When a computer stops behaving, the solution often involves looking up an obscure command and pasting it into the terminal -- even experienced administrators and programmers aren't immune to this, because remembering the exact syntax for commands you use once every couple years is a choresome task.
For many years, security researchers have warned that CSS can be used to trick users by putting different text on the clipboard than the highlighted text on the screen, inserting malicious commands in place of innocuous ones.
The default Mac terminal warns users when they're pasting commands that have a carriage return, and gives them the option of removing it. This seems like a good countermeasure to me -- I'd like a version for my terminal program that let me always strip out CRs when pasting.
echo "not evil"
Will be replaced with
Note the newline character gets appended to the end of the line. When a user goes to paste the echo command into their terminal, "evil" will automatically get echoed to the screen without giving the user a chance to review the command before it executes. More sophisticated payloads that hide themselves can also be used, such as something demoed here and seen below
echo "not evil"
This command will create an evil file in your home directory and clear the terminal out. The victim appears to have the command they intended to copy, nicely pasted into the terminal.
Pastejacking [Dylan Ayrey/Github]
(Image: DEC VT100 terminal, Jason Scott, CC-BY)
Berlin-based security researcher Sébastien Kaul discovered that Voxox (formerly Telcentris) -- a giant, San Diego-based SMS gateway company -- had left millions of SMSes exposed on an Amazon cloud server, with an easily queried search front end that would allow attackers to watch as SMSes with one-time login codes streamed through the service.
Researchers at NYU and U Michigan have published a paper explaining how they used a pair of machine-learning systems to develop a "universal fingerprint" that can fool the lowest-security fingerprint sensors 76% of the time (it is less effective against higher-security sensors).
A year ago, the Norwegian Consumer Council commissioned a study into kids' smart watches, finding that they were incredibly negligent when it came to security and incredible greedy when it came to surveillance: a deadly combination that meant that these devices were sucking up tons of sensitive data on kids' lives and then leaving it […]
Ever wondered what it takes to make the transition from amateur photography to a full career? If you answered “a better camera,” you’re half right. Before you get the equipment, get the know-how to use it with the Hollywood Art Institute Photography Course & Certification. Taught by experienced pros, this course is geared towards shutterbugs […]
Anyone can learn piano, but don’t tell that to the bored kids who had to endure hours of “Chopsticks” and similar drills in their music lessons. Today, there’s a better way. Pianoforall lets you jump right in to discover what makes music fun, leaving you eager to learn more. In a simple but innovative approach, […]
There are two times you never want to just “eyeball” it: Conducting brain surgery and matching shades of paint for your walls. Whether you’re painting or repainting, make sure you’re never just “close enough” to the color you want. Not when the Nix Mini Color Sensor can scan and match any color perfectly. Small enough […]