11-21-2015, 03:10 PM | #1 | |
Grand Sorcerer
Posts: 12,167
Karma: 73448616
Join Date: Nov 2007
Location: Toronto
Device: Nexus 7, Clara, Touch, Tolino EPOS
|
Article on 10 dumb security mistakes sys admins make
While this is not exactly a post on calibre development, it might be of interest to Kovid and might call for some cooments / action by him.
I came across 10 dumb security mistakes sys admins make and saw the following Quote:
|
|
11-21-2015, 06:55 PM | #2 |
creator of calibre
Posts: 43,858
Karma: 22666666
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
|
This stupid canard again. If you want to install software on your system, the installer has to be run as root. If you dont want to actually install calibre, then simply run the installer as a normal user and do an isolated install, which does not require root, instructions for which are further down the page, which this idiot seems to not have bothered to read.
Someone needs to write an article on 10 dumb mistakes security "experts" make when giving sysadmins advice. |
11-21-2015, 07:32 PM | #3 | |
creator of calibre
Posts: 43,858
Karma: 22666666
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
|
Oh and I forgot to address the idiocy in title of that post
Quote:
|
|
11-21-2015, 09:05 PM | #4 |
Ex-Helpdesk Junkie
Posts: 19,422
Karma: 85397180
Join Date: Nov 2012
Location: The Beaten Path, USA, Roundworld, This Side of Infinity
Device: Kindle Touch fw5.3.7 (Wifi only)
|
If calibre was malicious software, the malware could be hidden in the application itself, possibly in the post_install which is also run, immediately, as root.
And if the "dumb security mistake" involves a MITM attack on GitHub... well, I suppose it could happen, if the attackers crack the internet's HTTPS model first... But not very likely. The whole "mistake" is predicated on a lack of trust in the calibre website. Which is an easy thing to fix. Also, it is the prerogative of the potential user to establish a trust confidence in calibre. Point taken, peoples! Don't randomly run ANY command offered by someone you have never heard of and don't trust, and have no REASON to trust, until you understand and vet it. As such, don't install calibre until you have vetted the source code... because that is something you are running too. |
11-23-2015, 10:51 AM | #5 |
Generally Awesome Person
Posts: 1,061
Karma: 2178845
Join Date: Jan 2013
Location: /dev/kmem
Device: Kobo Clara HD, Kindle Oasis
|
In general, great advice. Sending a script from the Internet directly to your shell to be run, whether using sudo or not, is a bad idea. Sudo makes it worse. But, the threat model is slightly different using a relatively trustworthy site like GitHub, downloading the script using TLS, compared to going to some random site with no reputation and downloading their script with no encryption or secure checksumming. No, a checksum on the unencrypted page doesn't count.
In the general case, whether TLS-secured or not, I can go to the script, see what's there, and do some quick searching to see if anyone is saying "OMG, l33t hax0rs, don't download this!" or if the Internet is mostly silent. With TLS, I have some assurances that if the content is being modified before being sent it's happening on the server before data is transmitted. Which I've seen happen, different content is sent to different user agents, and you can guard against that by setting the user agent in your script to something a normal browser sends, and maybe even set a referrer URL so it looks like you came from another page on the site. For some of us, the threat model is still different. I can download the script, read it, evaluate what it's doing, decode any encoded strings, decide if I'm comfortable with it, and run it locally. And if I find that Kovid is pulling some hanky-panky and using the calibre setup script to run bitcoin miners on all our boxes, I can post about it, show the GitHub commit hash where that was added, outline how it was hidden, and basically make the Internet be "not silent" about the dangers of running this setup script. And if you're a sysadmin and you're blindly running scripts of unknown origin, hand in your sysadmin card. That's just not something a proper sysadmin does. |
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Free Ebook - The Top 13.5 Mistakes Men Make On Dates | dcrosby | Self-Promotions by Authors and Publishers | 0 | 11-12-2012 10:50 AM |
9 Easily Preventable Mistakes Writers Make with Dialogue | VydorScope | Writers' Corner | 15 | 11-01-2012 12:57 PM |
Free (nook/Kindle) Common Mistakes Singles Make [Christian Dating Advice] | ATDrake | Deals and Resources (No Self-Promotion or Affiliate Links) | 1 | 04-07-2012 11:16 AM |
Books that make you dumb | Madam Broshkina | Lounge | 21 | 03-10-2009 02:28 PM |
Books That Make You Dumb | Nate the great | Deals and Resources (No Self-Promotion or Affiliate Links) | 11 | 01-28-2008 07:49 PM |