Security Cargo Cults

Earlier I mentioned a hack I use when I need to get a clean browser quick. Here it is again:

rm -f ~/.config/ralsina/devicenzo.conf
curl | python

Since that got posted on reddit (no, not linking it), it triggered "interesting" arguments. Basically many were shocked (shocked) about running arbitrary internet code locally in this manner. It's insecure. While I am by no means a security expert, at least I know I am ignorant.

Let's examine that insecurity claim a little, in the context of what I was proposing. I am trying to tell people "here's a small web browser that requires no setup and since it's not your main browser, you can nuke it and reset its state easily before running it, like this".

So, what's wrong with doing it that way, according to the commenters:

It's insecure because you can't see the code before running it because it's piped.

Well, that makes it exactly as insecure as every unsigned binary you ever downloaded. Or, let's be honest, every shell script, python script, perl script etc. you have ever downloaded. Or do you audit them?

Who exactly is being prevented from auditing it by having it presented this way? Is the intersection of "people who can audit this script" and "people who don't understand pipes" not empty?

For those who can audit, this makes no difference. For those who can't audit, this makes no difference.

It would be better if I provided a hash of the file to know it's not tampered

And how would you know the hash is not tampered with? What you want, really, is a digital signature of the script.

If you trust google (and usually, people do), then you know that:

  1. The script was uploaded by me (check the history of the file)
  2. The script has not been tampered with between the repo and you (since it's a secure connection and yes, there is a hash of the revision)

If you don't trust google, then you don't know who uploaded it, and if you don't trust me, you don't care who uploaded it, even if it's signed (because it's signed by someone you don't trust).
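For what a pinned hash actually buys you, here is an added example (mine, not part of the original post or of devicenzo): download to a temp file, compare against a digest you obtained from somewhere you already trust (the repo history over TLS, as above), and only then hand it to python. The URL and the expected digest are placeholders; the hash step only moves the trust question to wherever you got the digest from, which is the point of the signature argument.

```python
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile
import urllib.request


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_sha256: str) -> bool:
    """True only if the bytes match the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def fetch(url: str) -> bytes:
    """Fetch the whole script into memory instead of piping it straight to python."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def run_verified(data: bytes, expected_sha256: str) -> int:
    """Write the bytes to a temp file and run them only if the digest matches.

    Raises ValueError on mismatch, so nothing is executed. Returns the exit code.
    """
    if not verify(data, expected_sha256):
        raise ValueError("digest mismatch: refusing to run downloaded script")
    fd, path = tempfile.mkstemp(suffix=".py")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return subprocess.run([sys.executable, path]).returncode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Placeholders: the real URL is the script's location; PINNED is the digest
    # you copied from a revision you trust, not from the same download.
    URL = "https://example.invalid/devicenzo.py"
    PINNED = "0000000000000000000000000000000000000000000000000000000000000000"
    sys.exit(run_verified(fetch(URL), PINNED))
```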

How does the user know it's not malware?

He doesn't. Life is like that.

Why should the user trust you?

He shouldn't. OTOH, were he so inclined, he can check who wrote it, and that I am a real person, with a long history of sharing code online and no claims of ever pushing malware.

This is more insecure because it downloads on every run

You don't need to run malware more than once, anyway. So, not much of a difference.

This propagates bad habits

So does Dunkin' Donuts, and no one posts about it at reddit. But in any case, sure, it's a bad habit. Big deal.

So, is it secure? Hell no! Is it significantly less secure than installing a random PPA you see mentioned in a forum? Maybe slightly. Is it less secure than running random unsigned binaries? Hell no. Is it less secure than downloading and running it? No. Is it less secure than building a random thing from source? Hell no.

But is it less secure than the other realistic ways in which I can give you a 100+ line chunk of python code that works as a web browser? I don't think so.

In the context of "here's the code for it, it can do this", this is not significantly insecure. It's more or less as insecure as the alternatives. With the advantage that, if you want, you can audit it. It's 128 lines of code (assuming you trust Qt and PyQt and Python, etc.).

So there.