[ale] malicious make scripts

Michael H. Warfield mhw at wittsend.com
Tue Dec 3 00:48:38 EST 2002


On Mon, Dec 02, 2002 at 11:37:21PM -0500, John Wells wrote:
> Has there ever been a case of someone being bitten by a malicious make
> script?

	Yeah...

	Just look at the trojan attempts at sendmail, openssh, tcpdump,
and libpcap.  Their primary attack was against the developers through
modifications to the configure and build.

> I'm usually careful to examine what something I've downloaded will do, but
> have lately found myself becoming a bit lazy.  It occurs to me that there
> are many out in the big, bright world who never check make scripts.  It
> would seem the ideal place to put malicious code, as you often have to run
> make install or the like as root.  It would seemingly be easy to insert a
> rm -fR / in the script...or am I missing something?

	You're not...  Other than missing the fact that you should be
checking the PGP sigs...  Several of us are trying to get major packages
anchored in the "strong set" of the PGP web of trust.  My key is in the
path for Apache and Samba.  Keys with no signatures should not be trusted.
Keys anchored in the web of trust are much tougher to forge.  If a
package has a PGP signature, check it.  If not, ask why not.

	BTW...  This Thursday, I'm giving a talk on PGP and GPG at ALE
at Emory University...  Hope to see a good attendance...  :-/

> Just interested ;-).

> Thanks,
> 
> John
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
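
Added example, not part of the thread and not code from any of the projects it names: a POSIX shell script that does what Warfield's reply asks for before a build, and what Wells is worried about before "make install". It verifies the tarball's detached signature and accepts it only if gpg reports a good signature from a key with FULLY or ULTIMATE trust in the local web of trust (a key that merely imported cleanly reports TRUST_UNDEFINED and is refused), then dry-runs the install target and flags commands that have no business in it. The function names (gpg_status_ok, install_plan_is_suspicious, makefile_runs_at_parse_time, verify_and_install), the foo-1.0.tar.gz file names and the sample gpg status lines are assumptions made for this example; the gpg --status-fd keywords and GNU make's treatment of $(shell ...) and '+' recipe lines are real behaviour.

```shell
#!/bin/sh
# Added example, not code from the ALE thread or from any project named in it.
# Gate a downloaded source package on the two things the reply asks for:
# a detached PGP signature from a key that is actually trusted in the local
# web of trust, and a look at what "make install" would do as root before
# doing it.  Function names, file names and the sample inputs are assumptions.

# gpg_status_ok: read "gpg --status-fd 1 --verify" output on stdin.
# Succeed only for a GOODSIG whose key has computed trust FULLY or ULTIMATE.
# A key that merely imported cleanly reports TRUST_UNDEFINED and is rejected,
# as are marginal/never trust, expired or revoked keys, and bad signatures.
gpg_status_ok() {
    good=0 trusted=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$trusted" -eq 1 ]
}

# install_plan_is_suspicious: read "make -n install" output on stdin and
# succeed if any line looks out of place in an install target: recursive rm
# of /, network clients, setuid/setgid bits, writes to sensitive files under
# /etc, cron or ssh persistence.  Prints the matches (with line numbers) for
# the human to read.  A heuristic that flags; it cannot prove a tree is clean.
install_plan_is_suspicious() {
    grep -E -n \
        -e 'rm +(-[a-zA-Z]+ +)*-[a-zA-Z]*[rR][a-zA-Z]* +/\*?( |$)' \
        -e '(^|[ ;&|(])(curl|wget|nc|ncat|telnet|ftp) ' \
        -e '/dev/tcp/' \
        -e 'chmod +(-[a-zA-Z]+ +)*([0-7]?[2-7][0-7]{3}|[ugoa]*\+[rwx]*s)' \
        -e '/etc/(passwd|shadow|sudoers|ld\.so\.preload|cron|rc\.local|profile)' \
        -e '/\.ssh/|authorized_keys|crontab '
}

# makefile_runs_at_parse_time: "make -n" is not a safe preview of a hostile
# Makefile.  GNU make expands $(shell ...) while it parses, and recipe lines
# beginning with '+' (or containing $(MAKE)) are executed even under -n.
# Read the Makefile on stdin and succeed if it contains any of those, so the
# reader opens it in an editor instead of trusting the dry run.
makefile_runs_at_parse_time() {
    grep -E -n \
        -e '\$\(shell[[:space:]]|\$\{shell[[:space:]]' \
        -e '^[[:space:]]*\+' \
        -e '\$\(MAKE\)|\$\{MAKE\}'
}

# verify_and_install: the whole procedure on a real download, e.g.
#   verify_and_install foo-1.0.tar.gz foo-1.0.tar.gz.asc
# Run it as an unprivileged user; only the final step escalates.  The
# signature check is the real control here: configure and the build are
# arbitrary code, and the install-plan scan only catches the clumsy cases.
verify_and_install() {
    tarball=$1 sig=$2
    if ! gpg --status-fd 1 --verify "$sig" "$tarball" | gpg_status_ok; then
        echo "refusing $tarball: bad signature, or signing key not trusted in your web of trust" >&2
        return 1
    fi
    # assumes the usual layout of one top-level directory inside the tarball
    srcdir=$(tar tzf "$tarball" | sed 1q | cut -d/ -f1)
    tar xzf "$tarball" && cd "$srcdir" || return 1
    ./configure && make || return 1
    if makefile_runs_at_parse_time < Makefile; then
        echo "Makefile runs commands at parse time or under -n; read it before continuing" >&2
    fi
    if make -n install | install_plan_is_suspicious; then
        echo "refusing to run 'make install' as root: suspicious commands listed above" >&2
        return 1
    fi
    sudo make install    # or: su -c 'make install'
}

# Only act when invoked with a tarball and its signature; sourcing the file
# just defines the functions.
if [ "$#" -eq 2 ]; then
    verify_and_install "$1" "$2"
fi
```

Run it as the unprivileged user who downloaded the tarball: sh verify-build.sh foo-1.0.tar.gz foo-1.0.tar.gz.asc. The trust check is the point of the reply: a key that imported cleanly is not evidence of anything, and "gpg --verify" alone prints a warning about an uncertified key but still exits 0 on a good signature, which is why the script reads the status lines instead of the exit code. The dry-run scan is a second, weaker line; a Makefile that runs commands at parse time gets around it, so the script says so and leaves reading the file to the human.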

 PGP signature