Latest LQ Deal: Linux Power User Bundle
Go Back > Blogs > rainbowsally
User Name


Rate this Entry

Enter your password SUCKER! ;-) (a simple demo)

Posted 05-31-2012 at 11:38 PM by rainbowsally

Enter your password SUCKER!


  • Installer uninstaller in a simple clickable (or at least it should be clickable) script. (You can try setting the file associations these to run scripts with kde-open, xdg-open, gnome-open, ... or try the shell-exec app at this blog.)
  • Fun. But is it practical? Maybe, and maybe not. It depends on if you already knew how risky handing control of parts of your system to strangers can be.

Question: Who are they protecting My Compter from? From ME??? I am unapologetically an AB-normal user. But it's My Computer and I want to know what's in it and what it's doing.

Nice preamble, huh? ;-)


If you've never done any programming you might be surprised how easily you can get a user's password with a utility like this inserted into the command flow somewhere. Not just on your computer, but anywhere that you may get prompted for your password unnecessarily (such as after you've already logged in).

Now for the fun part... ;-) This is a small script so it doesn't need to be base64 encoded, uncompressed or any of that other fancy stuff.

This example doesn't require root permissions and it doesn't require a real password.

[See notes at the bottom. -rs]

file: ~/Desktop/add-remove-pw-sucker.demo (executable)
cd `dirname "$0"`

desktopFile="Password SUCKER.desktop"   # a nice looking desktop icon
hiddenFile=".password-sucker.exec"      # the executable, hidden on the desktop
icon=object-locked                      # we'll try a few others if this is missing

########################### the engine is a hidden file
cat << _eof > $hiddenFile
cd \`dirname "\$0"\`

pw=\`kdialog --password "
This operation totally unnecessarily requires your password so . . .
Enter your password, SUCKER!

kdialog --msgbox "Oh!  Wow.  \"\$pw\".
How unique.  I never would have guessed."
  chmod +x $hiddenFile
########################### the desktop icon
cat << _eof > "$desktopFile"
[Desktop Entry]
Name[en_US]=Password SUCKER
Name=Password SUCKER
Exec=/bin/bash -e $PWD/$hiddenFile

chmod +x "$desktopFile"
} # create

if [ ! -e "/usr/share/icons/oxygen/48x48/status/$icon.png" ]; then
  kdialog --passivepopup "Hang on.. looking for a suitable icon for the app." 2
  cd /usr/share
  list=`find * -name *.png | sed '/.*locked.*/!d'` 2>/dev/null
  if [ "$list" != "" ]; then
    cd /usr/opt/*/share
    list=`find * -name *.png | sed '/.*locked.*/!d'` 2>/dev/null

res=`kdialog --radiolist "Create or Remove the demo?" "create" "create" "on" "remove" "remove" "off"`
if [ "$res" == "remove" ]; then
  rm -f "$hiddenFile" "$desktopFile"
  kdialog --msgbox "Password demo has been removed"
if [ "$res" == "create" ]; then
  if [ -e "$hiddenFile" ] && [ -e "$desktopFile" ]; then
    kdialog --passivepopup "Overwriting existing files" 1
  kdialog --msgbox "Password demo has been created"
I'm wondering if some of the big hacking problems we've heard about are actually perpetrated by unscrupulous system dministrators and developers (see line ~50 of GPL v. 3). And add "rogue" "good guys" at the NSA if you use Windows.

I use openSUSE 11.4 these days.

Open suse boasts of having 30,000 verified developers world-wide and somehow their source packages end up missing contents, having unexpected ends of files, wrong patches and installing into the wrong directory.

Makes yuh wonder.

From day-one I wondered, who they are protecting the computer from with all this security stuff, with backdoors wide open and running with root privileges visibly in ksysguard. Sort by PID and watch for about 15 seconds.

Not convinced? Too hard to do?

Consider this example. You want dolphin to ask for a user's password.

Rename the original dolphin _dolphin and add a script named dolphin that says: "On this system Dolphin requires your password...". Then put the password and the user's name >> into text file where you can pick it up later. And have the script launch the real dolphin now named '_dolphin'.

The part above requires little more than what we have in this demo.

Set it to run only the very first time the user logs in if you want to stand a better chance of not raising suspicions and you'll reduce the size of the data file.

It's that easy.

It's really that easy. And that's a very unsophisticated hacker charade. All it requires is root privileges for about 10 milliseconds to insert the bug.

[What the H3LL is Package Kit doing in the background? <scratch-head -- scratch-head some more> Is it downloading software created by 30,000 verified developers worldwide? I could say a LOT more but GPL v. 3 has had this problem identified for years. All we need to do as users is to politely remind some of these bums that are sending out these screwy linux distros that they are flagrantly violating their GPL license (among other things).]

But for now let's just become aware of the hallucinogenic interpretations of "computer security" these days... and don't assume anyone else can peer into these opaque RPMS and DEB packages -- each the size of the city of LQ and written in Martian -- any better than you can.


So.. Maybe show this demo to your spouse, your friends, and your kids.

Do we "computer literate" types cover our own eyes and then assume that nobody can see us?

Dedicated to putting "open" back into "open source",

The Computer Mad Science Team

Posted in Uncategorized
Views 1103 Comments 0
« Prev     Main     Next »
Total Comments 0




All times are GMT -5. The time now is 02:41 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration