Shellshock: Bash software bug leaves up to 500 million computers at risk of hacking

[eschwartz]

Quote:

Originally Posted by cromag

Actually, the government was a big user of UNIX (back in my day) and there are several versions of Linux that are approved for use in various departments. In particular, there is at least one version approved for the Dept of Defense -- with rumors that they have at least one even more secure version they use in-house.

Because they of all people would know just how secure Windows is, after the backdoors have been installed at their behest.

[Andrew H.]

Quote:

Originally Posted by Sregener

At a fundamental level, it is the philosophy behind the software that makes Linux safer. This is for a few reasons.

First, the code is not secret. That means that many security flaws are quickly discovered, because many eyes can see them.

[Snip]

Nothing short of heaven is perfect, but Linux's security through openness has been a winning formula for years and will continue to be so.

That's kind of the open source mantra, but I'm skeptical. The Shellshock vulnerability has existed since 1992. Heartbleed was published, reviewed, accepted as a standard...and a huge weakness was not discovered for two years.

[Waylander]

Do I need to panic about my Macbook? I ran a virus scan and came up clean, but that may not mean anything.

[eschwartz]

Quote:

Originally Posted by Waylander

Do I need to panic about my Macbook? I ran a virus scan and came up clean, but that may not mean anything.

Not unless you are running some sort of network service -- the vulnerability requires that people actually have some sort of way of inserting code on your computer.

SSH access would open the door too -- but that requires the attacker have a valid SSH authentication key.

http://www.pcworld.com/article/26886...shock-bug.html


Also, virus scans will only show that you haven't been attacked yet.

[rcentros]

Quote:

Originally Posted by Waylander

Do I need to panic about my Macbook? I ran a virus scan and came up clean, but that may not mean anything.

The difference between Windows and Linux (and Mac) is that, with Windows, you're almost always talking about malware, drive-by infestations, ransomware, etc., after the fact. With Linux you're almost always talking about hypothetical problems -- "what could have happened."

[Waylander]

I'm slightly worried because the college campus wifi has no protection. What should I do?

[eschwartz]

Quote:

Originally Posted by Waylander

I'm slightly worried because the college campus wifi has no protection. What should I do?

Don't enable remote logins for a guest account (no password protection), don't enable remote logins period if you have decked out your login password in neon all over the lawn (or posted an SSH private key -- which you have authorized for logging into your computer -- on shady or even unshady sites), don't enable a webserver and put up CGI scripts, and you should be perfectly safe.

In other words, if you were vulnerable, you would've already known because you're in *that world*.

[pssquirrel]

Quote:

Originally Posted by Waylander

Do I need to panic about my Macbook? I ran a virus scan and came up clean, but that may not mean anything.

Apple just released a security patch:
http://support.apple.com/kb/DL1769

More info: http://mashable.com/2014/09/29/apple-shellshock-update/

[Waylander]

Thanks pssquirrel, I've just downloaded the patch. Better to be safe than very sorry. to eschwartz, I haven't done any of the things you've mentioned, so should be ok. Thanks to both of you for the advice.

[Katsunami]

Quote:

Originally Posted by taustin

I'll say. NPR did a piece on it yesterday, and the expert they were interviewing did not seem to be aware this does not affect Windows. The host, of course, was unaware of what an operating system is.

It can affect Windows if you run Cygwin. I have it installed because, if I need or want a command line, i'm much more used to Unix/Linux than Windows. I've been running Services for Unix, and later Cygwin, since 1998.

[gmw]

Quote:

Originally Posted by Andrew H.

That's kind of the open source mantra, but I'm skeptical. The Shellshock vulnerability has existed since 1992. Heartbleed was published, reviewed, accepted as a standard...and a huge weakness was not discovered for two years.

Yes. The idea that the code must be safe because many eyes can see it assumes that many eyes (with the education and experience to spot a bug) are actually looking. It's not a reliable assumption.

A lot of this stuff, especially in the open source world, has been around for a long time. People re-use the code because that's the smart and efficient thing to do. But do they go over it looking for bugs? Of course not, because that would deny the efficiency you were looking for by re-using the code in the first place. They put trust in the fact that it's been around for a long time, so it must be reliable - right? Not always.

Which is not an argument against using open source software, it's just facing the reality that software is a complex beast. Bugs are found by explicit testing and by using the software - hence popular software often has what might look like a disproportionately long list of bug-fixes. The true advantage of open source is not that everyone can see if there are bugs in the source, but that anyone (with the relevant skills) can fix the bugs when they are found.

[taustin]

Quote:

Originally Posted by Katsunami

It can affect Windows if you run Cygwin.

I suspect that the expert has never heard of Cygwin. I'd bet real money the host never has. They both clearly had no clue what this is all about, what the risks are, or what computers are at risk. They were there to generate hysteria, because that's what news organizations do.