Comment on Heroic former PC Gamer writer creates a script to banish all the AI features from Google Chrome
Quexotic@beehaw.org 3 days agoYes and I have read them but the problem is that if you get people to start running random powershell from sources they don’t recognize, and you can’t tell me that the average Joe knows what GitHub is, that’s not a good thing.
It’s already a threat vector that’s being exploited in the wild.
Add to that that even though it’s verifiable, this also makes this guy a target for supply chain attack.
This is bad all around.
At the very least he could have signed the scripts which he did not.
Let’s say somebody tries to run this at work and they actually succeed and they manage to get it to run so that means they have bypassed the restriction that keeps them from running unsigned scripts and so right there they’ve made their machine more vulnerable so there’s that too.
Look, I recognize what the guy’s trying to do and it’s admirable but he should use a signed installer or put something in the Windows store (ok maybe MS wouldn’t like that) or at least use some sort of modern cryptographic protections. This guy (The article author really, I don’t blame the actual scriptwriter so much) is having people paste code and run it.
TehPers@beehaw.org 3 days ago
I don’t disagree that running random scripts off the internet is a bad idea, and I even made that clear. I was just pointing out that these specific scripts are verifiable entirely by the URL (which is just the raw GH file URL for the file in that repo).
I agree that signing the scripts would be a good idea though. I’m not sure how hard (or expensive) it is to do so though. If it’s anything like TLS certs, it’s probably just not worth it to them (though LE exists for TLS).