apt-fast upgrade
This topic has 4 replies, 2 voices, and was last updated February 21, 2018 at 1:02 pm by Anonymous.
February 21, 2018 at 11:05 am #6798 Member
koolstofje
Someone confesses with apt-fast upgrade?
Downloading packages is much faster here:

sudo apt-get install curl git
sudo apt-get install aria2
sudo /bin/bash -c "$(curl -sL https://git.io/vokNn)"
February 21, 2018 at 11:24 am #6799 Anonymous
No!
THAT IS A TERRIBLE "TIP"

DOWNLOADING (OR CURL OR WGET) A SCRIPT FROM THE INTERNET
(OR A PACKAGE NOT KNOWN TO WORK WITH THE LINUX DISTRIBUTION INSTALLED ON YOUR SYSTEM)
AND BLINDLY EXECUTING IT, WITH ROOT PERMISSION,
IS A BAD (FOOLISH) PRACTICE !

What are the security measures to protect a Linux machine from Ransomware?
"hardening" is only half a solution.
Here are a few "common sense" Best Practices:

Be mindful when running 'code found online'
and
Never copy/paste web-snipped code directly into the terminal !
ref: https://nakedsecurity.sophos.com/2016/05/26/why-you-cant-trust-things-you-cut-and-paste-from-web-pages/
ref: http://thejh.net/misc/website-terminal-copy-paste
ref: https://news.ycombinator.com/item?id=5508225
ref: https://www.reddit.com/r/netsec/comments/1bv359/dont_copypaste_from_website_to_terminal_demo/

Similarly, I would never paste a found-on-the-web commandline involving curl (or wget) ...and sudo (and/or sh or bash or another shell)
No! curl http:/gitmeuptodate/iwantapony ………. | sudo -h somescript.sh
No! sudo /bin/bash -c "$(curl -sL https://happysite.com/bestest_evah_fix0r_freestuff)"

After downloading "codez" or "scripts" and before executing, inspect the content of the code to ensure it is safe.
If you can't understand the program's code, instead of blindly executing it, ask a trusted friend to inspect its content !

February 21, 2018 at 11:51 am #6800 Anonymous
Some folks will disagree with the cautionary tone expressed in my post, above.
Some folks, for the sake of "convenience" (instant gratification), will ignore the cautionary tone expressed in my post, above.

Some "official" project sites and/or github repos
(operated by hipsters, targeting users seeking instant gratification)
will explicitly instruct "easy! To install, just paste this handy curl sudo bash and voilà..."

NONETHELESS, DOING SO IS A BAD (FOOLISH) PRACTICE !
Sigh.
Those who didn't learn from (too young to remember?) the decades-long plague of windoze malware
are destined to repeat it.

February 21, 2018 at 12:14 pm #6802 Member
koolstofje
February 21, 2018 at 1:02 pm #6804 Anonymous
Well, thanks for providing the opportunity for me to post here that cautionary "Public Service Announcement" (already posted to the MX forum).
I've tried to present "both sides"; the practice of trading security for convenience is arguably not an issue of right vs wrong.

Use of (installation of software from) PPAs merits the same caution
(accountability ~~ can you even determine the given name of the person(s) uploading to a PPA repository?)
(trustworthiness ~~ is a given PPA hosted on secure infrastructure or, eeeeek!, a vulnerable shared-hosting webserver?)
yet across the linux ecosystem we can notice growing acceptance of their use.

Sadly, across distros, this naïveté is often at play behind-the-scenes as well.
A "package maintainer" (or user of a distro employing source-based pkg management) conveniently clicks/runs a pkgbuild script
which oh-so-conveniently downloads from github|ppa|wherever and compiles and installs, or crams it into an installable package.
Even if downloaded "via https, from a trusted source", doesn't each package maintainer take pride in fulfilling the role entrusted to them
by AT LEAST inspecting the configurable default preferences within the downloaded source package?
No, too often they do not; they engage in "trading security for convenience" due to time constraints — much work, and too few (volunteer) packagers.
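The "download it, check it, read it, then run it" alternative to `sudo /bin/bash -c "$(curl -sL ...)"` that the replies above argue for, written out as a small POSIX shell script. This is an added example; it is not code from this thread and not the apt-fast project's installer. It assumes curl and sha256sum (or shasum) are installed. The URL and the pinned SHA-256 are placeholders: the hash has to come from somewhere other than the page that serves the script (release notes, a signed checksum file), or it proves nothing. The red-flag patterns in review_installer are my own heuristic for a first pass and are not exhaustive; the point of saving the file is that you then read it.

```shell
#!/bin/sh
# Added example (not from the thread or from apt-fast): fetch to a file, pin a
# hash, scan for red flags, and only then run. Assumes POSIX sh, curl and
# sha256sum or shasum. URL and hash below are placeholders supplied out-of-band.

# SHA-256 of a file, whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# fetch_installer URL DEST: save the script instead of piping it into a shell.
# -f makes an HTTP error a failure (so an error page is never "run"), -L follows
# redirects (shorteners such as git.io redirect, which also hides the real host),
# --proto '=https' refuses a redirect down to plain http.
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# verify_installer FILE EXPECTED_SHA256: exit 0 only if the file matches the
# hash pinned in advance.
verify_installer() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# review_installer FILE: first pass before reading the script by hand. Prints
# the offending lines and returns 1 if the script fetches and executes more
# code, builds code at run time, or contains bytes a web page can hide.
# Heuristic (assumption of this example), not a substitute for reading it.
review_installer() {
    flagged=0
    # nested fetch-and-execute: curl/wget piped into (sudo) sh/bash/zsh/dash
    if grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' "$1"; then
        flagged=1
    fi
    # code assembled at run time: eval, or a base64 blob decoded for a shell
    if grep -nE '(^|[[:space:]])eval[[:space:]]|base64[[:space:]]+(-d|--decode)' "$1"; then
        flagged=1
    fi
    # anything outside printable ASCII plus whitespace (hidden chars, CR, binary)
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"; then
        echo "$1: contains non-printable or non-ASCII bytes"
        flagged=1
    fi
    [ "$flagged" -eq 0 ]
}

# run_installer FILE: reached only after verify_installer and review_installer
# passed AND you have read the file. Runs as the current user; prepend sudo
# yourself, deliberately, only if the script genuinely needs root.
run_installer() {
    sh "$1"
}

# Offline demo on a constructed file: nothing is downloaded or executed.
demo() {
    f=$(mktemp) || return 1
    printf '#!/bin/sh\necho "pretend installer"\n' > "$f"
    # Real use: the pinned hash is NOT computed from the download itself.
    pinned=$(sha256_of "$f")
    if verify_installer "$f" "$pinned" && review_installer "$f"; then
        echo "hash ok, no red flags: now read $f before running it"
    fi
    # Simulate the file changing after the hash was pinned, and growing a
    # nested curl | sudo bash.
    printf 'curl -sL https://example.invalid/more.sh | sudo bash\n' >> "$f"
    verify_installer "$f" "$pinned" || echo "hash mismatch: refuse to run"
    review_installer "$f" >/dev/null || echo "review flagged the file: refuse to run"
    rm -f "$f"
}

demo
```

Usage in practice: `fetch_installer "$URL" ./install.sh`, then `verify_installer ./install.sh "$PINNED"`, then `review_installer ./install.sh`, then open the file in a pager, and only after that `run_installer ./install.sh`. The hash check defends against the file changing between the time someone you trust looked at it and the time you run it; the review and the reading are what defend against the file being bad in the first place, which is the thread's actual point.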