Why unauthenticated software download is dangerous and unethical.

Have you ever done `svn checkout http://include-what-you-use.googlecode.com/svn/trunk/ include-what-you-use`?

How about `download; ./configure; make; make install` when the connection is HTTP and you haven't checked your download against a cryptographic hash (e.g. SHA256) or public key (e.g. PGP) provided via an authenticated channel (e.g. HTTPS)?[1]
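What that check looks like in practice, as an added example that is not code from the original post: the digest is compared in constant time, and the tarball is not even opened, let alone configured or built, until it matches. `PUBLISHED_SHA256`, `GENUINE` and `MODIFIED` are constructed stand-ins for a digest fetched over HTTPS, the genuine release, and the same release altered in transit.

```python
import hashlib
import hmac
import io
import tarfile

# Added example, not code from the original post. PUBLISHED_SHA256 stands in
# for a digest obtained over an authenticated channel (HTTPS release page or
# a PGP-signed announcement); every value below is constructed.

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a downloaded artifact."""
    return hashlib.sha256(data).hexdigest()

def verify_download(data: bytes, published_hex: str) -> bool:
    """True only if the artifact matches the out-of-band digest.

    A digest served over the same plain-HTTP connection as the tarball proves
    nothing: whoever can rewrite the tarball can rewrite the digest too.
    compare_digest keeps the comparison constant-time.
    """
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())

def members_if_verified(data: bytes, published_hex: str) -> list:
    """Refuse to even open the archive unless the digest matches; only then
    return its member names (the step before ./configure && make)."""
    if not verify_download(data, published_hex):
        raise ValueError("digest mismatch: refusing to unpack or build")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]

def build_tarball(files: dict) -> bytes:
    """Constructed sample release: pack {path: source} into a .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, src in files.items():
            payload = src.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Genuine release and the digest its maintainer publishes over HTTPS.
GENUINE = build_tarball({"pkg/setup.py": "print('hello')\n"})
PUBLISHED_SHA256 = sha256_hex(GENUINE)
# Same release with one line appended to the .py file (a harmless comment
# here), modelling an in-transit edit: the bytes, and so the digest, differ.
MODIFIED = build_tarball({"pkg/setup.py": "print('hello')\n# appended\n"})
```

A digest copied from the same unauthenticated page as the tarball gives the same `True` for a rewritten archive, which is the whole point of footnote 1.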

Have you ever done these while using coffee-shop, train or cellular Internet without a VPN? Or even on home WiFi in a crowded area?[2]

It's not just your own security that these habits put at risk.

If I were evil[3], I would hang out in coffee shops and trains in the Bay Area with a good laptop & such, spoof the wireless hotspots and MITM people. Actually, I would compromise unpatched Windows XP boxes and use them to MITM people; much more efficient.

I would write a script to pass through most traffic unchanged (like Upside-Down-Ternet does), but, say, to modify Python files. My proxy would know about the git and svn protocols and the `.tar.{gz,xz,bz2}` and `.zip` formats and peek inside them for code. If it spied a Python file, it would insert a line near the end: `import os; os.system("do evil things")`. If I'm ambitious, I'd also spider a million tarballs and precompute their backdoored hashes, then replace all HTTP-served hashes of their contents.

What evil things would I do? So you're a developer or sysadmin. Do you release software? Perhaps I'll give myself the ability to lurk in your system until you're releasing a piece of software, then backdoor a few lines of it as you're releasing the next version. Or, do you have ssh keys to anywhere? If they're not strongly encrypted[4], I'll use them to pwn your servers and plant malice on them. Your peers, naturally, trust your server to be friendly. So, "hopefully", this malice will, in turn, pwn your peers.

And therein lies the ethical dilemma. Maybe you don't care about being pwned yourself: after all, "only" multiple Linux kernel committers found out they were pwned when they checked after kernel.org was compromised by an automated virus; threats are "only" increasing faster every year; and being pwned doesn't affect your skills and probably not your career. Still, you are responsible for everyone who relies on your software and your servers. And some of them care, or should care. The more of us are pwned, the harder it is for computers and honest engineering to dominate the world. Stop stalkers; stop terrorists; stop identity thieves; stop seedy government agents.

Sure, there's only a small chance you'll be compromised today. But think of how many times you do this in a year; then add all the engineers around you. How long until one of you is uploading compromised code?[5]



  1. Or checked it against a PGP key verified via web-of-trust, or a CA-certified X.509 cert. If you already do these, then you probably know everything I say in this post.

    Software being signed by the developer on their own machine is best. OSes with more sandboxing are better. But trusting the intertubes is a madness that I can fight by getting people to add a single letter 's' to their URLs.

  2. Unless you know how a client can reliably verify that it's connecting to the desired WPA2 AP and not a MITM device. If you know that verifying this is possible and how to do it, please inform me. (There is still the difficulty of convincing one's OS [and habits] not to silently try other APs — but at least that problem is in principle solvable client-side.)

  3. Why do I care? Why am I describing a way to do evil? Because the evil will happen sooner or later anyway, and describing it is the most effective way to convince optimistic people that there's a problem so we can prevent it altogether.

    I won't be the one doing the pwning because (A) I know Linux better than Windows currently, and (B) it's not very useful to go around pwning people, except for pentesting or making people's computers do things against their will.

    I believe in an ethics where one doesn't do things to people, including their computers, unless they consent (aside from specific circumstances like perhaps violent fights or medicine for unconscious people). One reason I believe in this is that I feel more comfortable when hanging out with others who also believe this.

    Besides, regular technical work pays well.

  4. If they are encrypted with a strong password, I'll just replace the ssh binary with one that records your password, and wait. Or `ptrace` ssh or change your PATH or such, depending on your OS, its security mechanisms, and whether I have root. If I don't have root/administrator access, I can still do almost anything I want because your stuff is mostly under your user; it's just easier for you to catch me if I don't have root. But I can get root by changing your PATH and waiting until you sudo... also local root vulnerabilities are common.

  5. Even as a security advocate, what's the chance that I'll be compromised at some point in my lifetime? Decades and decades? High.