Don't copy-paste terminal commands from the web

Huh?
Licking things is how you figure out what they are – equivalent of pasting in text editor…

6 Likes

I think you’re confusing “pasting” and eating paste.

6 Likes

Yeah. Right-click, View page source…

The linked article sez:

Try running this command in your terminal. It's supposed to be harmless, right? It is harmless, yes, but what happens still isn't what you'd expect and demonstrates the dangers in doing stuff like that. Mark it with your mouse, copy it somehow (e.g. using CTRL+C) and paste it into a terminal. What happens?
Whereas the BB summary sez:
tl;dr: whatever Javascript put into your clipboard gets run irrespective of what you thought you were copying, and the outcomes can be exceedingly unpleasant.
One of these things is not the other.

Ubuntu is a Linux distro often adopted by Linux newbies since it’s pretty easy to install and use. Due to this fact, you will see, sprinkled around the Ubuntu forums, this warning (their bolding):

Ubuntu Forums has a strict zero-tolerance policy when it comes to posting dangerous commands. In the past members have been banned for posting dangerous commands. If the intent is malicious, this is simply unacceptable. If it is meant as a joke – it is not funny.

Please be cautious when a command is suggested or if directed to download script/s as a solution to a problem. When in doubt as to the safety of the procedure, it’s always a good idea to wait for more opinions, and/or have the command explained and verify if the explanation makes sense by consulting readily available documentation on Linux commands (such as manpages). If you have any doubts about the content of a command or script, report the post/thread and forum staff will investigate.

Please take care when posting commands or scripts to assist other users. Post only well known, documented and current commands appropriate for the operating system in use, or scripts from reputable sources. If you do post commands in order to help someone but which have the potential to be dangerous, always make sure you warn possible users of the dangers, not just to the user you are helping, but others who may come across the post later. If posting scripts that help with various tasks, please be prepared to provide a source and description of the content.


Same general idea.

2 Likes

I always paste into Text Wrangler first.

2 Likes

clipboard poisoning can happen via 3 routes:

  1. CSS can be used to hide and alter what is being copied.
  2. Javascript can replace the clipboard contents with something else.
  3. Flash can replace the clipboard contents with something else.
    (presumably any other plugin or technology that interacts with the clipboard or alters what you see on the screen could be used for clipboard poisoning)

NONE of these will allow anything to be executed from the clipboard directly, NONE of these execute javascript. The poisoned clipboard contents have to be pasted into the shell because they are altered shell scripts/commands, NOT javascript, and are only an issue when run from the shell. The key is that it is fine to copy any command you want to the clipboard, just don’t paste anything you copied from a web page directly into the shell; rather, paste it into a text editor and recopy it from there once you’ve ensured it hasn’t been altered/poisoned.

8 Likes
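The "paste into an editor first" advice above boils down to one check: does the clipboard hold exactly the single line you saw, with no embedded line terminators (which make a shell run the text the moment it is pasted) and no invisible characters? The script below is an added example, not code from this thread or from any of the tools mentioned in it; it performs that check on a string handed to it. The clipboard samples (`ON_CLIPBOARD`, `ON_CLIPBOARD_CRLF`, `ON_CLIPBOARD_ZW`) are constructed, benign stand-ins, and the function names are mine.

```python
"""Inspect text copied from a web page before it is ever pasted into a shell."""
import unicodedata

# What the page visibly showed the reader (constructed sample).
SHOWN_ON_PAGE = "ls -l"
# What an off-screen element actually put on the clipboard (constructed, benign stand-in).
ON_CLIPBOARD = "ls -l\necho 'this line was hidden'\n"
# Same idea with Windows-style line endings (constructed).
ON_CLIPBOARD_CRLF = "dir\r\necho hidden\r\n"
# A zero-width space smuggled into an otherwise normal command (constructed).
ON_CLIPBOARD_ZW = "ls\u200b -l"

# A shell treats any of these as "end of command": pasting them executes the preceding text.
LINE_TERMINATORS = {"\n", "\r", "\u2028", "\u2029"}
# Invisible code points that survive copy/paste and are not shown by most editors.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def inspect_paste(text):
    """Return (kind, index, description) for every suspicious character in text."""
    findings = []
    for i, ch in enumerate(text):
        if ch in LINE_TERMINATORS:
            findings.append(("newline", i, "line terminator: text before it would run on paste"))
        elif ch in ZERO_WIDTH:
            findings.append(("zero-width", i, f"invisible character U+{ord(ch):04X}"))
        elif ch != "\t" and unicodedata.category(ch).startswith("C"):
            # Category C* = control/format/unassigned; a plain command has none of these.
            findings.append(("control", i, f"control character U+{ord(ch):04X}"))
    return findings


def would_autoexecute(text):
    """True if pasting this text into an interactive shell would run something immediately."""
    return any(ch in LINE_TERMINATORS for ch in text)


def split_executed_and_pending(text):
    """Split pasted text into the lines a shell would execute and the tail left at the prompt.

    Every line terminated by a newline is executed as it arrives; whatever follows the
    last newline just sits on the command line waiting for Enter.
    """
    normalized = text.replace("\r\n", "\n").replace("\r", "\n")
    parts = normalized.split("\n")
    return parts[:-1], parts[-1]


def escaped_view(text):
    """Render the text so that newlines and non-printables become visible escapes."""
    return text.encode("unicode_escape").decode("ascii")


def matches_what_was_shown(shown, clipboard):
    """True only if the clipboard is exactly the one visible line (modulo surrounding whitespace)."""
    return not inspect_paste(clipboard) and clipboard.strip() == shown.strip()


if __name__ == "__main__":
    for sample in (SHOWN_ON_PAGE, ON_CLIPBOARD, ON_CLIPBOARD_CRLF, ON_CLIPBOARD_ZW):
        print("clipboard:", escaped_view(sample))
        for kind, index, description in inspect_paste(sample):
            print(f"  [{kind} at {index}] {description}")
        executed, pending = split_executed_and_pending(sample)
        print("  would run on paste:", executed)
        print("  left at the prompt:", repr(pending))
        print("  safe as shown:", matches_what_was_shown(SHOWN_ON_PAGE, sample))
```

Note that `split_executed_and_pending` shows why a single visible line can still be dangerous: everything before the last embedded newline runs before you get a chance to read it, and only the trailing fragment waits for Enter. Modern readline and zsh mitigate this with bracketed paste, which hands the whole pasted block to the line editor instead of executing line by line; in bash it is controlled by the readline variable `enable-bracketed-paste` and is on by default from bash 5.1, but checking the text in an editor first still works on any shell.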

I use both of those and use NoScript same as @LDoBe as well.
It is easy enough to whitelist scripts temporarily or permanently if they are from trusted sources.
It isn’t for using the web scriptless so much as getting to approve and have control over which scripts run.

As a developer it also helps ensure I’m coding things with proper fallbacks whenever possible… NoScript also allowed Flash execution approval per site as well, long before there were other ways to do that, and as you know that is just smart browsing.

I think you have to be fairly competent to use NoScript properly, my parents certainly couldn’t determine which scripts are necessary for a function and which ones are from advertisers, etc.

If you ever stray off the beaten path of the web into the dark shady corners, it is an absolute must. For hypothetical example if you are reading about zero day security exploits on a Russian site that only exists as a tor node, you’d be crazy to do so with scripts enabled. NoScript is a condom for the web.

4 Likes

PureText will save you half the copy-pasting: http://stevemiller.net/puretext/

1 Like

Yep, I see that this exploit is just putting the hidden text logically embedded within what you think you’re copying, but wrapped inside a span that’s absolutely positioned outside of the window by 100 pixels up and to the left of the actual page so you don’t see it. It’s physically rendered way off the canvas, but is logically embedded inside a line that’s visible.

Neat trick. If I’d stuck with being a webdeveloper I probably would have come across it a long time ago.

1 Like

but you can trust ruby and whoever has hacked the ruby site!

1 Like

Seeing that command trying to read the first line of /etc/passwd amused me, because I’d pasted it into a PowerShell prompt.
Windows! More secure than Linux for a change :wink:

This sounds like the sort of thing that might be specific to one particular operating system…

That would be nice on my personal machine. The work machine, where security would have a cow for installing unapproved stuff and I have a whitelist of currently installed apps? Well, not so much.

1 Like

:(){ :|:& };:

 

1 Like

the kaomoji for collapsing?

It’s a complete program written in Bourne shell. You could paste it right into a terminal window, although I recommend that you don’t (there’s a little MRSA on that particular stainless steel doorknob).

Noscript, Adblock and Self Destructing Cookies are a nice combination as long as you’re at least halfway code literate. Noscript interferes too much with browsing for non-coders.

1 Like

I should have added some other emoticon, I thought the “collaps” would be enough…


eta: Almost forgot: Thanks for the explanation! One of the reasons I like BBS is the incredibly helpful and polite users.

3 Likes

Oh yes.

I should go look at some of those forums instead of waiting for all of the zero days to come to me. :slight_smile:

5 Likes

Be aware that you’ll find some other stuff. That you can’t unsee. :frowning:

4 Likes

Worse than 8chan?

1 Like

Oh, no you don’t! I am not even tempted to look at 8chan and find out. I’ve learned my lesson!

Suffice it to say that down in the dark parts where business gets done by the Rom chavos and the credit card numbers and kiddie scripts are flying around, there’s a lot of snuff and scat vid. One of the benefits of using a tightly locked down browser, of course, is that you can avoid seeing any videos.

Another thing I’ve learned is that if you administrate a lot of email servers, do whatever you have to do to avoid reading other people’s email. It’s just a matter of time until you encounter something that’ll haunt you forever. Especially avoid rendering any pictures!

2 Likes