New ZeroConf Spec
Dan Kegel
dank at kegel.com
Mon Jul 17 00:15:46 BST 2006

On 7/16/06, Jerry Haltom <wasabi at larvalstage.net> wrote:
> Any result can sneak in. There is no security involved. Anybody on the
> local broadcast subnet can introduce fake or invalid results into
> *.local.
>
> The question is simply "is this a problem"?

I can think of a few scenarios where it might be.

If malware manages to invade a secretary's machine,
and advertise bogus services normally associated with developers' machines
(say, distcc), that could result in confidential source code being
exposed and/or malware being injected into the resulting .o files;
if the resulting executables are run on the developers' workstations,
the malware could subvert the developer's workstation.

Now, anyone who uses zeroconf to configure a distcc server network
is asking for it, security-wise. But I think that's how Apple ships Xcode.
Or am I mistaken somehow?

- Dan
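
The scenario in the message above, seen from the defending side, as an added example that is not part of the original post or of distcc: discovered distcc advertisements are treated as untrusted input and only entries matching an administrator-pinned address range and port are written into DISTCC_HOSTS. The build-farm range, the host names and the sample advertisements are constructed assumptions; 3632 is distccd's default port.

```python
import ipaddress

# Assumption: build servers sit in a dedicated, administrator-controlled range.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/28")]  # hypothetical build farm
TRUSTED_PORTS = {3632}                                 # distccd default port


def vet_advertisements(ads):
    """Split discovered (name, address, port) tuples into accepted and rejected.

    mDNS answers are unauthenticated, so the advertised instance name is never
    trusted; only the address and port the compiler would connect to are checked.
    """
    accepted, rejected = [], []
    for name, addr, port in ads:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rejected.append((name, addr, port, "unparseable address"))
            continue
        if not any(ip in net for net in TRUSTED_NETS):
            rejected.append((name, addr, port, "address outside build-farm range"))
        elif port not in TRUSTED_PORTS:
            rejected.append((name, addr, port, "unexpected port"))
        else:
            accepted.append((name, addr, port))
    return accepted, rejected


def distcc_hosts(accepted):
    """Render accepted entries as a DISTCC_HOSTS value, de-duplicated and sorted."""
    return " ".join(sorted({f"{addr}:{port}" for _, addr, port in accepted}))


# Constructed sample advertisements, as a discovery client might report them.
SAMPLE_ADS = [
    ("build01", "10.20.0.5", 3632),
    ("build02", "10.20.0.6", 3632),
    ("build01", "10.30.4.77", 3632),  # reuses a real server's name from a desk machine
    ("build03", "10.20.0.7", 4000),   # right range, wrong port
    ("build04", "not-an-ip", 3632),   # malformed record
]

if __name__ == "__main__":
    ok, bad = vet_advertisements(SAMPLE_ADS)
    print("DISTCC_HOSTS=" + distcc_hosts(ok))
    for name, addr, port, why in bad:
        print(f"rejected {name} {addr}:{port}: {why}")
```

The rejected list is worth logging, since an advertisement for a build service from outside the build-farm range is itself a signal of a misconfigured or compromised host. An address filter helps only when the build-farm range is not on the same broadcast segment as the desks; on a shared segment, a static DISTCC_HOSTS or distcc's SSH mode is the stronger control.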