
Proliferation of Poorly-Configured Linux Boxes

Someone in ;login: magazine a few issues back talked about the proliferation of poorly-configured Linux boxes, and how the volume of these will eventually outstrip the quantity of poorly-configured Windows boxes as Linux increases in popularity. The notion that Linux is more secure than Windows falls apart when you have clueless users who willfully follow directions like those listed on Ximian's website to install Ximian Desktop 2.0:

There is nothing to download first, just follow the instructions below.

<snip>

  1. Open a terminal window.
  2. Using the su command, become superuser (root).
  3. Type the following command or cut and paste it into your terminal: wget -q -O - http://go.ximian.com |sh

Great job, Ximian. Encourage people to download a shell script, as root, and blindly execute it — no MD5 sanity check, nothing. I mean, it makes me want to compromise go.ximian.com and replace the index page with a text file containing “rm -rf /”. It’s also fabulous that they advocate using the -q (quiet) switch with wget, so that I could now hack the httpd.conf to send a redirect to my own website, which could provide a text file containing “rm -rf /” — and the 302 Temporarily Moved code would NEVER be seen by the user.

What is wrong with these people? Isn’t it blazingly obvious that this is a stupid thing to do?
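For contrast, here is the pattern the post is asking for, as an added example of my own (it is not Ximian's installer and not code from the original post): download to a file, verify a checksum that was obtained somewhere other than the download itself, and only then execute. It uses SHA-256 rather than the MD5 check mentioned above, runs wget without -q so failures are visible, and disables redirect following so a 302 to someone else's host is refused instead of silently followed. The URL, expected hash and installer file name are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not Ximian's installer or the original post's code.
# Pattern: download to a file, verify a checksum obtained out of band,
# and only then execute. Nothing is piped from the network into sh.
set -eu

# Print the SHA-256 of a file (coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# download_installer URL DEST
# --max-redirect=0 makes wget fail on a 302 instead of following it to
# wherever a tampered httpd.conf points; no -q, so any failure is visible.
download_installer() {
    wget --max-redirect=0 -O "$2" "$1"
}

# verify_and_run FILE EXPECTED_SHA256
# Returns 0 after running the script, or 2 (without running it) on mismatch.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != expected $expected" >&2
        return 2
    fi
    sh "$file"
}

# Usage: sh fetch-verified.sh URL EXPECTED_SHA256
# URL and hash are placeholders supplied by the caller; the expected hash
# must come from a channel other than the download itself (a release note,
# a signed announcement), or it tells you nothing.
if [ "$#" -eq 2 ]; then
    dest=$(mktemp)
    download_installer "$1" "$dest"
    verify_and_run "$dest" "$2"
    rm -f "$dest"
fi
```

A hash published on the same host as the script is compromised together with the script, so a detached signature checked against a key obtained separately (gpg --verify) is the stronger form of the same idea; the structure above stays the same, only the verification step changes.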