Comment by charleslmunger
7 years ago
Which part is mistaken?
You're of course correct that the general problem is unsolvable - but the goal is to opportunistically infect people who directly paste the "curl example.com/setup | bash" that's helpfully provided in your getting started guide, without serving an obviously malicious payload to someone who could be inspecting it.
Sorry, 2AM. You're right of course.
I think the real message is that this is a new class of timing attack, and that it should be treated as such. E.g. curl itself needs to be updated to buffer its own output.
Or perhaps people shouldn't curl | bash? I don't want curl to buffer all output, I use it on devices with little RAM and do stream processing.
I disagree. Maybe a new tool that downloads and then runs a script from the interwebs needs to be written, but curl itself does one job and does it well.
I.e., curl is a *nix tool.
> Maybe a new tool that downloads and then runs a script from the interwebs needs to be written
What you're describing there is a package manager. What we don't need is a tool for running any random script from the wider internet.
3 replies →