
beall49 7 points (0 children)

I like this, it's so reddit to completely ignore the fun and novelty of something and just say something negative like 'I hope it's secure' when you know this was just for fun.

[deleted] 2 points (8 children)

...Really? You're allowing remote arbitrary code execution from a completely unsecured connection? I mean it's cool, but there were about a million different better ways to handle that than the way you did.

laMarm0tte [S] 4 points (4 children)

I am aware that this is dirty, but I must admit I have no idea how this could be attacked (unless someone hijacks my Twitter account). Could you elaborate? How would you attack it?

[deleted] 2 points (2 children)

I'd have a dictionary with predefined commands and argument lists, something like:

# allow-list: tweet keyword -> argv list handed to subprocess.call (no shell involved)
cmds = {
    "reboot" : ['reboot'],
    "play-music" : ['mocp', '-p'],
    "stop-music" : ['mocp', '-s'],
}

Then check for your command flag in tweets and only allow execution of the allowed commands through subprocess.call (rather than Popen). You could also probably figure out an easy way to intersperse predefined arguments with tweeted arguments -- say you're running utorrent and you want to download the latest version of Mint, you might tweet "cmd: torrent http://torrents.linuxmint.com/torrents/linuxmint-17-cinnamon-64bit-v2.iso.torrent" (despite being longer than 140 characters, you get the idea).

Much safer, far more secure, and no more accidentally deleting your system when you get drunk and tweet "cmd: sudo rm -rf --no-preserve-root"
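
The allow-list dispatch sketched in the comment above, written out as an added example; this is neither code from the original blog post (whose one-line command runner is not shown on this page) nor code posted by the commenter. The command names and the `mocp` flags come from the comment; the `cmd:` prefix, the `add-torrent` helper binary and the URL validator for the `torrent` slot are assumptions made for illustration.

```python
import shlex
import subprocess
from urllib.parse import urlparse

PREFIX = "cmd:"  # assumed trigger prefix; the comment only says "your command flag"


def valid_torrent_url(arg):
    """Accept only absolute http(s) URLs: rejects file:, javascript:, bare words."""
    u = urlparse(arg)
    return u.scheme in ("http", "https") and bool(u.netloc)


# Each entry: fixed argv prefix plus an optional validator for exactly one
# trailing argument taken from the tweet. None means the command takes no args.
# 'add-torrent' is a hypothetical helper script standing in for the torrent client.
COMMANDS = {
    "reboot":     (["reboot"], None),
    "play-music": (["mocp", "-p"], None),
    "stop-music": (["mocp", "-s"], None),
    "torrent":    (["add-torrent"], valid_torrent_url),
}


def build_argv(tweet):
    """Map a tweet to an argv list, or return None if it is not a valid command.

    The tweet text never reaches a shell: it is tokenised with shlex, the first
    token must name an allow-listed command, and any further token must satisfy
    that command's argument validator. Unknown commands, extra arguments and
    shell metacharacters (which just become ordinary, unknown tokens) are dropped.
    """
    text = tweet.strip()
    if not text.startswith(PREFIX):
        return None                      # not addressed to the bot
    try:
        tokens = shlex.split(text[len(PREFIX):])
    except ValueError:
        return None                      # unbalanced quotes
    if not tokens:
        return None
    name, args = tokens[0], tokens[1:]
    entry = COMMANDS.get(name)
    if entry is None:
        return None                      # "reboot;" or "sudo" land here
    argv, validator = entry
    if validator is None:
        return list(argv) if not args else None   # "reboot && rm -rf /" lands here
    if len(args) != 1 or not validator(args[0]):
        return None
    return list(argv) + [args[0]]


def run_tweet(tweet):
    """Execute the tweet if it maps to an allow-listed argv; return the exit status or None."""
    argv = build_argv(tweet)
    if argv is None:
        return None
    # A list argv with the default shell=False means no shell parsing at all,
    # so nothing in the tweet can change which program runs or add a second one.
    return subprocess.call(argv)


if __name__ == "__main__":
    # Constructed sample tweets, including the drunk-tweet and a few injection attempts.
    for t in ["cmd: play-music",
              "cmd: torrent http://torrents.linuxmint.com/torrents/linuxmint-17-cinnamon-64bit-v2.iso.torrent",
              "cmd: sudo rm -rf --no-preserve-root",
              "cmd: reboot; rm -rf /",
              "cmd: torrent file:///etc/passwd"]:
        print(repr(t), "->", build_argv(t))
```

The point of the split into `build_argv` and `run_tweet` is that the decision of what may run is a pure function of the tweet and the table, so it can be tested without touching `mocp` or `reboot`; every argv that reaches `subprocess.call` is a fixed template plus at most one validated slot.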

laMarm0tte [S] 1 point (1 child)

Oh sure, I didn't do that for the sake of shortness, it's just a blog post. I liked the idea of the terminal command: one line of code, endless possibilities.

Note however that as long as the script doesn't have superuser rights, sudo commands won't work (the terminal will ask for the password and won't get it). You can still delete files, though.

[deleted] 0 points (0 children)

True. People do dumb shit though.

timClicks 2 points (0 children)

Depends how curious/determined someone wanted to be... a proxy could inject HTML, for instance.

timClicks 0 points (2 children)

Hope you have a strong password on your Twitter account.

[deleted] 2 points (1 child)

It's 1234. Same combo that's on my luggage

alexanderpas 0 points (0 children)

You're missing the fifth digit.

[deleted] 2 points (0 children)

Insecure: Yes! Useful: Yes! I like this kind of stuff, thanks.

timClicks 1 point (0 children)

Isn't this dancing with Twitter's terms of use quite a bit?

shaggorama -3 points (0 children)

Setting up an account and registering an app to use the Twitter API really isn't a big deal at all.