When a computer stops behaving, the solution often involves looking up an obscure command and pasting it into the terminal -- even experienced administrators and programmers aren't immune to this, because remembering the exact syntax for commands you use once every couple of years is a chore.
For many years, security researchers have warned that CSS can be used to trick users by putting different text on the clipboard than the highlighted text on the screen, inserting malicious commands in place of innocuous ones.
The default Mac terminal warns users when they're pasting commands that have a carriage return, and gives them the option of removing it. This seems like a good countermeasure to me -- I'd like a version for my terminal program that lets me always strip out CRs when pasting.
echo "not evil"
Will be replaced with
Note that the newline character gets appended to the end of the line. When a user goes to paste the echo command into their terminal, "evil" will automatically get echoed to the screen without giving the user a chance to review the command before it executes. More sophisticated payloads that hide themselves can also be used, such as the one demoed here and seen below:
echo "not evil"
This command will create an evil file in your home directory and clear the terminal out. The victim appears to have the command they intended to copy, nicely pasted into the terminal.
Pastejacking [Dylan Ayrey/Github]
(Image: DEC VT100 terminal, Jason Scott, CC-BY)
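The countermeasure wished for above (strip line terminators before a paste reaches the terminal), as an added example that is not part of the original post or of the Pastejacking project: a paste filter that removes line terminators, control characters and invisible Unicode characters from clipboard text and reports what it removed, so the user can see that the clipboard did not match the highlighted text. The function name `inspect_paste` and the sample strings are constructed for this example.

```python
import unicodedata

# Code points a terminal acts on instead of displaying: CR/LF behave like
# pressing Enter, ESC (0x1b) starts escape sequences such as the one that
# clears the screen. Tabs are kept because pasted indentation often has them.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}
CONTROL_CHARS.discard("\t")
INVISIBLE_CATEGORIES = ("Cf", "Zl", "Zp")  # format chars, line/paragraph separators

def inspect_paste(text):
    """Inspect clipboard text before it is pasted into a terminal.

    Returns (sanitized, warnings): `sanitized` has every line terminator,
    control character and invisible Unicode character removed, so the paste
    cannot submit itself or redraw the screen; `warnings` lists what was
    removed so the user knows the clipboard differed from what they saw.
    """
    warnings = []
    if "\r" in text or "\n" in text:
        warnings.append("line terminator: pasting would run the command without review")
    if "\x1b" in text:
        warnings.append("escape character: pasted text could clear or redraw the screen")
    others = sorted({hex(ord(c)) for c in text if c in CONTROL_CHARS and c not in "\r\n\x1b"})
    if others:
        warnings.append("other control characters: " + ", ".join(others))
    invisible = sorted({f"U+{ord(c):04X}" for c in text
                        if unicodedata.category(c) in INVISIBLE_CATEGORIES})
    if invisible:
        warnings.append("invisible Unicode characters: " + ", ".join(invisible))
    sanitized = "".join(
        c for c in text
        if c not in CONTROL_CHARS and unicodedata.category(c) not in INVISIBLE_CATEGORIES
    )
    return sanitized, warnings

# Constructed samples: the benign paste passes through unchanged; the second
# carries a trailing Enter; the third adds a screen-clearing escape sequence
# and a zero-width space before the Enter.
SAMPLES = {
    "benign": 'echo "not evil"',
    "auto_enter": 'echo "not evil"\n',
    "hidden_clear": 'echo "not evil"\x1b[2J\u200b\n',
}

if __name__ == "__main__":
    for name, clip in SAMPLES.items():
        cleaned, notes = inspect_paste(clip)
        print(f"{name}: {cleaned!r} {notes}")
```

The sanitized string is what a clipboard manager or terminal paste hook would hand to the shell; the user still has to press Enter, which is the review step pastejacking removes.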