You are not logged in.

#1 2024-02-08 12:51:08

skypher
Member
Registered: 2024-02-08
Posts: 7

Registration security issue

I've had to reregister for the forums and noticed that it requires you to run a shell command by copying and pasting it to a terminal and then inserting the output.

I think this creates a dangerous precedent. Users, especially newbies, shouldn't be taught to run any shell command from a website.

If this is some kind of captcha, I would suggest switching to another method.

Last edited by skypher (2024-02-08 12:52:05)

Offline

#2 2024-02-08 13:23:38

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,447

Re: Registration security issue

It is a captcha and it has been very effective at keeping out bot accounts.

I consider the actual test as such quite useful. The logical precedence that newbies shouldn't blindly copy paste commands could be ammended and telling them  to use this as an excercise to understand what they are executing exactly. Ultimately everyone should understand the commands they are pasting into a teminal and this is no different.In terms of random commands to paste and going by examples some other webpages give this is quite tame and is a read only access on information any Archer has on their system  and should be able to provide anyway.

Last edited by V1del (2024-02-08 13:24:58)

Offline

#3 2024-02-08 13:48:29

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: Registration security issue

I second the above, to the point that the following bears repeating:

V1del wrote:

... use this as an excercise to understand what they are executing

That said, there is a flaw in assuming there are no exceptions to the generally good idea here:

skypher wrote:

Users... shouldn't be taught to run any shell command from a website.

Taken to it's logical extreme and without any exceptions, then our whole installation guide (along with the rest of our wiki) should be removed and users just left to figure it all out on their own.

Our installation guide gives users commands to use that will wipe their hard drive of any current OS, repartition that drive, install software, much of which runs as root.  Doesn't this sound pretty ghastly compared to a captcha that has a user munge some data including the date and kernel version into a forum entry code with no resulting side-effects on the host system?

No one should copy and paste commands from random websites.  But if bbs.archlinux.org is considered a random / untrustworthy website, why would one seek to register here anyways?

Last edited by Trilby (2024-02-08 13:52:23)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#4 2024-02-08 13:58:14

Raynman
Member
Registered: 2011-10-22
Posts: 1,539

Re: Registration security issue

And with the first question you ask after registering, it's highly likely you're gonna be given shell commands to run to diagnose/solve your problem. (edit: Trilby edited this point in already.)

BTW the actual question is "what is the output of ..."; running it is just one (obvious/easy) way to determine the answer.

Last edited by Raynman (2024-02-08 13:59:18)

Offline

#5 2024-04-29 07:58:52

uncle_dod
Member
Registered: 2024-04-28
Posts: 7

Re: Registration security issue

This method also eliminate a large portion of people who you want to see and become Arch users, as it doesn't give any indication on what is wrong with the answer provided and the fact you can print at least two legit different hashes out of it.

Offline

#6 2024-04-29 12:52:25

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: Registration security issue

uncle_dod, while I suspect most of us want to be open and welcoming, we really don't have any specific want for more users.  We are not advertising.  An exceedingly vast majority of us couldn't care less whether arch linux is seen as "popular" (many of us may prefer it wasn't).

But your second point is more concerning.  Can you elaborate on what you think the two different legit hashes would be and / or how it could generate two different results?


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#7 2024-04-30 08:30:27

uncle_dod
Member
Registered: 2024-04-28
Posts: 7

Re: Registration security issue

Trilby wrote:

uncle_dod, while I suspect most of us want to be open and welcoming, we really don't have any specific want for more users.  We are not advertising.  An exceedingly vast majority of us couldn't care less whether arch linux is seen as "popular" (many of us may prefer it wasn't).

It was a generic form of "you".
The emphasis was on keeping a community alive and well, not on the "popularity" nor ignorance of some. 

Trilby wrote:

Can you elaborate on what you think the two different legit hashes would be and / or how it could generate two different results?

date -u +%V$(uname)|sha512sum|sed 's/\W//g'
echo date -u +%V$(uname)|sha512sum|sed 's/\W//g'

It matters because of the way it formed:

What is the output of "date -u +%V$(uname)|sha512sum|sed 's/\W//g'"?

User mistake of copying with

"

is far from zero.
Once you google for an answer to that copy-paste, you'll get many results with "echo".
Assuming many who try to sign up seek for help, it's a good idea to make a clarification on that point.

Offline

#8 2024-04-30 08:59:41

seth
Member
Registered: 2012-09-03
Posts: 59,882

Re: Registration security issue

If you're copying

"date -u +%V$(uname)|sha512sum|sed 's/\W//g'"

into a terminal and expect an output or can't make sense of the invariable ENOENT response, you're not using archlinux to begin with.

And if you're indeed added the quotes and then attempt

echo "date -u +%V$(uname)|sha512sum|sed 's/\W//g'"

because google or some stupid chatbot told you so, you're still not getting a hash.
And if at any point you accidentally copied only the tailing quote (genuinely possible physical mistake), you'll end up w/ an open quote and the shell will in one way or another let you know about that.

In summary: if you struggle to enter that command, you don't need to register because you're not using archlinux.

Offline

#9 2024-04-30 09:15:33

uncle_dod
Member
Registered: 2024-04-28
Posts: 7

Re: Registration security issue

1) Terminal => date -u +%V$(uname)|sha512sum|sed 's/\W//g'"

2) Google => date -u +%V$(uname)|sha512sum|sed 's/\W//g'"

One(if not the fist) links are: https://stackoverflow.com/questions/277 … s-with-sed

Offline

#10 2024-04-30 11:54:04

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: Registration security issue

Um, yes - if you change the command by adding additional commands that are not present in the question, it will change the results.  But there are far more than two possible results if we allow for changing the command!  But I guess I'm just being ignorant again, aren't I.  New members coming in, complaining about how hard it was to get in (despite being successful), and then calling existing members ignorant ... that's not exactly conducive to keeping the community "alive and well."

Also I've heard of the royal we, but what is the "generic you" if not a placeholder for this community?  Somehow you are asserting that there is not only a generic you that is distinct from this community, but further that we should care about the views of this generic you ... in fact more so that our own views.

Last edited by Trilby (2024-04-30 12:01:19)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#11 2024-04-30 14:55:37

seth
Member
Registered: 2012-09-03
Posts: 59,882

Re: Registration security issue

https://www.google.com/search?q=date%20 … %2Fg%27%22 gets me a chinese blog and a google book about "A Practical Guide to Red Hat Linux 8"? and if you enter

date -u +%V$(uname)|sha512sum|sed 's/\W//g'"

into a shell, you'll get an open promt.
Pro™ shells for real™ men hedonists will even hint the open condition ("pipe pipe dquote")

Again: I can perfectly see how because of the string of non-alphanumerics one might accidentally capture the double quote on mouse selection, but if that error doesn't immediately become obvious when pasting into the terminal (as was established here or elsewhere isn't the mostbestgood idea anyway) that's a fairly good indicator that one probably doesn't want to use arch and grow some experience on a mor prefab'd distro first.

Offline

Board footer

Powered by FluxBB