Heroic former PC Gamer writer creates a script to banish all the AI features from Google Chrome

ryujin470@fedia.io · 2 days ago

Heroic former PC Gamer writer creates a script to banish all the AI features from Google Chrome

ɔiƚoxɘup@beehaw.org · edit-2 1 day ago

On Windows, all you have to do is open PowerShell as administrator and copy-paste this command:

& ([scriptblock]::Create((irm “https://raw.githubusercontent.com/corbindavenport/just-the-browser/main/main.ps1”)))

…said the Nigerian prince. Hahahahahahahahahahahaha

I’ve read enough.

No.

Edit: Oh my god, it gets even better, the script reaches out and downloads shit from the Internet too. What the everloving fuck!

TehPers@beehaw.org · 1 day ago

You shouldn’t trust random scripts off the internet of course, but…

You do realize these scripts all come from this GitHub repo, right? It’s possible to verify them all, unless I’m missing a script here I guess. Even the registry files are plain text and readable directly in GH.

ɔiƚoxɘup@beehaw.org · 15 hours ago

Yes and I have read them but the problem is that if you get people to start running random powershell from sources they don’t recognize, and you can’t tell me that the average Joe knows what GitHub is, that’s not a good thing.

It’s already a threat vector that’s being exploited in the wild.

Add to that that even though it’s verifiable, this also makes this guy a target for supply chain attack.

This is bad all around.

At the very least he could have signed the scripts which he did not.

Let’s say somebody tries to run this at work and they actually succeed and they manage to get it to run so that means they have bypassed the restriction that keeps them from running unsigned scripts and so right there they’ve made their machine more vulnerable so there’s that too.

Look, I recognize what the guy’s trying to do and it’s admirable but he should use a signed installer or put something in the Windows store (ok maybe MS wouldn’t like that) or at least use some sort of modern cryptographic protections. This guy (The article author really, I don’t blame the actual scriptwriter so much) is having people paste code and run it.

TehPers@beehaw.org · 14 hours ago

I don’t disagree that running random scripts off the internet is a bad idea, and I even made that clear. I was just pointing out that these specific scripts are verifiable entirely by the URL (which is just the raw GH file URL for the file in that repo).

I agree that signing the scripts would be a good idea though. I’m not sure how hard (or expensive) it is to do so though. If it’s anything like TLS certs, it’s probably just not worth it to them (though LE exists for TLS).