undefined | Better HN

0 pointslabster9y ago0 comments

Why not this?

    curl https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/ | bash

0 comments

8 comments · 4 top-level

okket9y ago· 2 in thread

Your line downloads and executes the latest version of the gist, it could have changed from a file check to a virus installer by the author (unlikely, but I have to point it out). To be a bit more safe (while trusting that GitHub is not compromised) pin a known, verified version:

  curl https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/a26e5a025ea21d3a0af536eeca49619272d0068f/quick-osx-keydnap-check | bash

(sorry for the overlong line)

heeen29y ago

this pattern is just as dangerous (maybe less for github if you trust them) because you can detect curl and deliver malicious code: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...

okket9y ago

> this pattern is just as dangerous

As a general pattern, please do not do this. In this specific case I think most people trust the service (GitHub) and their DNS recursor + SSL library. Attacking these is not on the level of "random drive-by phishing", more like "targeted high value state sponsored".

To avoid this discussion I did not include the curl version in my original posting.

theandrewbailey9y ago· 2 in thread

Yeah, let's download and blindly run stuff directly from the internet (that may have changed since we last saw it) without saving and trying to read what it does first.

If you can copy/paste the curl | bash, is it really more difficult to copy/paste the original snippet into a text editor[0], and from there, into bash?

[0] https://thejh.net/misc/website-terminal-copy-paste

andrepd9y ago

So you would run code by pasting it from the internet just fine, but doing so via a pastebin is a security risk?

JadeNB9y ago

If you C&P it, at least you see what's being C&P'd (although it's up to you to take the trouble to understand it). `| bash`ing it runs it automatically, without even giving you a chance to see it.

EDIT: This comment was based on the assumption that my parent hadn't read carefully. My facile point ignores both the specific vulnerability pointed out by [czinck](https://news.ycombinator.com/item?id=12406080) below, and the general vulnerability that you just can't trust anything pulled in from an external source. I think that re-directing to a file, and viewing the file with something like `:set list` set in `vim`, will work, at least in the sense of showing you the code that will actually be executed (although nothing can save you from not understanding the code), as long as you can trust your own stack. However, it is a near-certainty that this edit will prompt someone to explain how to exploit that. (That may sound like whingeing, but it's just a (happy) acknowledgement of the hacker mentality; unexpected exploitations, as PsoC rather than attacks, are pretty neat, too!)

1 more reply

ahoka9y ago

It would be kind of ironic to do this.

varcharlie9y ago

Let us execute random things from the internet directly on our machines without first checking their sanity.

j / k navigate · click thread line to collapse