Don't copy-paste terminal commands from the web

I typically “clean” anything I copy from the web by pasting into notepad. Normally this is just to strip out formatting before pasting into a different program, but it works just fine to “discover” hidden malicious code as well.

sudo rm -rf /*

You wish! EVERY DAY OF MY LIFE IS THIS.

Except that most people have scripts on because, for example, Twitter, Facebook, and Gmail don’t work if you turn off all scripts.

exactly, I read it too and thought, on what planet?

Are you from 1992?

No, I just recognize that allowing scripts to run by default is the digital equivalent of licking every doorknob you come across.

This doesn’t really have anything to do with scripts as far as the browser is concerned, so having scripts disabled doesn’t provide any protection. If you had CSS turned off though, you would see the otherwise hidden code.

It’s also the thing that lets most modern sites to dynamic work so you’re locking yourself into Geocities era web.

I can leave that era of the web when I decide the site I’m looking at is trustworthy. But trusting the site from the start doesn’t seem like a good idea to me. I prefer to exercise control over what code my computer runs, rather than letting any Tom Dick or Harry run arbitrary code on my machine without asking.

It also makes it easier to exclude domains like quantserve and doubleclick, and other ad networks and trackers that perhaps aren’t already denied in my hosts file.

As you said, this would work on Windows too if one were to paste Batch commands into a CMD window, or Powershell into it’s window, or even Python or Ruby into their respective interactive interpreters on any OS.

I think it is not a matter of copying terminal commands itself which is the problem, but the pasting them into a terminal which requires caution. The web script is simply telling your clipboard what to copy, which may not be what you see on screen. This does not mean interpreting javascript code in the clipboard itself! Then people can paste potentially malicious code into their terminal and have it run automatically. Since the copied text can have line return characters embedded, lines of commands can be run before the user could see what they were pasting.

For example, here’s what is seen on the linked page:

git clone git://git.kernel.org/pub/scm/utils/kup/kup.git

And here’s what it actually contains if you copy it to the clipboard:

[quote] git clone /dev/null; clear; echo -n “Hello “;whoami|tr -d ‘\n’;echo -e ‘!\nThat was a bad idea. Don’”'”‘t copy code from websites you don’“'”‘t trust!
Here’“'”'s the first line of your /etc/passwd: ';head -n1 /etc/passwd
git clone git://git.kernel.org/pub/scm/utils/kup/kup.git [/quote]

Besides the problem of being exploited by malicious code, there is more common problem of whether or not to trust random people to not break your system by mistake.

I just install uBlock Origin and Privacy Badger and call it a day.

And I do that too. Plus NoScript and self-destructing cookies.

NoScript breaks too many sites to be worth the hassle. I keep my browser up to date, don’t run flash or other binary plugins, and don’t download malware.

I consider at this point using NoScript more of a way to enforce good web browsing habits. You can also do permanent-whitelist in it, so that makes it easier to build up a list of your by-default trusted sites, like the BBS. You can then back it up. Sure it takes a month or two to build up your settings list, but after that it’s not that inconvenient to me at least. And I can backup the settings once I’m comfortable with them.

Similarly, never run shell commands from your company chat channel when you are the newest person on the team. The hazing. It burns.

This. Lots of people insisting “this isn’t a JS problem” are misunderstanding the attack. Here’s how this works (in this case, less-maliciously to add a attribution link to copied text):

tl;dr Browser events tracking keyboard and mouse behavior allow for source site code to append text to the thing you are copying, invisibly. What you copy ain’t what you saw, and may include shit you should never execute.

On the bright side - dinner’s almost ready!

Bah. I have my secretary print out all my web pages for me. Then I have another one read them to me, acting out the pictures if necessary, and I’ve never been infected with anything. Except chlamydia.