New ZeroConf Spec

Dick Davies rasputnik at gmail.com
Mon Jul 17 08:24:52 BST 2006


On 17/07/06, Dan Kegel <dank at kegel.com> wrote:

> If malware manages to invade a secretary's machine,
> and advertise bogus services normally associated with developers' machines
> (say, distcc), that could result in confidential source code being
> exposed and/or malware being injected into the resulting .o files;
> if the resulting executables are run on the developers' workstations,
> the malware could subvert the developer's workstation.
>
> Now, anyone who uses zeroconf to configure a distcc server network
> is asking for it, security-wise.  But I think that's how Apple ships xcode.
>
> Or am I mistaken somehow?
> - Dan

Last time I looked, that's how they do it. And yes, it's broken.

But it's host-based authentication that's the risk here. All zeroconf has done
is simplify the step of finding all distcc services on the local subnet.


-- 
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
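To make the point of the reply above concrete: DNS-SD over mDNS carries no authentication, so any host on the subnet can answer a browse for `_distcc._tcp` (the service type distcc's own zeroconf support registers) and a client that trusts the answers will happily add it to its compile farm. The following is an added example, not code from the original thread or from distcc: a minimal, dependency-free DNS-SD encoder/decoder that builds the browse query a client sends, builds the unsolicited announcement a host (legitimate or not) sends back, and shows that the discovery step accepts both without distinguishing them. The instance names, hostnames and addresses are made up for the demonstration.

```python
import socket
import struct

MDNS_GROUP = ("224.0.0.251", 5353)     # where real mDNS traffic goes; unused offline
SERVICE = "_distcc._tcp.local"         # DNS-SD service type distcc advertises
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, off):
    """Decode a DNS name at `off`, following compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_ptr_query(service=SERVICE):
    """The browse query a distcc client multicasts: 'who offers _distcc._tcp?'"""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id, flags, QD=1
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def build_advertisement(instance, host, ip, port, ttl=120):
    """Unsolicited mDNS response announcing one distcc instance (PTR + SRV + A).
    Nothing in it proves who sent it: a compromised desktop can emit this just as
    well as a real build host."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)  # QR=1 AA=1, three answers
    svc_name = f"{instance}.{SERVICE}"
    ptr_rdata = encode_name(svc_name)
    ptr = encode_name(SERVICE) + struct.pack("!HHIH", TYPE_PTR, 1, ttl, len(ptr_rdata)) + ptr_rdata
    srv_rdata = struct.pack("!HHH", 0, 0, port) + encode_name(host)  # prio, weight, port, target
    srv = encode_name(svc_name) + struct.pack("!HHIH", TYPE_SRV, 0x8001, ttl, len(srv_rdata)) + srv_rdata
    a = encode_name(host) + struct.pack("!HHIH", TYPE_A, 0x8001, ttl, 4) + socket.inet_aton(ip)
    return header + ptr + srv + a


def parse_response(data):
    """Yield (name, type, class, ttl, rdata_offset, rdata) for every record in a packet."""
    qd, an, ns, ar = struct.unpack("!HHHH", data[4:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(data, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        records.append((name, rtype, rclass & 0x7FFF, ttl, off, data[off:off + rdlen]))
        off += rdlen
    return records


def discover(responses, service=SERVICE):
    """What a zeroconf-driven client ends up with: instance -> (host, ip, port).
    Every answering host is taken at its word; there is no step that could reject
    the rogue announcement, which is exactly the problem discussed above."""
    found = {}
    for pkt in responses:
        instances, srv, addrs = [], {}, {}
        for name, rtype, _cls, _ttl, rd_off, rdata in parse_response(pkt):
            if rtype == TYPE_PTR and name == service:
                instances.append(decode_name(pkt, rd_off)[0])
            elif rtype == TYPE_SRV:
                _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
                target, _ = decode_name(pkt, rd_off + 6)
                srv[name] = (target, port)
            elif rtype == TYPE_A:
                addrs[name] = socket.inet_ntoa(rdata)
        for inst in instances:
            target, port = srv.get(inst, (None, None))
            found[inst] = (target, addrs.get(target), port)
    return found


if __name__ == "__main__":
    # Constructed sample: one real build host and one compromised desktop, both
    # answering the same browse query. The client cannot tell them apart.
    legit = build_advertisement("devbox", "devbox.local", "192.168.1.20", 3632)
    rogue = build_advertisement("secretary-pc", "secretary-pc.local", "192.168.1.77", 3632)
    for inst, where in discover([legit, rogue]).items():
        print(inst, "->", where)
```

The fix is not in the discovery layer; it is to stop letting "is on my subnet and answered the query" stand in for authorization: pin a static host list, or restrict `distccd` with its `--allow` option to the addresses that are actually meant to serve builds, and treat anything discovered only via mDNS as untrusted.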



More information about the ubuntu-devel mailing list