1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Linux, OS X hit by Shellshock Bash vulnerability

Discussion in 'Article Discussion' started by Gareth Halfacree, 25 Sep 2014.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,386
    Likes Received:
    1,809
  2. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    13,218
    Likes Received:
    2,200
    Not the best time for this to hit Apple, is it?
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,386
    Likes Received:
    1,809
    I reckon this one's going to get a bit nasty. Sure, Apple, Canonical, Red Hat et al can roll out patches, but Bash is a frequent sight in embedded devices - the majority of which never receive firmware updates, even if their manufacturer bothers to release any. Can you say "botnet waiting to happen?"
     
  4. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    13,218
    Likes Received:
    2,200
    You think an IoT botnet was the plan from the kick-off?
     
  5. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,386
    Likes Received:
    1,809
    There was no plan: it's a daft error in an obscure feature which nobody noticed for a couple of decades. Amusingly, somebody who worked on Research Unix back in the day claims that it's a variant of an error they discovered in their sh(1) implementation - the pre-pre-pre-cursor to Bash - thirty years ago. Code is complex, and frequently full of mistakes; you just hope that the good guys find 'em before the bad guys do.
     
  6. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,250
    Likes Received:
    312
    The bad guys would probably try to keep it hush hush, although i dare say the good guys spy on what the bad guys are doing, sharing, publishing. Or at least i hope they do.
     
  7. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    But shouldn't the open source model have prevented this?

    Somehow?

    Er...
     
  8. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,250
    Likes Received:
    312
    Not sure what your definition of "prevented" is but from my understanding the open source model has identified it and is going to patch it.

    Bash has been around for 25 years and is still being supported, i can't think of any proprietary software that would still be supported after 25 years, fact is they stop supporting software like Windows 3.0 because it's no longer viable to fix security vulnerabilities that have been there from day one but no one knew about.
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,386
    Likes Received:
    1,809
  10. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    I'm fully aware that all software suffers from security vulnerabilities. The surprise is that anyone finds it surprising anymore.

    The problem we have currently is that Linux is widely assumed to be very secure. I've always queried this, on two bases: first, it's never been deployed on anything like the scale of its competitors, so we really have no idea how secure it is, and second, you have to be a fairly competent computer user to use it at all. I run antivirus software and have done for decades. It has not once picked anything up - not because I'm running any particular OS, but because I know what I'm doing. We have no idea what's likely to happen if we start giving it to numpties.

    (Well, actually, I think we have a pretty good idea what's going to happen - but we can't say so because the open source movement will pour sugar in our petrol tanks).

    Now we're starting to see Linux deployed more widely I suspect the real scale of the problem will become more apparent.

    P
     
  11. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,386
    Likes Received:
    1,809
    I'm impressed: that's significantly less frothing than your usual Linux-related posts. Sadly, it's also inaccurate: Linux has enjoyed a considerably wider distribution in every single market bar the desktop and laptop sector for years. It's long been the dominant force in servers, industrial, embedded and high-performance computing - and before that, its predecessors like Unix ruled the roost. We're not "starting to see Linux deployed more widely" - it's long been deployed widely. We're perhaps starting to see it make (slightly) more impact on the desktop, but not massively - it's still a tiny, tiny bit-player in the desktop and laptop market. Interestingly enough, said desktop and laptop market is pretty much immune to this 'ere bug: it's only exploitable on servers with some fairly specific configurations. There's no way to exploit it on a desktop, unless said desktop is running a webserver with specific CGI configuration - in which case it ain't a desktop any more.

    Better still, Bash isn't Linux. See that headline: Bash is the default shell in the BSD-based (and, I'd like to point out, proprietary) Apple OS X, too. Likewise, there are Linux distributions that don't use Bash. In fact, anyone using Debian or Ubuntu is pretty much immune to this bug: although Bash is used for login shells (meaning Shellshock can still be exploited to, for example, break out of a forced-application SSH environment providing you have valid authentication credentials for the server), all non-interactive stuff goes through /bin/sh which is symlinked to Dash - a different shell which is not vulnerable to Shellshock. Even oddly-configured CGI scripts hold no fear for Dash!

    'Course, you had to spoil an otherwise fairly reasonable post with this:
    I really, really wish I knew why you hated Linux and the open source movement so much. I mean, properly hate - not just ignore, or avoid, but actively seek out any opportunity to have a dig. Even when it comes to making rubbish up to post in the software/hardware/tech-support sub-forums about your "Linux laptop." Which reminds me: you never did follow up that one where you accused Linux of doing something Microsoft products have done since the year dot, did you?
     
  12. RichCreedy

    RichCreedy Hey What Who

    Joined:
    24 Apr 2009
    Posts:
    4,699
    Likes Received:
    172
    I thought embedded devices like routers used a different smaller less resource hungry shell, cant remember the name though
     
  13. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,386
    Likes Received:
    1,809
    BusyBox - some, but far from all.
     
  14. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    Okay, insert "on the desktop" after "it's never been deployed," although really the point is moot - it's about who's using it. 200,000 installs on a server farm administered by a handful of people is not, in this context, really a very wide deployment.

    They started it. The sense of smug superiority, the arrogance, the presumptiveness, the unsubtle looking-down on the competition, would be offensive enough if Linux was competent. But it isn't. As a reasonably advanced computer user, I constantly encounter people who try to persuade me to use it, and take violent offence when I explain why I can't. I can't because the open source software movement has failed to come up with software that does what I need it to do, because it's poorly thought out, badly managed, and lacks critical technical competencies. I'm pissed off with being told how to work by people whose ideas are so bad, and who appear to have no good idea what computers are actually for.

    So yes, I do take inestimable pleasure every time Linux screws up, and every time the open source model is shown to be what it actually is. If open source worked properly the problem which spawned this discussion could not happen. Open source is no better or worse at security than any other approach, and I shall take the greatest possible pleasure in including this thread in my citations every time some tub-thumping idiot tries to tell me otherwise.

    What did I not follow up?
     
  15. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,386
    Likes Received:
    1,809
    There are far more systems in the world running Linux or a variant thereof than there are running Windows. That, I would say, is a 'wide deployment.'
    Sounds to me like you need to hang out with better people. I've not encountered that sort of behaviour myself; I have, however, encountered a proprietary software fan doing everything he can to denigrate something he doesn't even bother to try to understand. In your post history, in fact.

    As I frequently say in response to this very tired argument of yours: that's fine. If open source software can't do what you need, then you'll have to use other software. This is normal, and right. Personally, open source software does exactly what I need: I exist as the sole breadwinner for a two-adult, one-child, one-cat household using nothing but open-source packages from the operating system down to the image editor. I've even produced a best-selling book, now in its third edition, using open-source software exclusively.

    My point here is this: just because open source doesn't work for you, doesn't mean it cannot work for anyone.

    There's only one person thumping a tub here, Phil, and it's you. As usual.

    This thread here, in which you expressed incredulity that 'Linux' uses lockfiles to protect open documents - until it was pointed out that it's the document editor, not the operating system, that's doing that, and that Microsoft Word running on Windows does exactly the same thing. You went very quiet after that.
     
  16. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,250
    Likes Received:
    312
    Maybe them being violent is more to do with the way you tell them.
    Most people don't get a smack in the face, or beaten up just for saying no thanks. :D
     
  17. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    I don't believe you.

    I'm astonished. Why?

    But I'm sure you'll understand why my assumption, on discovering a piece of software behaving in a thrown-together, archaic and poorly-thought-out manner that it was probably the product of open source thinking...
     
  18. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,386
    Likes Received:
    1,809
    Funny, I was just thinking the same thing about you. You're strong on rhetoric, Phil, but weak on evidence. You're also everything you claim to hate, as I will demonstrate below.
    Because, believe it or not, it's the best way to handle things. Imagine a network. Imagine a file server. Imagine a bunch of Word (or LibreOffice, whatever) files on said file server. Imagine User A opens and edits said file. Imagine User B opens and edits said file. Imagine both try to save. Whoops: collision. "But," you may ask in your naïveté, "why can't the file just be marked read-only in the file system?" To which I answer: what file system? The clients have no way of knowing what file system the network server is running, or what attributes it supports in terms of permissions and meta-data. The only way you can be sure that you've marked the file as read-only is by creating a lock-file - which is exactly what office suites, Microsoft Word et al, have been doing for years. They're also used to store changes without modifying the original file (which is how Word's AutoRecovery feature works), and to speed up various functions. Here's Microsoft's explanation on the matter.

    Now, that perfectly demonstrates "[the] sense of smug superiority, the arrogance, the presumptiveness, the unsubtle looking-down on the competition" which you apparently find so obnoxious in others. Pot, Kettle, you know the rest. If you can't see how your attitude is the perfect demonstration of everything you claim to hate - and have accused the apparently homogeneous open-source community of having - then there's really no helping you.
     
  19. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    Good grief, I certainly hope so! Fight fire with fire.

    Anyway, I'm entitled to look down on the competition. It's inferior.

    Sure, but that goes for any kind of file you like. Why are documents special?

    P
     
  20. adidan

    adidan Avatar now in stock for xmas 2019

    Joined:
    25 Mar 2009
    Posts:
    13,854
    Likes Received:
    1,527
    I always find it odd for anyone to have such stong views on something as worthless as an OS.

    I'm an OS whore, I'll use anything that does want I want it to when I want it to.
     

Share This Page