Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!zaphod.mps.ohio-state.edu!van-bc!
From: lphillips@lpami.wimsey.bc.ca (Larry Phillips)
Newsgroups: comp.sys.amiga
Subject: Re: Self Extracting Archives
Message-ID: <1219@lpami.wimsey.bc.ca>
Date: 9 Mar 90 16:59:37 GMT
Lines: 64
Return-Path:
To: van-bc!rnews

In <79.25f87ef0@uoft02.utoledo.edu>, grx1042@uoft02.utoledo.edu (Steve Snodgrass) writes:
>In article <2675@leah.Albany.Edu>, wfh58@leah.Albany.Edu (William F. Hammond) writes:
>
>> The only way that I would execute a self-extracting archive is if
>> 1) I could afford to have an unexpected crash;
>> 2) All of my resources were write protected except for ram:
>> 3) I personally knew the creator of the archive and knew about everyone
>> with whom the archive creator had shared software.
>> It's a dangerous world out there, and there is no point doing unnecessarily
>> dangerous things. Self-extracting archives are a safe idea only in utopia
>> or within a very secure office environment. They are never a good idea.
>> -- Bill
>
>I'll try not to be insulting, but this is a very stupid attitude. Has it
>occurred to you that there is basically no difference between executing a self
>extracting archive, and extracting some stuff from an archive then executing
>that? Either way, you run the same risk that some jerk who is out to cause
>trouble created the archive. The archive could even contain fake documentation
>and such. In short, there is no security advantage to non-self-extracting
>archives.

You are insulting. You make the assumption that just because an opinion
differs from yours, that it is stupid. Not so.

By its very nature, a self extracting archive will be compressed, and
therefore encrypted. The only part that would not be encrypted would be the
extraction code itself. This means that unless you have a means of checking
the extraction part itself very thoroughly, you have no way of knowing if
something untoward is going to happen when you run the archive.
Since you are treating the archive as an executable by running it, you are
immediately at the mercy of the program, which could easily decompress and
run any part of the encrypted data. With 'normal' archivers, the archive is
being treated as data, and has no control over your machine.

A normal archive, having been extracted, may have executables that are
suspect, certainly, but they are not executed until _you_ decide to execute
them, after checking them to whatever degree you feel necessary _IN THE FORM
IN WHICH THEY ARE MEANT TO RUN_. What makes them different from the
executable self-extraction archive? Well, for one thing, if they are
compressed and/or encrypted, a 'strings' will show a suspicious lack of ASCII
text. If they have docs, the output from 'strings' can be compared against
the supposed purpose of the program.

There are quite a few steps I go through when checking files that are suspect
(virtually every new package that comes my way, unless I know its full
history). There have been many files that I have put onto a floppy and run
from there, after first having disabled the access to the hard drives. I
don't do it with every package, but I would feel the need to do it with every
self extracting archive, because many of the techniques I use are useless on
the archive.

Do I want to have to do this with every single archived program that comes
around, that I can't properly check? Not a chance bunky. You do whatever you
want, but please stop calling people stupid because they disagree with you.

-larry

--
Entymology bugs me.
+-----------------------------------------------------------------------+
|   //   Larry Phillips                                                 |
|  \X/   lphillips@lpami.wimsey.bc.ca -or- uunet!van-bc!lpami!lphillips |
|  COMPUSERVE: 76703,4322 -or- 76703.4322@compuserve.com                |
+-----------------------------------------------------------------------+
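
The 'strings' comparison described in the post above, as an added example that is not part of the original message: it runs the same check on a program in the form in which it is meant to run and on a self-extracting wrapper around it. The `fmtdisk` program, its messages and the stub are constructed sample data, and zlib stands in for whatever compressor an archiver would use.

```python
import re
import zlib

# Printable-ASCII runs of 4+ bytes, the default unit the Unix `strings` tool reports.
RUN = re.compile(rb"[\x20-\x7e]{4,}")

def ascii_strings(data):
    """Return the printable runs found in data, in file order."""
    return [m.group().decode("ascii") for m in RUN.finditer(data)]

def text_coverage(data):
    """Fraction of bytes that fall inside printable runs (0.0 for empty input)."""
    return sum(len(s) for s in ascii_strings(data)) / len(data) if data else 0.0

def check_against_docs(data, documented):
    """Split the phrases the docs promise into those visible in the file and those not."""
    text = "\n".join(ascii_strings(data))
    found = [p for p in documented if p in text]
    missing = [p for p in documented if p not in text]
    return {"coverage": round(text_coverage(data), 2), "found": found, "missing": missing}

# --- Constructed sample data (hypothetical program, not from the post) ---
CODE = bytes(range(1, 9))  # stand-in for machine code: 8 non-printable bytes
STUB_MESSAGE = b"Extracting archive...\0"
DOCUMENTED = [  # messages the (hypothetical) documentation says the program prints
    "Usage: fmtdisk <drive> [name]",
    "Cannot open device",
    "Insert disk and press RETURN",
    "Verifying cylinder",
    "Format complete",
    "Out of memory",
]

def build_program():
    """Extracted executable: code fragments interleaved with NUL-terminated messages."""
    return b"".join(CODE + p.encode("ascii") + b"\0" for p in DOCUMENTED)

def build_sfx(program):
    """Self-extracting form: a small readable stub followed by the compressed program."""
    return CODE + STUB_MESSAGE + zlib.compress(program)

if __name__ == "__main__":
    program = build_program()
    for label, blob in (("extracted program", program),
                        ("self-extractor", build_sfx(program))):
        print(label, check_against_docs(blob, DOCUMENTED))
```

On the extracted program every documented message is found; on the self-extractor only the stub's own text is readable and every documented message is reported missing.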