@hpsmtc1.HP.COM>
Reply-To: dhesi@bsu-cs.UUCP (Rahul Dhesi)
Organization: CS Dept, Ball St U, Muncie, Indiana
Lines: 34

In article <17560004@hpsmtc1.HP.COM> swh@hpsmtc1.HP.COM (Steve Harrold) writes:

>I have a major problem with self-extracting files: TROJANS.
>How does one ensure that a file purporting to be a self-extracting
>archive isn't really some type of vandalistic program?

The problem is more general than that. Almost everything posted to
comp.binaries.ibm.pc has contained one or more executable files that
you were supposed to run. So if you distribute binaries as zoo or arc
archives, and they contain files that are to be executed after
extraction, you haven't eliminated the problem of Trojans at all.

Only providing source can do that--or so it appears at first glance.
In reality, it's not difficult to hide Trojan code in source too. A
30 K executable might come from 100 K of source code, and a malicious
hacker (as opposed to the benign ones, like me) could easily hide
dangerous code in that 100 K that you would not easily detect.

In any case, self-extracting archives should only be distributed to
your private customers. They are not a good mechanism for distributing
free software through BBSs etc. Self-extracting code is
machine-specific and so not easily extractable by all. And
self-extracting files are much harder to manipulate than regular
archives.

The only reasonable exception is that if you are distributing an
archiving/dearchiving program it doesn't make sense to require the
user to have another one already in order to extract yours, so a
self-extracting archive is appropriate. This is a bootstrap mechanism
to avoid the "which comes first--chicken or egg" problem.

P.S. Extract a self-extracting archive made with sez by following
instructions about fiz in the fiz and zoo documentation.
--
Rahul Dhesi UUCP: !{iuvax,pur-ee,uunet}!bsu-cs!dhesi