
This keeps coming up on Hacker News, and while I'm sure the people on Hacker News know this is bad, they probably still do it anyway because it's never had an adverse effect for them.

Speaking for myself, this has never caused a problem for me, and I'll probably keep doing it because it's convenient, and that convenience is more valuable when weighed against the potential bad things that could happen. Most likely the package just doesn't execute. The probability that it ends up on rm or something destructive is probably very low, and if someone is actively trying to MITM you, they will find a way even if you are smart enough not to run scripts from wget; most people aren't the target of this kind of very specific attack.

Like Apple's TouchID – it may not really be secure, but it's very convenient, and that will often be enough to make it mainstream.


We value convenience over security. It's the new normal.

I think we all understand this is not for the best but since it's normal we'd just go with it.


It's not a discrete one-or-the-other choice here. I think it's very unrealistic to believe that for the average person this is a dangerous security risk in practical terms.

The number of times people might do this is probably well below 100 and there are much more risky day to day security faux pas than this.


Casual pipe to shell is just a symptom of something much bigger, obviously present only in programmers.

One reason the bad is successful in becoming the new normal is that it came in small doses that you don't even notice, or that you think it's OK to ignore.


The alternative most people are advocating is to download the script completely, and then run it if the download was successful. That can still be accomplished with a single line of shell script.
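The "download fully, then run only on success" idiom that comment describes, written out as an added example (not code from the thread; the names safe_run, sha256_of and the FETCH override are my own, and curl plus sha256sum or shasum are assumed to be installed):

```shell
#!/bin/sh
# Added example, not from the thread. Names (safe_run, sha256_of, FETCH) are my own.
# The one-liner the comment alludes to is:  curl -fsSL URL -o f && sh f
# Here it is wrapped so a failed download, or a script whose hash does not
# match a published value, never reaches the shell.

# Print the SHA-256 of a file; uses sha256sum (GNU) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# safe_run URL [EXPECTED_SHA256]
# Downloads the whole script to a temp file first; nothing executes unless the
# download succeeded (and, if given, the hash matches). Returns the script's
# own exit status, or 1 if it was never run.
safe_run() {
    url=$1
    expected=${2:-}
    tmp=$(mktemp) || return 1
    # FETCH defaults to curl: -f turns HTTP errors into a failure instead of
    # saving an error page, -s/-S keep it quiet except for errors, -L follows
    # redirects. Left unquoted on purpose so the flags split into words;
    # overriding FETCH (e.g. FETCH=cat) lets the logic be exercised offline.
    if ! ${FETCH:-curl -fsSL} "$url" > "$tmp"; then
        echo "safe_run: download of $url failed, not running" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ -n "$expected" ] && [ "$(sha256_of "$tmp")" != "$expected" ]; then
        echo "safe_run: SHA-256 mismatch for $url, not running" >&2
        rm -f "$tmp"
        return 1
    fi
    if sh "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage as a script:  sh this.sh https://example.invalid/install.sh [sha256]
if [ "$#" -gt 0 ]; then
    safe_run "$@"
fi
```

Unlike `curl URL | sh`, a connection that drops halfway through leaves the shell with nothing to execute rather than a truncated script.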
