Path: utzoo!attcan!uunet!lll-winken!lll-lcc!mordor!joyce!ames!ucsd!nosc!helios.ee.lbl.gov!pasteur!agate!garnet!weemba
From: weemba@garnet.berkeley.edu (Obnoxious Math Grad Student)
Newsgroups: news.admin
Subject: Re: Malicious posting worries (was re: A counter-example...)
Message-ID: <11518@agate.BERKELEY.EDU>
Date: 30 Jun 88 19:04:58 GMT
References: <266@octopus.UUCP>
Sender: usenet@agate.BERKELEY.EDU
Reply-To: weemba@garnet.berkeley.edu (Obnoxious Math Grad Student)
Organization: Brahms Gang Posting Central
Lines: 63
In-reply-to: pete@octopus.UUCP (Pete Holzmann)

In article <266@octopus.UUCP>, pete@octopus (Pete Holzmann) writes:
>	1) Booby traps are extremely rare. As far as I know, no posting
>		in ANY binary or source group has ever been booby trapped.

Not quite.

There was one April Fools' posting of an "unrm" that allegedly did all
sorts of miracles to recover your rm-ed files.  It actually moved your
.login to some other place and substituted a "hahaha, you twit!" .login.

>		Not even a simple killer rm in a shar!

Perhaps the following qualifies:  The age-old "how do I remove a file
with funny characters in its name?" question came up.  Someone listed
several standard answers, and then said, "if you *really* want to get
rid of that file, `rm -rf ~' will do the trick :-)".  This attempt at
UNIX humor, smiley face and all, went right over one, uh, naive, user,
and the sysadmin who had to deal with the mess was rather unhappy with
the original joker.

>	2) Nobody has the time or willingness to truly analyze every
>		program (binary OR source) posted to the net for booby
>               traps.

One can, however, scan source code for inordinately complicated monkey-
shines, comments that don't appear to match code, etc.

I know I give a lookover to the short little sources I get.  When some-
one posts a 10K ELisp package that looks promising, I will give it a
semiread, trying to understand what is happening.  I recently grabbed
two 10K Mandelbrot generators for X-windows.  Again, I gave them both
a semiread.  "Ah yes, I know this algorithm well--hmm here's some more
X nonsense, looks like other X nonsense, although to hell if I know
what it means, etc."

I cannot do this with *any* "short little" binaries.

>			      Suppose that a new smail version were well
>		boobied? News 3.0? A time-delay trap could be hidden in
>		the source code, and a LOT of people could get hurt.
>		BUT THAT'S JUST THEORETICAL. Practically speaking, I'm
>		not too worried.

Booby-trapped source code though refers almost certainly to someone on
the net, either the author or someone who messed with his FTP archives.
Booby-trapped binaries could come from anywhere, including someone to-
tally innocent whose program got infected by a virus on his PC.

I sometimes wonder if I should be more paranoid or not about Gnews.
When I announce a release, should I mention the exact byte count of the
compressed tar file?  That would be difficult for someone to tinker with.
I could go further and write a simple public encryption checksum scheme
that would then be nearly impossible to get past.

That is, we already have tar, compress/uncompress, uuencode/uudecode,
and unfortunately numerous shar/unshar.  One more step would be to imple-
ment a standard "verify".  Perhaps the moderators of comp.sources.* will
eventually include a "Key:" header.  (Check out a recent comp.org.fidonet
posting for a description of what's involved.)

This could guarantee author's responsibility for source code funny busi-
ness, but it wouldn't mean beans for binaries.

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720
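
The "verify" step proposed above, sketched as an added example that is not part of the original post: it checks an archive against an announced byte count and a digest, and shows that a same-length change passes the count but fails the digest. The `Size:` and `Key:` header layout, the SHA-256 digest standing in for the public-key checksum, and the sample bytes are all assumptions constructed here.

```python
import hashlib
import hmac


def parse_announcement(text):
    """Read 'Name: value' header lines from a release announcement."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def verify(archive, announcement):
    """Check archive bytes against the announced size and digest.

    A missing or malformed header counts as a failure (fail closed).
    """
    fields = parse_announcement(announcement)
    size = fields.get("size", "")
    size_ok = size.isdigit() and int(size) == len(archive)
    digest = hashlib.sha256(archive).hexdigest()
    # Constant-time comparison of the computed and announced digests.
    digest_ok = hmac.compare_digest(digest, fields.get("key", "").lower())
    return {"size": size_ok, "digest": digest_ok,
            "accept": size_ok and digest_ok}


# Constructed sample data: stand-in bytes for a compressed tar file.
ORIGINAL = b'gnews release: (load "gnews")\n' * 8
# Same length, one byte changed: a byte-count check cannot see this.
TAMPERED = ORIGINAL.replace(b"load", b"l0ad", 1)

# Hypothetical announcement headers (layout assumed for this example).
ANNOUNCEMENT = "Size: %d\nKey: %s\n" % (
    len(ORIGINAL), hashlib.sha256(ORIGINAL).hexdigest())

if __name__ == "__main__":
    for label, data in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, verify(data, ANNOUNCEMENT))
```

A bare digest only helps when the announcement itself reaches the reader unmodified; the public-key scheme the post mentions is what would bind the value to the author.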