Monday, March 17th, 2008
For those who have never read the classic “Reflections on Trusting Trust”, you can find it here. Reflections is a easy read on the perils of running un-trusted code on your machine. It’s a concept that’s foreign to many users as we typically run “un-trusted” HTML and clientside scripts from web sites thousands of times a day, praying that he browser sandbox and same origin policy saves us… I mean.. can you really trust the underlying content from this blog?
Of course, downloading and running code on you machine is EVEN MORE DANGEROUS. It doesn’t matter what kind of browser protections you have, once you execute code from an untrusted source, you’re at the mercy of that developer. Do you really trust the publishers of all those plugins and add-ons you are running? A perfect example of this… is G-Archiver. G-Archiver is a program that can be used to backup your Gmail messages to an offline source. Apparently, after some tinkering with DotNet Reflector (great tool btw), Dustin Brooks discovered a HARD CODED Gmail username and password in the source. Upon further investigation, Dustin realized that users of G-Archiver were silently getting their Gmail Creds posted to a Gmail account belonging to the creator of the G-Archive tool (John Terry). Here’s a screen shot of what Dustin saw:
Luckly, I’ve been conditioned (mostly by the pranksters at the Advanced Security Center in Houston) not to trust anything…