by benttoothpaste 1637 days ago
I used to work for a financial company that used such extensive blocking. One day I had to download a particular version of the boost libraries (the C++ ones). Of course all official sites to download from were blocked. So I searched for the specific file name (a tar.gz archive). And eventually I found something that was not blocked: a misconfigured server somewhere in Russia. Misconfigured because it served the entire contents of its hard disk - and Google indexed it all. And there it was - my coveted boost archive, which I promptly downloaded.

That seems super risky. How did you know the file was authentic? What if the archive contains backdoored code?
Yeah it was risky. It is quite common for excessive security practices to actually decrease security and that particular example was not nearly the most egregious one in that company.
I don't really get why you did it though. You risked your job, and potentially regulatory issues for the company just to get a build done? I'd have just submitted a request to unblock the official download site. Then it's security's problem.
I've also come across this at a major international company. Came there to install an update. Too big to email so I had a clean USB stick. No way to use it in their workstations though, so the IT guy offered to just walk to the DC and plug it directly into the server.

Pretty sure that was not the intention of that policy. The problem is that they didn't seem to have considered this use case at all. More security theater than anything.

Seems like an odd proposition for an attack vector. Maybe, just maybe if I make this look like a misconfigured server, maybe, just maybe, someone will grab the boost files from the server and compile them? I can’t imagine.
The open server does not have to be a deliberate attack setup. It could be compromised itself, or someone could have downloaded a bad artifact to it unknowingly. It could be someone's malware research storage (admittedly this is pretty unlikely). It's the simple fact that the provenance is unknown.
I've heard of people doing similar things before. Maybe people working in high security environments downloading libraries from random websites is common enough that some attackers are actually targeting those people by backdooring common Python packages, C++ libraries, etc. and trying to get their server to bypass enterprise blocking somehow.
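The authenticity question raised in this thread, as an added example that is not part of any comment: before trusting an archive pulled from an unknown mirror, compare its SHA-256 against the digest the project publishes on its official site (assumed here to be obtained out of band, never from the mirror itself), and inspect the tarball for members that would escape the extraction directory. The sample archive and digest are constructed inline.

```python
import hashlib
import hmac
import io
import tarfile


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the downloaded artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the publisher's digest.
    expected_hex must come from a trusted channel (official site,
    signed release notes), not from the server that served the file."""
    return hmac.compare_digest(sha256_of(data), expected_hex.lower())


def unsafe_members(data: bytes) -> list[str]:
    """Names of tar members that would write outside the target dir:
    absolute paths, '..' components, or links pointing outside."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts:
                bad.append(m.name)
            elif (m.issym() or m.islnk()) and (
                m.linkname.startswith("/") or ".." in m.linkname.split("/")
            ):
                bad.append(m.name)
    return bad


def check_artifact(data: bytes, expected_hex: str) -> tuple[bool, str]:
    """Accept only an archive whose digest matches and whose members are safe."""
    if not verify_digest(data, expected_hex):
        return False, "digest mismatch: file is not the published release"
    bad = unsafe_members(data)
    if bad:
        return False, "unsafe member paths: " + ", ".join(bad)
    return True, "ok"


def build_sample_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed tar.gz for demonstration (stands in for a download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```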