“Shellshock” and various other FUD

I was going to write about what’s new in Alfresco Enterprise 5.0, which was launched at the Alfresco Summit in SF this week.

But then I got distracted by Bash and “shellshock”.  I linked to the Forbes article, but I could have linked to 77,500 other news articles (according to Google at 5pm today) and I guarantee that 77,000 or more of those stories will contain misinformation, confusion, FUD, and general bullshit.

I run a Mac, so as soon as I read the news I knew that OS X contains bash and would therefore be vulnerable.  I’m far from a bash guru, but it’s my shell of choice and I use it on Linux and Solaris as well if I can.

Last night I checked my firewall settings and tightened them up a little by enabling “stealth mode”, deleting rights from a couple of old apps that don’t need connections, and unchecking the “automatically allow…” box.


However, the more I read about the issue, the less likely I saw it being to affect most users.  The bug/exploit/hack requires a remote user or process to get a script executed on your server/computer in order to invoke the weakness, which is that the shell executes more code than it should allow, usually passed in as profile settings.  This is a decent explanation of the issue.

So the average user will be unaffected by this unless she or he has enabled advanced unix services and set up their machine to respond to requests from external servers.  Obviously web servers and other public-facing servers need to respond to such requests, so they are more at risk.  Hopefully most of those systems will be professionally managed (he says with a straight face) and patched quickly and efficiently.  The weaknesses in embedded systems and infrastructure (switches, routers) are potentially more difficult to fix and patch, but that’s another topic.
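Before relying on the firewall alone, it is worth checking whether the bash on your own machine has actually been fixed.  The self-check below is an added example, not part of the original post; it assumes bash is on your PATH, and the variable name shellshock_probe is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original post): local self-check for the
# Shellshock function-import bug in your own copy of bash.
# Assumes `bash` is on PATH; "shellshock_probe" is just an arbitrary name.

# Prints exactly one word: vulnerable, patched, missing (no bash) or unknown.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo missing; return 0; }
    # Put a function body in an environment variable with a trailing command.
    # A fixed bash ignores the import (older fixes warn on stderr); an
    # unpatched bash runs the trailing `echo` while merely reading its
    # environment, before the -c command is executed.
    out=$(env shellshock_probe='() { :;}; echo PROBE_EXECUTED' \
              bash -c 'echo bash_ran' 2>/dev/null)
    case "$out" in
        *PROBE_EXECUTED*) echo vulnerable ;;
        *bash_ran*)       echo patched ;;
        *)                echo unknown ;;
    esac
}

bash_shellshock_status
```

A result of "patched" means bash no longer executes code smuggled in through environment variables; "vulnerable" means an update is still needed regardless of firewall settings.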

What really annoyed me about the coverage of this (apart from the general cluelessness exhibited by authors writing for many publications in order to incite outrage and fear) was that people who should know better were using this as an argument *against* cloud services.  That’s absurd, since both kinds of system are equally at risk, and the chances of cloud infrastructure being professionally and competently managed are (in my experience) higher than for locally managed servers.
