I'm going to exaggerate for the sake of argument, so here we go.
You all see it. It's a site with a shiny new tool that solves all your problems. Then you see a nice looking command that looks something like this:
curl -fsSL https://<awesome>/install.sh | sh
You see it and think, "Oh, this is great. I can run this and it's installed?" Let's do it.
You install it (sometimes putting your password because it really needs it to do the job for you) and you're good to go.
Then disaster happens and you're feeling like crap because you ran that command.
I've done it and it's fine for some companies since it's the easiest (and sometimes the only) way to install that product, but you should be extra careful before doing this.
It's not always a convenience. It's a security issue. You're letting a random company run a random piece of code on your machine. That's it. You're basically letting a person into your house and leaving for coffee while they "do something for you". Sometimes it's someone good fixing your sink, other times it's not quite.
This is quite different than installing an app from the App Store for example. There are safeguards (not that they will protect you 100%) in place that will at least try to block some nefarious operation. But if you install the script and put your password then it can do anything to your system.
I wrote about it in the past that giving the advice to "just read the code" is incredibly stupid (TL;DR if you are not technical you can't, so it's better to provide an opinion than saying that), so I won't say "just read the script". I don't read them either.
What you can actually do is see if you trust the company. If you're installing something from Microsoft or Google for example, then there's a good chance that they know what they are doing and that the script is safe, but it's great to be skeptical.
Also, there's nothing wrong with doing a quick Google search and seeing if people are having issues with the script. I know we're all in a hurry but if we install crap on our computers then the impact and the time to recover (if possible) things would be enormous.
To be clear, not always companies write scripts that have issues or security concerns. Sometimes things happen like this or this (security researcher that fell for it) for example, so it's not always a conspiracy to take away your data. Like all humans, people make mistakes and can even use a part of other software that has some nasty stuff as a dependency for example.
Final Thoughts
This is starting to be one of the most common install solutions from companies but also one of the most enticing vectors for malware for people who are up to no good.
So be careful and above do a quick check in any way that you can before running it.
Photo by Alina Grubnyak on Unsplash
No comments yet
Be the first to share your thoughts on this article!