Users are blameless, I find the fault with the developers.
Asking users to pipe curl to bash because it’s easier for the developer is just the developer being lazy, IMO.
Developers wouldn’t get a free pass for taking lazy, insecure shortcuts in programming, I don’t know why they should get a free pass on this.
The post is specifically about how you can serve a totally different script than the one you inspect. If you use curl to fetch the script via terminal, the webserver can send a different script to a browser based on the UserAgent.
And whether or not you think someone would be mad to do it, it’s still a widespread practice. The article mentions that piping curl straight to bash is already standard procedure for Proxmox helper scripts. But don’t take anyone’s word for it, check it out:
https://community-scripts.github.io/ProxmoxVE/
It’s also the recommended method for PiHole:
These are rare ads for you, because you’re not in the target demographic that they get shown to.
Everyone’s online experience can be totally different based on what group an algorithm puts you in.
You don’t have to click an ad for it to be a security threat.
It is possible to abuse the mechanics of a web browser to send a fullscreen ad that resists typical means of app closing, scaring a normal user into clicking to install something malicious.
The weakest link is always the user, and advertisements are literally meant to target users. Exactly how hard do you think it is for an ad network to target the kinds of people most likely to get scared and just click the [Fix] button that downloads the malware?
Your average user gets infected and they take a computer to a repair shop to get it fixed, which costs money.
If the ad network would accept liability for damages caused by malware ads their ad networks delivered to people, I could be more sympathetic to the position that blocking ads is unfair to the content creaters paid by ad views. But if I’m financially responsible for fixing damage caused by ads, then I reserve the right to block them.
Full stop.
There’s a difference between ‘language’ and ‘intelligence’ which is why so many people think that LLMs are intelligent despite not being so.
The thing is, you can’t train an LLM on math textbooks and expect it to understand math, because it isn’t reading or comprehending anything. AI doesn’t know that 2+2=4 because it’s doing math in the background, it understands that when presented with the string
2+2=, statistically, the next character should be4. It can construct a paragraph similar to a math textbook around that equation that can do a decent job of explaining the concept, but only through a statistical analysis of sentence structure and vocabulary choice.It’s why LLMs are so downright awful at legal work.
If ‘AI’ was actually intelligent, you should be able to feed it a few series of textbooks and all the case law since the US was founded, and it should be able to talk about legal precedent. But LLMs constantly hallucinate when trying to cite cases, because the LLM doesn’t actually understand the information it’s trained on. It just builds a statistical database of what legal writing looks like, and tries to mimic it. Same for code.
People think they’re ‘intelligent’ because they seem like they’re talking to us, and we’ve equated ‘ability to talk’ with ‘ability to understand’. And until now, that’s been a safe thing to assume.