Thursday, February 14, 2013
Um... Security risk much?

While cruising through the Internet a few minutes ago, I wandered across Meteor, which looks like a really cool tool/system/platform/whatever for building modern web applications. JavaScript on the front, JavaScript on the back, Mongo backing, it's definitely something worth looking into, IMHO.

Thus emboldened, I decide to look at how to start playing with it, and lo and behold I discover that the instructions for installation are:

curl | sh
Um.... Wat?

Now, I'm sure the Meteor folks are all nice people, and they're making sure (via the use of the https URL) that whatever is piped into my shell is, in fact, coming from their servers, but I don't know these people from Adam or Eve, and that's taking an awfully big risk on my part, just letting them pipe whatever-the-hell-they-want into a shell Terminal. Hell, you don't even need root access to fill my hard drive with whatever random bits of goo you wanted.

I looked at the shell script, and it's all OK, mind you--the Meteor people definitely look trustworthy, I want to reassure anyone of that. But I'm really, really hoping that this is NOT their preferred mechanism for delivery... nor is it anyone's preferred mechanism for delivery... because that's got a gaping security hole in it about twelve miles wide. It's just begging for some random evil hacker to post a website saying, "Hey, all, I've got this really cool framework y'all should try..." and bury the malware inside the code somewhere.

Which leads to today's Random Thought Experiment of the Day: How long would it take the open source community to discover malware buried inside of an open-source package, particularly one that's in widespread use, a la Apache or Tomcat or JBoss? (Assume all the core committers were in on it--how many people, aside from the core committers, actually look at the source of the packages we download and install, sometimes under root permissions?)

Not saying we should abandon open source; just saying we should be responsible citizens about who we let in our front door.

UPDATE: Having done the install, I realize that it's a two-step download... the shell script just figures out which OS you're on, which tool (curl or wget) to use, and asks you for root access to download and install the actual distribution. Which, honestly, I didn't look at. So, here's hoping the Meteor folks are as good as I'm assuming them to be....

Still highlights that this is a huge security risk.
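The usual defensive alternative to piping a remote script straight into a shell, as an added example (not from the post and not Meteor's own installer): save the script to a file, check its digest against a value published out of band, read it, and only then run it. The URL and expected digest are placeholders supplied by the caller, not values from the page.

```shell
# Added example, not the post's or Meteor's code: "save, verify, review, run"
# in place of `curl ... | sh`. The URL and digest are caller-supplied placeholders.

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a saved installer against the digest published out of band.
# Returns 0 on match, 1 on mismatch, so the caller can refuse to execute it.
verify_installer() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Fetch to a local file (with curl or wget, as the Meteor script itself does),
# verify it, and print the path so the user can read it before running it.
# Nothing is executed here; the final `sh` step is left to the user.
fetch_verify_run() {
    url="$1"
    expected="$2"
    out=$(mktemp)
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL "$url" -o "$out"
    else
        wget -qO "$out" "$url"
    fi
    verify_installer "$out" "$expected" || { rm -f "$out"; return 1; }
    echo "saved to $out; review it, then run: sh $out"
}
```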

Friday, February 15, 2013 12:45:51 AM (Pacific Standard Time, UTC-08:00)
Have you never installed rvm?

This approach comes from the rails community.
Friday, February 15, 2013 1:10:36 AM (Pacific Standard Time, UTC-08:00)
How is this different from most other software you download and install from the internet? I would argue that this way is more secure because it made you aware of the fact that you are running code that can do whatever it wants as the user it's running as. At least with open source software you have the opportunity to read the source code. This is just one installer format among many. In the end you are always left with trusting the people providing the software for you unless you have the resources to audit everything going to your machine. If the random evil hacker can get people to download untrusted and compromised software through a website, it's not a problem with the install mechanism. Operating system software delivery mechanisms have the edge that with them you can be reasonably sure you are at least getting the software that upstream intended you to get (https certificate authority system is just plain broken for example).
Petteri Räty
Friday, February 15, 2013 9:07:38 AM (Pacific Standard Time, UTC-08:00)
Geez, first "craftsmanship" and now "responsible citizenship"?

Friday, February 15, 2013 4:57:47 PM (Pacific Standard Time, UTC-08:00)
@Barry: No, I've never installed RVM, but regardless of where it comes from, it's still a gaping-wide attack vector. Not that anyone would install malware into the Ruby community, to be delivered via something like gems... Oh, right.

@Petteri: I don't think it is any different--in fact, I think those of us in the software development sphere are far, far more trusting than even the average consumer is when it comes to installing something from the Internet, particularly if it has the words "open source" somewhere on the website. Frankly, I think malware-via-open-source is a real risk waiting to be exploited, and if the open source community doesn't start thinking about it, it will hurt the trust we have in open source for generations to come. I don't have an answer here--just pointing out that the emperor has no clothes.
Ted Neward