zlacker

8 comments
1. Waterl+(OP) 2023-09-26 23:51:18
Surely these are the same kinds of people who will carefully review all scripts before running them, right?
replies(4): >>serf+84 >>pornel+w5 >>tzs+u6 >>ddtayl+o9
2. serf+84 2023-09-27 00:13:17
>>Waterl+(OP)
People act weird around any kind of script, more so than executables; I've never really understood it.

I periodically get told that a published browser userscript of mine is malicious or suspicious in emails simply because of the cautions and wording around the userscript installers themselves (it's just a CSS tweak, a theme); meanwhile the executables I have in the wild have generated zero similar feedback.

My theory is that since the script is more easily read, it attracts people to read it without any theory or knowledge of what they're even looking at.

replies(1): >>Waterl+S8
3. pornel+w5 2023-09-27 00:21:07
>>Waterl+(OP)
Absolutely. And just to be sure, I also check file checksums, which I've downloaded from same server over the same connection.
4. tzs+u6 2023-09-27 00:26:30
>>Waterl+(OP)
Even if you don't review it before running it, after

  $ curl https://whatever/foo.sh > foo.sh
  $ sh foo.sh
if something goes terribly wrong you can examine foo.sh to try to figure out what happened and how to fix it. Even if foo.sh managed to delete itself you can just grab it again.

After

  $ curl https://whatever/foo.sh | sh
if something goes wrong and you then try

  $ curl https://whatever/foo.sh > foo.sh
to get a copy of the script to examine a malicious server can tell that you aren't piping to a shell [1] and give a non-malicious script.

Since it takes an insignificant amount of effort to defend against this why not get in the habit of doing it?

[1] >>17636032

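The server-side check that tzs's footnote points to, as an added example that is not part of the thread: a shell executes the stream as it arrives, so once it reaches a `sleep` it stops reading and the server's next write backs up, whereas `> foo.sh` keeps draining the connection. The code below stands in a local subprocess stdin pipe for the HTTP connection and uses `cat` in the role of the file redirect; it assumes a POSIX pipe with the usual 64 KiB buffer (Linux default), and the probe delay, padding size, 1 s budget and the harmless `echo` used in place of a payload are all assumptions, not anything the thread describes.

```python
"""Simulate telling `curl ... | sh` apart from `curl ... > foo.sh` from the
sending side. Added example, not code from the thread; assumes a POSIX pipe
whose buffer is far smaller than PADDING_LINES KiB (64 KiB on Linux)."""
import os
import select
import subprocess
import tempfile
import time

PROBE = b"sleep 2\n"                      # a live shell stalls here
PADDING = b"# " + b"x" * 1022 + b"\n"     # 1 KiB comment line, a no-op for sh
PADDING_LINES = 512                       # 512 KiB, far beyond the pipe buffer
BENIGN_TAIL = b"echo benign script, nothing to see\n"
SHELL_ONLY_TAIL = b"echo this line is only served to a live shell\n"  # stands in for a payload


def probe_consumer(fd, budget=1.0):
    """Write PROBE, then try to push the padding through without blocking.

    Returns True if the padding could not be drained within `budget`
    seconds (the reader is executing the stream and is stuck in `sleep`),
    False if it drained right away (the reader is only storing bytes).
    """
    os.write(fd, PROBE)
    pending = PADDING * PADDING_LINES
    os.set_blocking(fd, False)
    deadline = time.monotonic() + budget
    try:
        while pending and time.monotonic() < deadline:
            try:
                pending = pending[os.write(fd, pending):]   # partial writes are fine
            except BlockingIOError:
                # pipe full and nobody reading: wait briefly for writability
                select.select([], [fd], [], 0.05)
    finally:
        os.set_blocking(fd, True)
    stalled = bool(pending)
    while pending:  # finish the script once the reader wakes up again
        pending = pending[os.write(fd, pending):]
    return stalled


def serve(consumer_cmd):
    """Feed the 'script' to consumer_cmd on stdin and pick the tail based on
    how the consumer behaves. Returns (stalled, bytes the consumer wrote
    to stdout); stdout goes to a temp file so a storing consumer never
    blocks on its own output."""
    with tempfile.TemporaryFile() as out:
        proc = subprocess.Popen(consumer_cmd, stdin=subprocess.PIPE,
                                stdout=out, stderr=subprocess.DEVNULL)
        fd = proc.stdin.fileno()
        stalled = probe_consumer(fd)
        os.write(fd, SHELL_ONLY_TAIL if stalled else BENIGN_TAIL)
        proc.stdin.close()
        proc.wait()
        out.seek(0)
        return stalled, out.read()


if __name__ == "__main__":
    for cmd in (["sh"], ["cat"]):           # `cat` plays the role of `> foo.sh`
        stalled, output = serve(cmd)
        print(cmd[0], "stalled" if stalled else "drained", output[-60:])
```

Run as-is: the `sh` consumer stalls on the probe and receives the shell-only tail, while `cat` drains everything and gets the benign script, which is exactly why the saved copy you fetch afterwards to inspect can differ from what was executed. The detector is timing-based, so a reader that deliberately pauses could also trip it; that is the limit of the simulation, not a property of the page's claim.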
5. Waterl+S8 2023-09-27 00:42:05
>>serf+84
This feels like a thing but I can’t think of a name for it.

Where something that can be verified gets more scrutiny than something that can’t.

Maybe someone else knows.

replies(3): >>fragme+db >>coucha+wc >>mr_toa+Qq
6. ddtayl+o9 2023-09-27 00:45:48
>>Waterl+(OP)
Actually they do. Not individually, one by one themselves, but they outsourced this to their distro maintainers, who do a spectacular job.

I'll take a properly curated package in Flatpak Fedora repos over a random script downloaded and piped into a root shell any day.

7. fragme+db 2023-09-27 00:57:29
>>Waterl+S8
Verification bias?
8. coucha+wc 2023-09-27 01:05:31
>>Waterl+S8
"bikeshedding"?
9. mr_toa+Qq 2023-09-27 02:39:24
>>Waterl+S8
https://en.wikipedia.org/wiki/Streetlight_effect