LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Blogs > rainbowsally
User Name
Password

Notices


Rate this Entry

Enter your password SUCKER! ;-) (a simple demo)

Posted 05-31-2012 at 10:38 PM by rainbowsally

Enter your password SUCKER!

;-)

Features:
  • Installer uninstaller in a simple clickable (or at least it should be clickable) script. (You can try setting the file associations these to run scripts with kde-open, xdg-open, gnome-open, ... or try the shell-exec app at this blog.)
  • Fun. But is it practical? Maybe, and maybe not. It depends on if you already knew how risky handing control of parts of your system to strangers can be.

Question: Who are they protecting My Compter from? From ME??? I am unapologetically an AB-normal user. But it's My Computer and I want to know what's in it and what it's doing.

Nice preamble, huh? ;-)

Now...

If you've never done any programming you might be surprised how easily you can get a user's password with a utility like this inserted into the command flow somewhere. Not just on your computer, but anywhere that you may get prompted for your password unnecessarily (such as after you've already logged in).

Now for the fun part... ;-) This is a small script so it doesn't need to be base64 encoded, uncompressed or any of that other fancy stuff.

This example doesn't require root permissions and it doesn't require a real password.

[See notes at the bottom. -rs]

file: ~/Desktop/add-remove-pw-sucker.demo (executable)
Code:
#!/bin/bash
cd `dirname "$0"`
HERE=$PWD

desktopFile="Password SUCKER.desktop"   # a nice looking desktop icon
hiddenFile=".password-sucker.exec"      # the executable, hidden on the desktop
icon=object-locked                      # we'll try a few others if this is missing

create_demo()
{
  
########################### the engine is a hidden file
  
cat << _eof > $hiddenFile
#!/bin/sh
cd \`dirname "\$0"\`

pw=\`kdialog --password "
This operation totally unnecessarily requires your password so . . .
Enter your password, SUCKER!
"\`

kdialog --msgbox "Oh!  Wow.  \"\$pw\".
How unique.  I never would have guessed."
_eof
  
  chmod +x $hiddenFile
  
########################### the desktop icon
  
cat << _eof > "$desktopFile"
[Desktop Entry]
Icon=$icon
Name[en_US]=Password SUCKER
Name=Password SUCKER
StartupNotify=true
Terminal=false
Type=Application
Exec=/bin/bash -e $PWD/$hiddenFile
_eof

chmod +x "$desktopFile"
} # create


if [ ! -e "/usr/share/icons/oxygen/48x48/status/$icon.png" ]; then
  kdialog --passivepopup "Hang on.. looking for a suitable icon for the app." 2
  cd /usr/share
  list=`find * -name *.png | sed '/.*locked.*/!d'` 2>/dev/null
  if [ "$list" != "" ]; then
    a=$list
    icon=$a
  else
    cd /usr/opt/*/share
    list=`find * -name *.png | sed '/.*locked.*/!d'` 2>/dev/null
    a=$list
    icon=$a
  fi
fi

res=`kdialog --radiolist "Create or Remove the demo?" "create" "create" "on" "remove" "remove" "off"`
if [ "$res" == "remove" ]; then
  rm -f "$hiddenFile" "$desktopFile"
  kdialog --msgbox "Password demo has been removed"
fi
 
if [ "$res" == "create" ]; then
  if [ -e "$hiddenFile" ] && [ -e "$desktopFile" ]; then
    kdialog --passivepopup "Overwriting existing files" 1
  fi
  create_demo
  kdialog --msgbox "Password demo has been created"
fi
I'm wondering if some of the big hacking problems we've heard about are actually perpetrated by unscrupulous system dministrators and developers (see line ~50 of GPL v. 3). And add "rogue" "good guys" at the NSA if you use Windows.

I use openSUSE 11.4 these days.

Open suse boasts of having 30,000 verified developers world-wide and somehow their source packages end up missing contents, having unexpected ends of files, wrong patches and installing into the wrong directory.

Makes yuh wonder.

From day-one I wondered, who they are protecting the computer from with all this security stuff, with backdoors wide open and running with root privileges visibly in ksysguard. Sort by PID and watch for about 15 seconds.

Not convinced? Too hard to do?

Consider this example. You want dolphin to ask for a user's password.

Rename the original dolphin _dolphin and add a script named dolphin that says: "On this system Dolphin requires your password...". Then put the password and the user's name >> into text file where you can pick it up later. And have the script launch the real dolphin now named '_dolphin'.

The part above requires little more than what we have in this demo.

Set it to run only the very first time the user logs in if you want to stand a better chance of not raising suspicions and you'll reduce the size of the data file.

It's that easy.

It's really that easy. And that's a very unsophisticated hacker charade. All it requires is root privileges for about 10 milliseconds to insert the bug.

[What the H3LL is Package Kit doing in the background? <scratch-head -- scratch-head some more> Is it downloading software created by 30,000 verified developers worldwide? I could say a LOT more but GPL v. 3 has had this problem identified for years. All we need to do as users is to politely remind some of these bums that are sending out these screwy linux distros that they are flagrantly violating their GPL license (among other things).]

But for now let's just become aware of the hallucinogenic interpretations of "computer security" these days... and don't assume anyone else can peer into these opaque RPMS and DEB packages -- each the size of the city of LQ and written in Martian -- any better than you can.

:-)

So.. Maybe show this demo to your spouse, your friends, and your kids.

Do we "computer literate" types cover our own eyes and then assume that nobody can see us?

Dedicated to putting "open" back into "open source",

The Computer Mad Science Team

:-)
Posted in Uncategorized
Views 1253 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 09:32 AM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration