silly sad ironic


  • This topic has 8 replies, 6 voices, and was last updated Apr 15-3:38 pm by PPC.
  • #57584
    Anonymous

      silly sad ironic:
      engaging in copy-pasting, into a terminal, various maybe-helpful commands “found on the web”
      while fussing about “making linux more secure”

      Never copy/paste web-snipped code directly into a terminal!

      http://nakedsecurity.sophos.com/2016/05/26/why-you-cant-trust-things-you-cut-and-paste-from-web-pages/
      http://thejh.net/misc/website-terminal-copy-paste
      http://news.ycombinator.com/item?id=5508225
      http://www.reddit.com/r/netsec/comments/1bv359/dont_copypaste_from_website_to_terminal_demo/

      The same warning applies when feeding a command string into a GUI “runbox” (aka runner)…

      #57586
      Member
      oops

        Never copy/paste web-snipped code directly into terminal !

        You are right, it can be very dangerous to do that..

        #57589
        Member
        Robin

          You could boil it down to what oops has posted above:

          Never copy/paste web-snipped code directly into terminal !

          You are right, it can be very dangerous to do that..

          The first time I learned about this danger from reading was (if I’m not mistaken) during the second half of the 90s of last century. So this is not a recently formed curse.

          People need to understand WHAT the danger is. Even though it seems obvious that any code is copied exactly as you see it on a webpage, and exactly as you see it after pasting into your command-line window, this presumption is wrong.

          Strings can be executed immediately on pasting them, rather than waiting for you to press the Enter key. And what you see is not always what you get (even in times of WYSIWYG). The strings can contain code to make their true content invisible immediately on execution, letting you see just the harmless line you saw on the webpage. So the user might have the impression everything has worked as expected, whereas something else has actually happened.

          Webpages can hide the text string which is actually copied when marking and copying a presented code string.
          (This was at least true back then; I’m not sure whether browsers meanwhile protect people reliably better from this kind of fraud.)

          I remember having seen a funny demonstration sample from the CCC in those days, pretending to only echo some text string in the terminal, but when pasted directly from the webpage into the terminal window it indeed opened the calculator program instead. This could have been any malicious command instead of the harmless calculator, damaging your system or stealing/hijacking your data. I can’t find this catchy example again, but the golden rule derived from it is simply what you can read in oops’ posting above, with stress on “DIRECTLY”. People might ask, “What else should I do when I need this command?” The answer is simple:

          Firstly: Copy & paste everything you want to use in the command line or runbox into a GUI text editor (like geany or leafpad) instead.
          Look carefully at whether the outcome is actually what you are expecting.

          Secondly: Understand what the code now in your text editor window is actually doing when executed, by reading it carefully. If you can’t understand it, even with the aid of consulting the internet (manpages or forums), you should abstain from pasting it on to your command line by all means.

          Another workaround may be to transfer the string manually by typing it character by character, given that you understand its meaning.

          Especially when you see one of the words “sudo” or “su” within the string you should be alarmed, at least when you wouldn’t expect them. If you fail to observe the precaution of not working in a root terminal by default, you are beyond help anyway.
          Be aware that it is not always necessary to (re-)enter your sudo password; for a defined period of time, bash sudo will not bother you again after you have entered it once. During this period any sudo commands will be executed without protection, in the runbox as well as from the command line in a terminal window, which is exceptionally dangerous when you think of pasting something therein that does not wait for you to press the Enter key.

          As you can learn from the links in skidoo’s original posting, all this is not a joke (as it may appear to be when looking at oops’ lines) but a real threat, not only on Windows-based computers (as many people tend to believe); Linux is affected also.

          Thanks, skidoo, for making newcomers aware of this serious threat again!

          Robin


          Windows is like a submarine. Open a window and serious problems will start.
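An added example, not part of Robin's post: the “paste it into a text editor first” step, turned into a script you can run on a file before anything reaches a shell prompt. It dumps every byte so the terminal cannot interpret it, then flags the tricks discussed above (embedded newlines that act as Enter, carriage returns and ESC sequences that hide text, sudo/su, downloads piped straight into a shell). The payload builder at the bottom is a constructed demo of the clipboard trick, not a real page's code.

```bash
#!/usr/bin/env bash
# Added example: inspect a web-snipped command *before* pasting it anywhere.
# Save the snippet to a file (or pipe the clipboard into one, e.g.
# `xclip -o > snip.txt` on X11, `wl-paste > snip.txt` on Wayland) and run:
#     inspect_snippet snip.txt
set -u

# Dump every byte as an escape/octal code so the terminal interprets nothing:
# control characters appear as \n, \r, 033 (ESC) instead of acting.
reveal_snippet() {
    od -An -c "$1"
}

# Count bytes belonging to SET (tr syntax) in FILE.
count_bytes() {
    tr -cd "$2" < "$1" | wc -c | tr -d ' '
}

# Return 0 if nothing suspicious was found, 1 otherwise; findings on stdout.
inspect_snippet() {
    local file=$1 rc=0
    # A newline in pasted text is an Enter keypress: the shell runs the
    # preceding command before you can read it.
    if [ "$(count_bytes "$file" '\n')" -gt 0 ]; then
        echo "FINDING: embedded newline(s) - paste would execute immediately"; rc=1
    fi
    # CR and ESC sequences let visible text overwrite or recolour what was typed.
    if [ "$(count_bytes "$file" '\r\033')" -gt 0 ]; then
        echo "FINDING: carriage return or ESC sequence present"; rc=1
    fi
    # Anything outside tab/newline/CR/ESC/printable ASCII: zero-width spaces,
    # homoglyphs and similar invisible or look-alike characters.
    if [ "$(LC_ALL=C tr -d '\011\012\015\033\040-\176' < "$file" | wc -c | tr -d ' ')" -gt 0 ]; then
        echo "FINDING: non-ASCII bytes present (hidden or look-alike characters)"; rc=1
    fi
    # Privilege escalation, matched as whole words so "sudoers" does not trip it.
    if grep -aEq '(^|[^[:alnum:]_])(sudo|doas|su)([^[:alnum:]_]|$)' "$file"; then
        echo "FINDING: privilege escalation (sudo/su/doas)"; rc=1
    fi
    # Remote content piped straight into an interpreter: nothing to inspect at all.
    if grep -aEq '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|da|z|k)?sh([[:space:]]|$)' "$file"; then
        echo "FINDING: download piped directly into a shell"; rc=1
    fi
    # Obfuscation: the real command only appears after a decode or eval step.
    if grep -aEq 'base64[[:space:]]+(-d|--decode)|(^|[[:space:];|&])eval[[:space:]]' "$file"; then
        echo "FINDING: decode/eval step hides the real command"; rc=1
    fi
    return "$rc"
}

# Constructed demo of the hijack: the page *displays* only `echo "hello"`, but
# its copy handler puts this on the clipboard. The hidden command runs on the
# first newline, `clear` wipes the evidence, and the visible command is left
# without a trailing newline so the victim still "presses Enter" as expected.
build_hijacked_payload() {
    printf '%s\nclear\necho "hello"' "$1"
}

if [ $# -gt 0 ]; then
    reveal_snippet "$1"
    inspect_snippet "$1" && echo "no findings (still read it before running)"
fi
```

The checks are heuristics: a clean result means the snippet is at least what it appears to be, not that the command is safe; that part is still the reading Robin describes.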

          #57598
          Anonymous

            >>> for a defined period of time bash will not bother you again
            This detail is governed by sudoers policy, not by bash.

            an excerpt from my 13 April 2021 post:

            https://www.antixforum.com/forums/topic/some-apps-dont-launch-from-antix-cc-gui/#post-57480

            man sudoers
            while viewing the manpage, press / (forward slash) to initiate a search
            search for: timeout
            and read to understand that “succeeded today because” is likely due to a timeout grace period initiated by having already used sudo for some other command within the past 15 minutes.

            at the commandline, type:
            sudo visudo
            and skim-read the contents of the sudo policy file. Refer to the manpage (man sudo) to learn about unfamiliar items. In case you don’t catch this detail, I’ll mention that sudo consults /etc/sudoers.d/* and loads rules found in any files placed therein… and, on antiX, a rules file (/etc/sudoers.d/antixers) is pre-installed. Skim-reading the antixers file will give a fuller picture of the rules that are in play.
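An added example, not part of skidoo's post: a few shell functions that make the sudoers timeout visible and controllable. `sudo -n` tells you whether a cached ticket is live right now, `sudo -k` discards it, and the drop-in sets `timestamp_timeout` (0 means every sudo asks) plus `timestamp_type=tty` so a ticket earned in one terminal cannot be reused from a GUI runner. Assumes a sudo release that knows both Defaults (1.8.21 or newer); the drop-in file name is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: checking and tightening the sudo credential cache.
set -u

# Is a cached credential live right now? `sudo -n` refuses to prompt, so it
# succeeds only when sudo would run the command without asking (a live ticket,
# or a NOPASSWD rule; `sudo -l` shows which).
sudo_ticket_live() {
    sudo -n true 2>/dev/null
}

# Throw the cached ticket away, as if the timeout had already expired.
drop_sudo_ticket() {
    sudo -k
}

# Which rules files will sudo consult? /etc/sudoers plus every drop-in.
list_sudoers_files() {
    ls -l /etc/sudoers /etc/sudoers.d/ 2>/dev/null
}

# Render a drop-in: TIMEOUT minutes of grace (default 0 = ask every time) and
# a per-tty ticket, so a paste into a runbox cannot ride on a terminal's ticket.
render_timeout_dropin() {
    local timeout=${1:-0}
    printf 'Defaults timestamp_timeout=%s\nDefaults timestamp_type=tty\n' "$timeout"
}

# Never write into /etc/sudoers.d unchecked: a syntax error locks you out of
# sudo. visudo -c validates a candidate file without installing it.
check_dropin() {
    visudo -c -q -f "$1"
}

# Validate, then install with the mode sudo insists on (0440, root-owned).
# Drop-in names must not contain '.' or '~' or sudo silently ignores them.
install_dropin() {
    local tmp name=${2:-99-paste-hardening}
    tmp=$(mktemp) || return 1
    render_timeout_dropin "${1:-0}" > "$tmp"
    if check_dropin "$tmp"; then
        sudo install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"
    else
        echo "refusing to install: visudo rejected $tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

if [ "${1-}" = "status" ]; then
    if sudo_ticket_live; then
        echo "sudo ticket is LIVE: a pasted 'sudo ...' would run without a password"
    else
        echo "no live sudo ticket"
    fi
    list_sudoers_files
fi
```

Run it with `status` before pasting anything; if the ticket is live, `drop_sudo_ticket` first, or install the drop-in and stop relying on memory of when you last typed the password.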

            #57600
            Anonymous

              >>> Webpages can hide the

              Further sneakiness:
              Do you remember the brouhaha related to “landing pages” and “SEO gaming (tricking) the search engine indexers”?
              If not, maybe through the years you’ve encountered “hotlinking is not allowed!” when attempting to embed the URL of a web-hosted image.
              -=-
              Each web request (for a “page”, or an image file, or favicon, or stylesheet, or .js script file or…) contains HTTP headers bearing metadata about the requester, and the webserver often responds conditionally.

              Even if a seeker attempts to check “what is this thing” s/he is about to “curl” or “wget”
              by entering the URL into the browser address bar…

              …when that same webserver receives, via wget, the seeker’s request for the identical URL
              it can (unless the seeker is “slick” and spoofs the user-agent and other expected HTTP header content)
              recognize the non-browser requester context, and send a different (perhaps malicious) “thing” instead.

              So, the sensible approach is to inspect/audit any downloaded “thing” before “running” it.

              >>> webserver often responds conditionally

              To be clear, this is an all-day-every-moment-of-the-day aspect of webserver behavior.
              Advertisers who are paying per impression demand accounting/proof that they are not being billed for pages sent in response to bot (or RSS feed, or indexing spider, or …) requests, and they contract with auditing/monitoring services who routinely test, test, and retest to assure that their clients’ embedded advertising assets are indeed only being served conditionally.

              #57611
              Member
              ModdIt

                Thanks to previous posters. Even many experienced users get caught by scammers
                at times.

                On sneakiness: watch conky, listen to fans; if they start to run loud and
                you are not working the CPU or GPU hard, look for a reason.
                As delivered, most browsers will run headless, often very busy doing something
                a website has asked/commanded them to do. This also happens to Tor Browser.

                Firefox has tools for (remote) screenshots, remote setting changes and form fill,
                hidden in the browser/features folder.

                If you are very trusting you can leave those as is, save passwords in the browser,
                and synchronise data across devices with corporate offerings too. Bookmarks, passwords,
                login data. Store your important files for free in a cloud which can turn to bitter
                cold hailstones tomorrow. Your data on offer in the darknet, or just gone because the server
                without warning.

                Advice there: read the privacy notice; for Firefox reserve a day or so, Pale Moon’s is clear
                and concise. Be unpredictable, use different browsers at whim, and do not save passwords in
                the browser; at least until recently Firefox saved and showed them in plaintext.
                I do like and use LibreWolf and ungoogled-chromium, and have learned a lot from the way
                LibreWolf uses policies to control compiled-in features.
                Please be aware: many policy settings only work correctly with the FF LTS release!

                Use JS only if you have to; NoScript is pretty good for control but you need to learn
                how.

                Know how to use top and kill;
                if your browser is running headless after some page visit you will need them.
                A few days ago that happened repeatedly on Zeit.de, which is very reputable.

                Do not just shut down; I have seen a browser restart headless after a shutdown and reboot, with
                high CPU, network and disk activity. I wrote that stick full using dd, then reinstalled.

                GHacks is one of my go-to places for learning; I go way beyond the standard user.js offering,
                and also add a policy file to lock some sensitive settings.

                NEVER refresh Firefox when the nagging popup shows; that resets everything to as delivered.
                You must remove hidden extensions after every update, and delete the crash reporter and updater ping server too.
                The crash reporter can reportedly capture and send a memory dump; trust in that where a settings server
                is active: null.

                Long post but big subject.

                #57620
                Member
                oops

                  >>> … The first time I learned about this danger from reading was (if I’m not mistaken) during the second half of the 90s of last century.

                  … So last millennium 😉

                  #57621
                  Member
                  marcelocripe

                    I thank everyone for sharing this very important information about care and safety.

                    I thank everyone for sharing this extremely important information about care and safety.

                    marcelocripe

                    #57630
                    Member
                    PPC

                      I usually warn, when posting tips here in the forum, that users should check the code before entering it in the terminal… I never thought that “tips” found online could also carry the increased risk of having “extra” text sent to the clipboard, other than what’s visible…
                      Anyway, when I search for how to do stuff online, I (almost) always copy and paste the commands to a text file before pasting them to the CLI… Now I’ll really always do that!

                      P.
