PerlMonks
Re: Malware on CPAN

by zentara (Archbishop)
on Jun 20, 2012 at 10:15 UTC (#977282)


in reply to Malware on CPAN

I've never heard of any malware, but I do worry, especially when running cpan as root. The most noticed unfounded worry for me is seeing in some modules, written on Windows I presume, files that unpack on Linux in mode 777, executable by anyone. Many of these files are just text files, but they could be sprinkled with bash commands. Nothing has ever happened though, so I don't worry much, but I shudder every time I see them in an unpacked module.

Another worry I have, although it may be unfounded, is that the network security engineers could set up a system where they switch a good download with one loaded with some malware, through some temporary DNS chicanery. This would not be CPAN's fault. In this new age of cyber-warfare, I wouldn't put it past the various agencies to try it.

Of course, I always download and build all modules as an underprivileged user, then after inspection, install as root, or even better install to the user's home directory with local::lib.

If you want my honest opinion, the biggest source of network related insecurity comes from downloading the numerous precompiled binary libraries and executables, which the various distributions provide. I always compile myself. You should also compile your own kernel and possibly use something like SELinux.

I went through a lot of worrying about this 10 years ago, but then I realized that it was a waste of time. What is your computer used for? If it's just a personal computer, not involved in any secret activity, the risk of invasion is so small that the time it takes to run REAL security is too high relative to the risk. If some evil agency wants to get access to your computer, they have easier ways than using CPAN or RPMs. 99 percent of all security compromises come from within your own circle of trust. A co-worker, a girlfriend, etc. who you allow to use the computer are almost always the culprit. You have to watch out for people with USB memory sticks. :-) They can boot your computer with an on-key OS, and do whatever they want.


I'm not really a human, but I play one on earth.
Old Perl Programmer Haiku ................... flash japh
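One check along the lines of this post, as an added example that is not part of the original thread or of CPAN's own tooling: list a distribution tarball before unpacking it and flag any world-writable (mode 777) entries, and compare its SHA-256 with the value recorded in a trusted copy of the mirror's CHECKSUMS file before anything is installed. The distribution Foo-Bar-0.01, its files, and the digest used here are all constructed inline for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread: inspect a CPAN-style
# tarball before unpacking or installing it.  The distribution name
# (Foo-Bar-0.01), its files, and the expected digest are constructed here.

# sha256_of FILE: print the hex SHA-256 digest (sha256sum on Linux,
# shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digest matches the value
# taken from a trusted copy of the mirror's CHECKSUMS file
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# audit_tarball TARBALL: list the archive without extracting it and report
#   WORLD-WRITABLE  any entry with the other-write bit set (the 777 case)
#   EXECUTABLE      any regular file with an execute bit, for manual review
# Returns 1 if a world-writable entry exists, 0 otherwise.  The mode string
# is the first field of "tar -tv" output on both GNU tar and bsdtar; the
# entry name is the last field.
audit_tarball() {
    report=$(tar -tvf "$1" | awk '
        { mode = $1; name = $NF }
        substr(mode, 9, 1) == "w"                  { print "WORLD-WRITABLE", mode, name }
        substr(mode, 1, 1) == "-" && mode ~ /[xs]/ { print "EXECUTABLE", mode, name }
    ')
    [ -n "$report" ] && printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^WORLD-WRITABLE'
}

# make_sample_dist: build a constructed distribution tarball containing a
# normal module, an intentionally executable bin/ script, and a README left
# world-writable (mode 777), as the post describes.  Prints the tarball path.
make_sample_dist() {
    dir=$(mktemp -d)
    root="$dir/Foo-Bar-0.01"
    mkdir -p "$root/lib/Foo" "$root/bin"
    printf 'package Foo::Bar;\n1;\n' > "$root/lib/Foo/Bar.pm"
    printf '#!/usr/bin/perl\nprint "hi\\n";\n' > "$root/bin/foo"
    printf 'Foo::Bar - sample\n' > "$root/README"
    find "$root" -type d -exec chmod 755 {} +
    chmod 644 "$root/lib/Foo/Bar.pm"
    chmod 755 "$root/bin/foo"
    chmod 777 "$root/README"
    (cd "$dir" && tar -cf Foo-Bar-0.01.tar Foo-Bar-0.01)
    printf '%s\n' "$dir/Foo-Bar-0.01.tar"
}

# Stand-alone run: build the sample, check its digest against a recorded
# value (here computed on the spot to stand in for the CHECKSUMS entry),
# then audit its contents.
tarball=$(make_sample_dist)
expected=$(sha256_of "$tarball")
verify_sha256 "$tarball" "$expected" && echo "digest OK"
audit_tarball "$tarball" || echo "refusing: world-writable entries found"
```

Run as the unprivileged build user, this leaves the root step to a tree that has already been listed and hashed. The hash comparison only helps if the CHECKSUMS value comes from somewhere other than the download path you distrust; CPAN.pm can instead verify the PGP signature on the CHECKSUMS file itself when `check_sigs` is enabled in its configuration (which requires Module::Signature and a keyring containing the PAUSE key).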


Re^2: Malware on CPAN
by marto (Chancellor) on Jun 20, 2012 at 10:25 UTC

    "Another worry I have, although it may be unfounded, is that the network security engineers could set up a system where they switch a good download with one loaded with some malware, through some temporary DNS chicanery. This would not be CPAN's fault. In this new age of cyber-warfare, I wouldn't put it past the various agencies to try it."

    It seems more complicated sleight-of-hand tactics are already in use ;)

      For me, the Stuxnet and Flame exploits contain one lesson, one which is conveniently overlooked by almost all reporters, probably on the orders of their higher-up owners and editors. It only attacks MS Windows, so anyone still using Windows must be crazy. Especially if you live in the Arab world :-)

      Back in the day, when every geek who thought Bill Gates and Windows were in cahoots with the NSA was labeled a kook, we were more vigilant. I always suspected that Windows gained such prominence in the OS market not because Gates was a genius and Windows was so good, but because it gave big government backdoors into everyone's computers. (I now don my flame-proof suit) :-)


      I'm not really a human, but I play one on earth.
      Old Perl Programmer Haiku ................... flash japh
        You may be overlooking Hanlon's Razor.

        Back in the day there were a number of companies creating personal computers and as many operating systems. Most didn't last long.

        The Apple II had a decent mix of graphics and functionality and got lucky enough to capture the education market. Unfortunately, Apple sued into non-existence any company that dared make hardware compatible with their OS.

        IBM made the PC and hired MS to write the operating system. Every major corporation on the planet was already their customer so they had an advantage in business. IBM chose not to protect their hardware design so everyone and their brother started to make PC Compatible computers. Competition drove prices down making the platform even more desirable.

        As there is much more money in business than in primary education, software companies generally wrote software for PC Compatible computers first and wrote ports to Apple's OS when they saw a profit in it. Low hardware prices and a larger selection of software drove much of the market to buy hardware from MS' customers.

        So MS wins because it was hired to write an OS for the company that didn't go out of its way to crush its competition.

        So if there's any collusion w/ NSA types, I'd guess that it's a result of MS' dominance & not the cause.

        TJD
