[linux-elitists] Comprehensive list of Linux malware

Mike MacCana mmaccana@redhat.com
Sat Nov 20 15:39:14 PST 2004

Etienne Goyer wrote:

> Mike MacCana wrote:
>> - Executable files not used to package software
>> Legitimate software is supplied as a package file that only needs to 
>> be read by an existing, trusted executable installation app (ie, 
>> up2date, apt-get).
> Considering package install scripts can do pretty much anything, and 
> are usually run as root

What you've said is true, but the point I'm getting at there is a 
different one (I probably could have worded it better). That point: not 
only do you explicitly have to make a random file executable to run it, 
people aren't in the habit of making files executable.

We've mentioned why "Download this file and run it" won't work (because 
it won't be saved as executable).
This one's about "Download this file, make it executable, and run it" 
(seems odd, none of my other software is installed that way).

So we're up to: "Install my GPG key, install my package". Indeed, 
package signing isn't a panacea - people you trust might do bad things, 
or bad people might convince you to install their key - but in the 
latter situation, it makes it more obvious that a package that says it 
comes from your vendor might not be.

"hrm, I've already installed a key for Red Hat / Dag Wieers / Webmin / 
Proprietary Vendor before - seems a little dodgy they're asking me to 
install a new one..."

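The "is this package signed by a key I already trust?" check the post describes, as an added example (not code from the original message or from any vendor). It parses the output of two rpm queries, `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'` for the imported keys and `rpm -qp --qf '%{NAME}\t%{SIGPGP:pgpsig}\n' file.rpm` for each downloaded package, and flags any package whose signing key ID does not match an already-imported key. The sample lines, key IDs and package names below are constructed for the example; the query formats are rpm's, but the script never runs rpm itself.

```python
import re

# Constructed sample of `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`.
# rpm stores each imported key as a pseudo-package whose VERSION is the low
# 32 bits of the key ID and whose RELEASE is the key creation time in hex.
INSTALLED_KEYS = """\
gpg-pubkey-0a1b2c3d-3f1e2d4c\tgpg(Example Vendor (release key) <security@vendor.example>)
gpg-pubkey-5e6f7a8b-41d2e3f4\tgpg(Example Repo Maintainer <dag@repo.example>)
"""

# Constructed sample of, per downloaded package,
# `rpm -qp --qf '%{NAME}\t%{SIGPGP:pgpsig}\n' file.rpm`.
# The third package is unsigned; rpm prints "(none)" for it.
PACKAGE_SIGS = """\
vendor-tool\tRSA/SHA256, Mon 01 Nov 2004 10:00:00 AM UTC, Key ID 89abcdef0a1b2c3d
repo-util\tDSA/SHA1, Tue 02 Nov 2004 11:00:00 AM UTC, Key ID 0123456789abcdef
unsigned-thing\t(none)
"""

KEY_LINE = re.compile(r'^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}\t(.*)$')
SIG_LINE = re.compile(r'^(\S+)\t(.*)$')
KEYID = re.compile(r'Key ID ([0-9a-f]{16})')


def parse_installed_keys(text):
    """Map the low 32 bits of each imported key ID to its user ID string."""
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys[m.group(1)] = m.group(2)
    return keys


def classify_package(sig_field, installed):
    """Return (status, detail) for one package's pgpsig header field."""
    if sig_field.strip() == '(none)':
        return 'unsigned', None
    m = KEYID.search(sig_field)
    if not m:
        return 'unparseable', sig_field
    full_id = m.group(1)
    short_id = full_id[-8:]          # matches the gpg-pubkey VERSION field
    if short_id in installed:
        return 'trusted', installed[short_id]
    # Signed, but by a key that is not imported: the "please install my
    # new key first" situation the thread is talking about.
    return 'unknown-key', full_id


def audit(installed_text, sigs_text):
    """Classify every package line against the set of imported keys."""
    installed = parse_installed_keys(installed_text)
    report = {}
    for line in sigs_text.splitlines():
        m = SIG_LINE.match(line)
        if not m:
            continue
        name, sig_field = m.group(1), m.group(2)
        report[name] = classify_package(sig_field, installed)
    return report


if __name__ == '__main__':
    for name, (status, detail) in audit(INSTALLED_KEYS, PACKAGE_SIGS).items():
        print(f'{name:16} {status:12} {detail or ""}')
```

This only does the key bookkeeping: it tells you which packages are signed by a key you have not already imported, which is the moment to get suspicious rather than to go and import whatever key the download page offers. It does not verify the signatures themselves; run `rpm -K file.rpm` for that, and compare the full fingerprint against the one published through a channel you already trust, since the 32-bit short ID used in the gpg-pubkey name is not unique enough on its own.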