Old 11-21-2015, 09:05 PM   #4
eschwartz
Ex-Helpdesk Junkie
Posts: 19,421
Karma: 85400180
Join Date: Nov 2012
Location: The Beaten Path, USA, Roundworld, This Side of Infinity
Device: Kindle Touch fw5.3.7 (Wifi only)
If calibre was malicious software, the malware could be hidden in the application itself, possibly in the post_install which is also run, immediately, as root.

And if the "dumb security mistake" involves a MITM attack on GitHub... well, I suppose it could happen, if the attackers crack the internet's HTTPS model first...
But not very likely.

The whole "mistake" is predicated on a lack of trust in the calibre website.

Which is an easy thing to fix.
Also, it is the prerogative of the potential user to establish a trust confidence in calibre.


Point taken, peoples! Don't randomly run ANY command offered by someone you have never heard of and don't trust, and have no REASON to trust, until you understand and vet it.

As such, don't install calibre until you have vetted the source code... because that is something you are running too.