With all the discussion around the Bitcoin whitepaper being discovered in macOS, I think it’s important to take a step back from a security perspective.
All of these posts on Twitter and elsewhere said “Open the terminal and run some command to see the Bitcoin whitepaper!” I’ve intentionally omitted the command here.
For those in the technology security industry, you’re aware of the risks running an arbitrary command on the command line. But many others are not aware of the risk.
I want to put this simply:
Do NOT run commands directed by internet strangers in your terminal*
* unless you know what you’re doing
There are infinitely many bad things that can happen from copy-pasting some command into the terminal and running it. These can range from downloading malware, wiping your hard drive, exfiltrating sensitive data, etc.
In this particular case, the command was pretty transparent about what it was doing and was safe. But that’s not a guarantee.
Be careful folks.
Good post.
Websites which provide install instructions as
curl <url> | bash
are also very guilty of this. See https://0x46.net/thoughts/2019/04/27/piping-curl-to-shell/
I don't see how this is any different from installing any other program on your computer. Most people using Windows just type in their admin password when installing stuff. And the people on Linux installing something with terminal instructions are basically the same thing.
I see your point but I also see a difference between running random code and being susceptible to the issues mentioned in the article vs running code which is more or less guaranteed that it does what you want:
(also from the mentioned article)
Things not mentioned are for example checksums which are also checked automatically by package managers.
In fact it goes further than that - pretty much every Linux package manager will refuse to even load packages from a repo unless the repo's PGP key matches up with the public key on your local system. You cannot add a new repo without adding the PGP key. If a malicious actor hacked the repo, they could not push out packages without also obtaining access to the private PGP key of the repo owner.
Windows users may be used to installing random executables, but Windows systems also tend to have a lot of malware. Linux has many extra layers of security vs Windows, which doesn't even have a package manager unless you install a third party one - same is true of macOS as well, if we're being fair.
Point is, when discussing Linux security, saying "but piping random scripts direct to bash with sudo is as secure as Windows" is basically the computing equivalent of "better love story than Twilight."
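The "checksums checked automatically" point above, shown as an added example that is not code from anyone in this thread: instead of piping a download straight into bash, save it to a file, compare its SHA-256 against a checksum published somewhere other than the download itself, and only then execute it. To run offline the script constructs its own throwaway installer in a temp directory and computes the "published" checksum locally; `sha256_of`, `verify_then_run`, the demo file and both checksums are constructed for this example. The PGP signature check a package manager adds on top is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread: "download to a file, verify, then run"
# as an alternative to `curl <url> | bash`. All inputs below are constructed
# locally so the script runs offline; in real use the expected checksum comes
# from a source independent of the download (release page, signed manifest).

set -u

# Print the SHA-256 of a file, using whichever tool the system has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its SHA-256 matches EXPECTED_SHA256 (hex, either case).
# On a mismatch it reports to stderr and returns 1 without executing anything.
verify_then_run() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file (got $actual, expected $expected): refusing to run" >&2
    return 1
  fi
  sh "$file"
}

# --- constructed demo input (not a real installer) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
installer="$demo_dir/install.sh"
printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$installer"

# The checksum a trustworthy out-of-band source would have published for this file.
good_sum=$(sha256_of "$installer")
# A checksum that does not match, standing in for a tampered or substituted download.
bad_sum=$(printf '%064d' 0)

# Stand-alone run: the first call executes the installer, the second refuses.
verify_then_run "$installer" "$good_sum"
verify_then_run "$installer" "$bad_sum" || echo "second run correctly refused"
```

The useful property is that the script on disk is exactly what gets hashed and exactly what gets run, so you can also open it in an editor between the download and the `verify_then_run` call; a server that serves one body to a browser and another to `curl | bash` has nothing to work with.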
Great addition, thanks.
Really interested to see if this changed @zuspotirko's mind
Do people frequently install executables from Twitter posts?
There is no difference if it's a Tweet or a Github ReadMe or a recommendation from a friend: if you don't know what you are installing you don't know what you're installing no matter the source
I generally agree with you but
it's literally just
open <path>.pdf. Like literally. One has to be a special kind of regarded to not know what they're doing. It doesn't get more simple than that
Like I said, this one was transparent about what it was doing. But it sets a dangerous precedent.
???
Are you aware how irrelevant this "precedent" is or are you mistaken about the meaning of the word "precedent"? People have been posting terminal commands on the internet for decades now.
That's like saying someone stealing from Walmart last week was a precedent. It's not. Theft has existed forever, it's not a "precedent"
Maybe precedent is not the right term here. Maybe enabling bad behavior fits better?
I think the post was a bit ill formulated. I think the post was less about that specific command but more generally about running random code without verifying or not taking any precautions.
At least that's how I read it.
Yeah that's the message I got too. The terminal command in question is harmless, and OP explicitly says this along with saying it was transparent about what it is doing, but the point is to be wary of blindly pasting terminal commands if you are unsure about exactly what they do. It takes five seconds to paste them into Google before running them on your system.
It wasn't that long ago people were posting shit like "make your Mac 10x faster by running rm -rf ~/" and "delete system32 it's a virus" and yes people actually fell for that shit.
When people get into the habit of blindly trusting terminal commands without understanding what they're doing, they can easily fuck their shit up.
The tl;dr is simply "don't trust, verify."
*including chatbots (like claude.ai)
The LLMs may make honest mistakes today.
I believe it's only a matter of time before they intentionally suggest code that has an ulterior motive which is sinister in ways that could benefit the AIs themselves, or their developers.
Sure, but with this one liner you can download the bitcoin whitepaper pdf straight from the blockchain:
seq 0 947 | (while read -r n; do bitcoin-cli gettxout 54e48e5f5c656b26c3bca14a8c95aa583d07ebe84dde3b7dd4a78f4e4186e713 $n | jq -r '.scriptPubKey.asm' | awk '{ print $2 $3 $4 }'; done) | tr -d '\n' | cut -c 17-368600 | xxd -r -p > bitcoin.pdf
Absolutely agree, very true