Re: Phix Linux 64 downloads

monsieurb said...

If I manually copy the commands and run them, I'm still trusting the payload is safe and that nothing malicious lurks in the executables. Also, when I see a tool that recommends installing the latest and greatest via a curl -sSL http://some.resource | bash type of approach, I remain fully at liberty to inspect that script first of all.

Fun fact: I can feed you a different file from my web server based on the "User Agent" string coming in on the request. So if you're using a desktop browser I'll send you the "clean" script, but if you're using cURL I'll send you the "dirty" script, and you might not ever be suspicious because you "checked" the script in the browser first. Read through some of those articles I posted to see the various tricks attackers can use to trick you into using a seemingly-legitimate script.

monsieurb said...

With all this said, if there are grave concerns and I'm anyway the only one so far seeking this, I don't mind sticking to the existing approach one bit :)

What I'm offering is generic advice: if you want or need to use an install script, download it first and inspect it, then run it manually with bash.

-Greg
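
The download, inspect, then run advice above, as an added shell example that is not part of the original post. The function names and the browser User-Agent string are constructed here; `fetch_both` also checks whether the server answers curl and a browser-like User-Agent with the same bytes, and `run_reviewed` runs only the file that was reviewed.

```shell
#!/usr/bin/env bash
# Added example: save an install script to disk, review it, then run the
# reviewed bytes. Names and the User-Agent string below are constructed.

BROWSER_UA='Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0'

# Print the SHA-256 hex digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Download URL twice: once with curl's default User-Agent into DEST and once
# with a browser-like one into DEST.browser.
# Returns 1 if the two bodies differ, 2 if a download fails.
fetch_both() {
    local url=$1 dest=$2
    curl -fsSL -o "$dest" "$url" || return 2
    curl -fsSL -A "$BROWSER_UA" -o "$dest.browser" "$url" || return 2
    if [ "$(sha256_of "$dest")" != "$(sha256_of "$dest.browser")" ]; then
        echo "WARNING: server sent different content to curl and to a browser UA" >&2
        return 1
    fi
}

# Run FILE with bash only if it still hashes to the digest recorded at review.
run_reviewed() {
    local file=$1 reviewed_hash=$2
    if [ "$(sha256_of "$file")" != "$reviewed_hash" ]; then
        echo "refusing to run: $file changed since review" >&2
        return 1
    fi
    bash "$file"
}

# Typical session (the URL is a placeholder):
#   fetch_both https://example.invalid/install.sh install.sh
#   less install.sh                  # read the copy curl saved, not a browser tab
#   h=$(sha256_of install.sh)
#   run_reviewed install.sh "$h"
```

Matching hashes only show that this one header did not change the response; the file curl saved to disk is the one to read, and the one to run.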
