OMG rm -rf ~ in a valentine bash script and its partly my fault

OMG rm -rf ~ in a valentine bash script and its partly my fault(williamedwardscoder.tumblr.com)

44 points by talmirza 13 years ago | 33 comments

thirsteh 13 years ago |

The repo owner was stupid for not checking what they were merging, and the author is stupid for making the pull request in the first place. If they wanted to prove a point, they should have merged something a little less harmful, like "echo This file could have deleted your home folder. Don't run random scripts from the Internet without inspecting them first."

afarrell 13 years ago | |

Right. If you are going to troll, do it with something annoying but harmless: download and play an audio file, lock the screen so they have to sign in again, pop open 100 gnome-shells, etc.

meaty 13 years ago | | |

Back in the day, the goatse was the preferred method of education.

sc0rb 13 years ago | | |

Opening 100 gnome shells that will crash my system and make me lose whatever I was working on is NOT harmless.

eric_bullington 13 years ago |

Wow, how disappointing. And poor title to describe a very bad decision by a human being, not a movement. This has nothing to do with open source, and everything to do with human nature. Someone on the inside of a closed source project with commit rights at a company with a poor review process could just as easily have done this to make some kind of point. Same result.

Furthermore, I can't possibly audit every single line of every open source project I run on my personal machine. Did you review every line of the last distro you installed? A python package installed via pip can just as easily 'rm -r ~' as a bash script can, as can a vim plugin, etc. etc. In the end, it often comes down to trust, and credibility.

What have you done to yours?

aw3c2 13 years ago |

What kind of title is this? "Evil Open Source". It has nothing to do with the content. The linked post itself is titled "OMG rm -rf ~ in a valentine bash script and its partly my fault??!?!"

nailer 13 years ago | |

I accidentally downmodded you. But +1, the title has nothing to do with the app. Both people involved are very, very immature.

beatgammit 13 years ago | |

It also isn't technically Open Source. I didn't see anywhere in the REPO that stated it was Open Source. At best, it's Freeware/Shareware, at worst, you're stealing the author's work by downloading.

Minor nit, but I think it adds to your comment.

ptbello 13 years ago | |

What's with "partly" anyway? More like "entirely", regardless of the muppet conspirancy theory

throwaway125 13 years ago | | |

I'm not sure I understand with how you got to "entirely". Yes, his pull request was dangerous but it also reveals how the repo owner would accept just about any pull request you send him. That seems like a major issue. I'm sure both parties involved will not make these mistakes in the future.

moccajoghurt 13 years ago |

"Your house is not fire-proof, that's why I burned it."

Congratulations for proving your point by destroying other people's work.

Seriously that's nothing you would expect from a thoughtful person.

mseebach 13 years ago | |

"Your house is not fireproof, so to taunt you a bit I'm going to throw some burning matches in your frontyaOH MY GOD WHY DID YOU THROW A BUCKET OF GASOLINE ON THEM?"

philh 13 years ago |

I get the impression he was not expecting that pull request to get merged. This was silly, but not malicious. He wasn't trying to delete home directories to prove a point: the point he was making was directed at the repo owner.

Meanwhile, merging that pull request seems downright stupid, but maybe there are mitigating factors I'm not aware of?

mpyne 13 years ago | |

Don't issue pull requests that you don't want merged. It's really that simple. The maintainer could easily merge it by accident by absentmindedly clicking the button they normally click in response to well-formed pull requests while thinking they'd rejected it. Maybe they have a cat, or a toddler, who knows?

Don't put your name on stuff you don't want merged.

Jem 13 years ago |

This reminds me of the prat that decided to teach me a lesson in PHP security by exploiting my first script & deleting my entire website when I was 15. :(

Lesson learned, and it got me into PHP security, but I can't help but feel there are nicer ways to go about giving such an important lesson...

thirsteh 13 years ago | |

Like adding a note that he could've deleted all your files. This is just vandalism disguised as a "heads-up."

meaty 13 years ago | |

Sometimes the hard way to learn the lesson is the best way and sometimes a costly mistake by someone is an education for lots of people. It's an unfortunate side of human nature but it's valuable.

My own experience by proxy: A colleague of mine kept everything he owned on a single CDRW. It got put in a Pioneer slot loader. A few seconds later "boom" and the disk shattered into thousands of small pieces. He cried. I, and the 15 other people in the room, learned about keeping backups in multiple locations.

The same thing happens when a seal eats a penguin. Hundreds of other penguins learn to keep away from seals.

axelfreeman 13 years ago | |

If i teach some people websecurity i post some fancy chiptune music from youtube with autoplay. Problem proofed, much cooler, lesson learned. All happy.

kenkam 13 years ago |

It's a shame, the fact that he decided to rm -rf ~ has hijacked the point he was trying to make in the first place. Now everyone's discussing if there's a better way of making his point rather than downloading random scripts on the internet and running them.

And the dramatic irony is: he tried to warn people that bad things can happen if they run scripts without verifying... by doing _exactly_ what he is warning about -- doing malicious stuff to you. It wasn't well thought out, was it?

Lesson: one can make a point without deleting someone's home directory... (or something equally evil)

simonh 13 years ago |

"In a fit of silliness"

No. Not silly. Not at all.

"I think I was the muppet they got to pull the trigger of the gun they pointed."

Amazing.

~They got me to pull the trigger.~ ~I'm just a muppet.~

No. Not a muppet. Not at all.

Sickening.

brazzy 13 years ago | |

Stop being a judgemental ass. He expected the pull request to be read and ignored, not blindly (or maliciously) merged.

If anything is sickening, it's this readiness to assign blame and exaggerate guilt.

simonh 13 years ago | | |

> ..not blindly (or maliciously) merged..

Or accidentally.

He saw someone making a careless rookie mistake, who quite obviously didn't really understand what they were doing, and equally obviously didn't understand how dangerous it was, and then deliberately put a live landmine in their way.

He then posted to his blog saying how shocked, amazed and not in any way responsible he was for the resulting explosion.

How would you characterise that?

bnegreve 13 years ago | | |

I disagree, why would you even submit a pull request if you expect it to be ignored. I think the whole point was to write a sensational blog post.

npsimons 13 years ago |

Editors: can we get the title fixed, please? This has nothing whatsoever to do with open source.

mpyne 13 years ago |

So since we're all so busy assigning blame here, who is going to blame the end user for deciding to pipe a script straight from the Internet into a shell, whether directed by a README or not?

Saves the trouble of having to learn how to attack security vulnerabilities if you can simply have the user r00t themselves for you...

kyllo 13 years ago |

Haha. Next time if you are just trying to make a point to the open source maintainer who's supposed to be reviewing your pull request, write the payload but comment it out so it doesn't actually do anything.

The real lesson here is DON'T MERGE PULL REQUESTS YOU HAVEN'T LOOKED AT.

speeder 13 years ago |

I don't know who are crazier here.

Also the owner of the script saying that the person should not made a pull request (and a issue) instead is missing the point, not that I agree with a dangerous pull request (in case the owner of the repository is crazy), but the owner of the repository merging the request just because it was a request (instead of a issue) sounds like someone wishing to shit to happen.

It would be like pushing a wedge into the train tracks and blaming the guy (that also had the bad idea) to put the wedge near the tracks.

VLM 13 years ago |

Among people gullible enough to download and run executables containing random unknown content, the blogger has now lost some personal credibility, but the good news is the gullible will continue to download and run executables containing random content because they see the story as an individual social norms violation, not a miserable systemic failure. The blogger was successful in that had he not submitted a rm -Rf and then publicized the story, the problem would not be discussed at all, but it was a failure in that the story only resonates with those who already don't care about security.

rlpb 13 years ago | |

> Among people gullible enough to download and run executables containing random unknown content

Like Ruby developers, for example?

http://www.ruby-lang.org/en/downloads/

"curl -L https://get.rvm.io | bash -s stable --ruby"

static_typed 13 years ago |

This is one of my pet peeves of late - so many tools and tutorials advise the user to curl and pipe some script of the net to install and make it work. Why aren't we teaching people to be a little cautious - to download, review and then install? How did developers become so lazy, and so coddled that we desire convenience over security or forethought? Or worse, is it really due to an increasing number of developers who are unable rather than unwilling to review scripts, tools or libraries before use. Do we need a new movement for 'the literate programmer', that emphasises the need to learn than just the core language or framework or ecosystem that they are using?

anon1385 13 years ago | |

https://en.wikipedia.org/wiki/Underhanded_C_Contest

The Underhanded C Contest was a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice.

pnathan 13 years ago | |

In general I don't want to spend time reading source of software I use. If I'm downloading a script from a trusted source, I like to be confident that I'm getting the right script.

That's accomplished by the author publishing a sha256 hash and me following this workflow:

    curl http://scriptname > scriptname.foo
    sha256 scriptname  # visually verify that it looks right from the web site
    chmod 755
    ./scriptname.foo

Of course, if I'm downloading from an untrusted source, I review the script and any commands I miss.

Note that, e.g., Calibre, has their Linux update procedure to be as follows[1]:

    sudo python -c "import sys; py3 = sys.version_info[0] > 2; u = __import__('urllib.request' if py3 else 'urllib', fromlist=1); exec(u.urlopen('http://status.calibre-ebook.com/linux_installer').read()); main()"

I'm sorry, but I don't see any verifications that calibre has not been rooted and malware installed. It's not HTTPS either, so I won't even get an SSL warning for a MITM attack.

To decode the Python: that command/script downloads a script from the internet without verification, and executes it as root.

[1] http://calibre-ebook.com/download_linux

MindTwister 13 years ago | |

Scenario: I want to install rvm

I could download their install script, read it through and then proceed to run it

or,

Since I'm trusting rvm not to do any harm in the first place, I might as well use their handy one-liner and install it in one go. Anything they can do in their one-liner they can do to me when I install rvm anyways.

sudo python -c "import sys; py3 = sys.version_info[0] > 2; u = __import__('urllib.request' if py3 else 'urllib', fromlist=1); exec(u.urlopen('http://status.calibre-ebook.com/linux_installer').read()); main()"