Enter your password SUCKER! ;-) (a simple demo)
Posted 05-31-2012 at 10:38 PM by rainbowsally
Enter your password SUCKER!
;-)
Features:
Question: Who are they protecting My Compter from? From ME??? I am unapologetically an AB-normal user. But it's My Computer and I want to know what's in it and what it's doing.
Nice preamble, huh? ;-)
Now...
If you've never done any programming you might be surprised how easily you can get a user's password with a utility like this inserted into the command flow somewhere. Not just on your computer, but anywhere that you may get prompted for your password unnecessarily (such as after you've already logged in).
Now for the fun part... ;-) This is a small script so it doesn't need to be base64 encoded, uncompressed or any of that other fancy stuff.
This example doesn't require root permissions and it doesn't require a real password.
[See notes at the bottom. -rs]
file: ~/Desktop/add-remove-pw-sucker.demo (executable)
I'm wondering if some of the big hacking problems we've heard about are actually perpetrated by unscrupulous system dministrators and developers (see line ~50 of GPL v. 3). And add "rogue" "good guys" at the NSA if you use Windows.
I use openSUSE 11.4 these days.
Open suse boasts of having 30,000 verified developers world-wide and somehow their source packages end up missing contents, having unexpected ends of files, wrong patches and installing into the wrong directory.
Makes yuh wonder.
From day-one I wondered, who they are protecting the computer from with all this security stuff, with backdoors wide open and running with root privileges visibly in ksysguard. Sort by PID and watch for about 15 seconds.
Not convinced? Too hard to do?
Consider this example. You want dolphin to ask for a user's password.
Rename the original dolphin _dolphin and add a script named dolphin that says: "On this system Dolphin requires your password...". Then put the password and the user's name >> into text file where you can pick it up later. And have the script launch the real dolphin now named '_dolphin'.
The part above requires little more than what we have in this demo.
Set it to run only the very first time the user logs in if you want to stand a better chance of not raising suspicions and you'll reduce the size of the data file.
It's that easy.
It's really that easy. And that's a very unsophisticated hacker charade. All it requires is root privileges for about 10 milliseconds to insert the bug.
[What the H3LL is Package Kit doing in the background? <scratch-head -- scratch-head some more> Is it downloading software created by 30,000 verified developers worldwide? I could say a LOT more but GPL v. 3 has had this problem identified for years. All we need to do as users is to politely remind some of these bums that are sending out these screwy linux distros that they are flagrantly violating their GPL license (among other things).]
But for now let's just become aware of the hallucinogenic interpretations of "computer security" these days... and don't assume anyone else can peer into these opaque RPMS and DEB packages -- each the size of the city of LQ and written in Martian -- any better than you can.
:-)
So.. Maybe show this demo to your spouse, your friends, and your kids.
Do we "computer literate" types cover our own eyes and then assume that nobody can see us?
Dedicated to putting "open" back into "open source",
The Computer Mad Science Team
:-)
;-)
Features:
- Installer uninstaller in a simple clickable (or at least it should be clickable) script. (You can try setting the file associations these to run scripts with kde-open, xdg-open, gnome-open, ... or try the shell-exec app at this blog.)
- Fun. But is it practical? Maybe, and maybe not. It depends on if you already knew how risky handing control of parts of your system to strangers can be.
Question: Who are they protecting My Compter from? From ME??? I am unapologetically an AB-normal user. But it's My Computer and I want to know what's in it and what it's doing.
Nice preamble, huh? ;-)
Now...
If you've never done any programming you might be surprised how easily you can get a user's password with a utility like this inserted into the command flow somewhere. Not just on your computer, but anywhere that you may get prompted for your password unnecessarily (such as after you've already logged in).
Now for the fun part... ;-) This is a small script so it doesn't need to be base64 encoded, uncompressed or any of that other fancy stuff.
This example doesn't require root permissions and it doesn't require a real password.
[See notes at the bottom. -rs]
file: ~/Desktop/add-remove-pw-sucker.demo (executable)
Code:
#!/bin/bash cd `dirname "$0"` HERE=$PWD desktopFile="Password SUCKER.desktop" # a nice looking desktop icon hiddenFile=".password-sucker.exec" # the executable, hidden on the desktop icon=object-locked # we'll try a few others if this is missing create_demo() { ########################### the engine is a hidden file cat << _eof > $hiddenFile #!/bin/sh cd \`dirname "\$0"\` pw=\`kdialog --password " This operation totally unnecessarily requires your password so . . . Enter your password, SUCKER! "\` kdialog --msgbox "Oh! Wow. \"\$pw\". How unique. I never would have guessed." _eof chmod +x $hiddenFile ########################### the desktop icon cat << _eof > "$desktopFile" [Desktop Entry] Icon=$icon Name[en_US]=Password SUCKER Name=Password SUCKER StartupNotify=true Terminal=false Type=Application Exec=/bin/bash -e $PWD/$hiddenFile _eof chmod +x "$desktopFile" } # create if [ ! -e "/usr/share/icons/oxygen/48x48/status/$icon.png" ]; then kdialog --passivepopup "Hang on.. looking for a suitable icon for the app." 2 cd /usr/share list=`find * -name *.png | sed '/.*locked.*/!d'` 2>/dev/null if [ "$list" != "" ]; then a=$list icon=$a else cd /usr/opt/*/share list=`find * -name *.png | sed '/.*locked.*/!d'` 2>/dev/null a=$list icon=$a fi fi res=`kdialog --radiolist "Create or Remove the demo?" "create" "create" "on" "remove" "remove" "off"` if [ "$res" == "remove" ]; then rm -f "$hiddenFile" "$desktopFile" kdialog --msgbox "Password demo has been removed" fi if [ "$res" == "create" ]; then if [ -e "$hiddenFile" ] && [ -e "$desktopFile" ]; then kdialog --passivepopup "Overwriting existing files" 1 fi create_demo kdialog --msgbox "Password demo has been created" fi
I use openSUSE 11.4 these days.
Open suse boasts of having 30,000 verified developers world-wide and somehow their source packages end up missing contents, having unexpected ends of files, wrong patches and installing into the wrong directory.
Makes yuh wonder.
From day-one I wondered, who they are protecting the computer from with all this security stuff, with backdoors wide open and running with root privileges visibly in ksysguard. Sort by PID and watch for about 15 seconds.
Not convinced? Too hard to do?
Consider this example. You want dolphin to ask for a user's password.
Rename the original dolphin _dolphin and add a script named dolphin that says: "On this system Dolphin requires your password...". Then put the password and the user's name >> into text file where you can pick it up later. And have the script launch the real dolphin now named '_dolphin'.
The part above requires little more than what we have in this demo.
Set it to run only the very first time the user logs in if you want to stand a better chance of not raising suspicions and you'll reduce the size of the data file.
It's that easy.
It's really that easy. And that's a very unsophisticated hacker charade. All it requires is root privileges for about 10 milliseconds to insert the bug.
[What the H3LL is Package Kit doing in the background? <scratch-head -- scratch-head some more> Is it downloading software created by 30,000 verified developers worldwide? I could say a LOT more but GPL v. 3 has had this problem identified for years. All we need to do as users is to politely remind some of these bums that are sending out these screwy linux distros that they are flagrantly violating their GPL license (among other things).]
But for now let's just become aware of the hallucinogenic interpretations of "computer security" these days... and don't assume anyone else can peer into these opaque RPMS and DEB packages -- each the size of the city of LQ and written in Martian -- any better than you can.
:-)
So.. Maybe show this demo to your spouse, your friends, and your kids.
Do we "computer literate" types cover our own eyes and then assume that nobody can see us?
Dedicated to putting "open" back into "open source",
The Computer Mad Science Team
:-)
Total Comments 0