MATTHEW BROWNING wrote:

> I get kernels and other bits here (really quickly) but I have often
> been concerned about grabbing a whole distribution because it says in
> this staff booklet I have that you are not allowed to download any
> sort of executable.

It's one of those security policies that is incomplete.

I mean a kernel is an executable even if you build it from source. Source versions can still contain trojans, or viruses, and they don't even have to know your target platform to start with as configure will tell them.

So if they ban executables, they should also ban other formats that could contain malicious code that gets executed, e.g. source code, and Word and Microsoft Office documents, and many other formats.

Indeed the list of executable content is dependent on the applications in use, so for example "rtf" or "postscript" may seem harmless on casual inspection, but viewed with the wrong application and zap, the hard disk is gone, and the viruses running.

I suspect a carefully crafted text file could be used to hack a computer if you could guarantee the environment it was to be used in. Certainly some dumb terminals could (and can in some cases) be persuaded to do things with control characters, such that you could force (or con) a user into executing a specific command.

It's only a small step from printing through dumb terminals, to printing through a terminal emulator (been there, done that), to exploiting a buffer overflow in a print spooler with a text e-mail.

The problem is allegedly not distinguishing between application and data. Thus a dumb terminal can use control characters to redraw the screen, but then it shouldn't allow them in the document to be displayed. But that is a simplistic approach; application macros raise a whole new raft of questions...

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
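
The point in the message about a terminal acting on control characters found in the document it displays, as an added example that is not part of the original post: a Python filter that reports the escape sequences embedded in untrusted text and rewrites every control character into a visible form before the text reaches a terminal. The sample text, the function names and the choice to keep only newline and tab are assumptions of this example.

```python
import re

# Sequences a terminal emulator acts on instead of displaying (ECMA-48 / xterm style).
SEQUENCE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: cursor movement, clear screen, colours
    r"|\x9b[0-?]*[ -/]*[@-~]"                # 8-bit form of CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC: e.g. set the window title
    r"|\x1b[@-Z\\^_]"                        # remaining two-byte escapes
)

# Assumption of this example: only newline and tab are legitimate in displayed text.
ALLOWED = {"\n", "\t"}


def is_control(ch: str) -> bool:
    """True for C0 controls, DEL and C1 controls that are not explicitly allowed."""
    code = ord(ch)
    return (code < 0x20 or 0x7F <= code <= 0x9F) and ch not in ALLOWED


def find_sequences(text: str) -> list[str]:
    """Return the complete escape sequences present, for logging or alerting."""
    return [m.group(0) for m in SEQUENCE.finditer(text)]


def neutralise(text: str) -> str:
    """Rewrite each control character as a literal \\xNN so the terminal prints it.

    Once ESC, CSI and the other controls are gone, what is left of a sequence is
    ordinary printable text, so unknown or malformed sequences are covered too.
    """
    return "".join(f"\\x{ord(ch):02x}" if is_control(ch) else ch for ch in text)


# Constructed sample: a text message carrying a clear-screen and a set-title sequence.
SAMPLE = "Dear user,\x1b[2J\x1b]0;new title\x07please read\r\nthe attached notes.\n"

if __name__ == "__main__":
    for seq in find_sequences(SAMPLE):
        print("embedded sequence:", repr(seq))
    print(neutralise(SAMPLE), end="")
```

The filter keeps data as data by escaping rather than deleting, so the reader still sees that something was embedded in the text.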