Beware the Rise of the Appliances!

To test out different wikis, I got the obvious idea of downloading VMware appliances preinstalled with one or the other of those wiki systems. Very easy to get running and easy to test. Once you have them, that is, since most of them are distributed using BitTorrent and many have few, if any, seeds. But then it struck me…

Say there’s malware in any of those appliances? I mean, you’re downloading not only an app or a few apps, you’re downloading an entire operating system, which you then proceed to run in a VM on one of your desktops. Probably inside your private or corporate network. Now, how smart is that?

Assume you try to protect yourself by not allowing the appliance access to your internal net, but give it its own NIC which hooks up to your DMZ segment. Even then, that appliance may run an exploit that can burrow itself into your host OS, and there’s no way you can detect that. Until it’s too late.

So, what is to be done? Use only a machine that’s not used for anything else? What’s the point of virtualization, then? Or not download any VM appliances at all? That’s tough. Or only download appliances from people you trust? I don’t know anyone that produces appliances like that, yet, so who would that be?

