Global computing and communications have barely recovered from the Heartbleed bug in the OpenSSL crypto library which laid siege to the internet in April, and it is now beset by the Shellshock Bash bug, whose very name suggests grievous bodily harm. But you know what’s even scarier? We have been reading scare stories about one bug or the other for 14 years, and we still get excited.
By Pratik Kanjilal
Bug journalism began in 1999, as the clock begun to tick down to the notorious Millennium Bug. It was expected to turn the world’s electronically networked mind into mush one moment after midnight on New Year’s Eve. According to urban folklore, streetlights would begin to blink like strobes, airplanes would nosedive out of the sky, nuclear-tipped missiles would lift off on their own, stock market databases would go to pot and the London Underground would host the world’s biggest pileup. On the bright side, ATMs worldwide would be pumping out cash like there was no tomorrow. And indeed, there would be no tomorrow.
None of these exciting things happened, but they could have. The Millennium Bug was real and particularly dangerous, since computers would have behaved in utterly arbitrary ways when they encountered the number 2000, which they could not read as a year. They could have read it as zero or infinity, or just frozen up, and the consequences would have been as unpredictable as this behaviour.
However, none of the dozens of bugs and exploits that have been reported breathlessly since that time really held the seeds of catastrophe. And from the sobering experience of 1999, when the unknown was staved off by thousands of software engineers and technicians the world over who worked against the clock to check billions of lines of code, the human race has learned how to deal with bugs. News of the Bash bug, for instance, was embargoed until providers of operating systems could develop patches against it.
This was conveniently overlooked in the scare-mongering that followed. The ease with which the bug can be forced to let an intruder into a system was highlighted—and indeed, if you can write a one-line script of Bash code, you can theoretically run riot. Since people with this elementary ability number in the millions, this could have become a big headache for the law-abiding. Except that most machines running Bash were already protected.
Obvious factors limiting the spread of exploits were lost in the noise. In the interest of comprehension, Bash is the Bourne Again Shell (some programmers do pun) which runs on Unix and Unix-like systems. Think of it as the command line—the empty prompt where humans type commands. Bash’s command interpreter, which tells the machine what humans want it to do, is slightly broken. It keeps reading beyond the page. If, for instance, a script sets an environment variable and signals the end of the command, Bash wants to know more. And if a command to wipe the hard disk follows, Bash will silently execute it.
This is like a nuclear bomb that you can make in the basement, and the US authorities have naturally ranked it at the highest risk. But consider the bomb’s trigger: a CGI script has to invoke the Bash shell in an internet-facing server. Bash runs only on Unix and Unix-like machines, mainly Linux and BSD. Mac OS runs it too, but it powers consumer machines which don’t run Web servers, the malware’s point of entry. Between them, Unix-likes host over half the world’s websites. But how likely is an internet host to leave its system unpatched? Besides, Linux has at least four alternative shells to Bash.
So, while attacks on Akamai and the US Department of Defence began immediately after the Shellshock bug hit the headlines, websites are unlikely to be felled in droves by this exploit. The challenge lies elsewhere—in old software packages, embedded Linux and the Internet of Things.
Like in 2000, software developers and maintainers will again sift through applications which invoke the shell, a routine strategy in Linux. On-chip embedded Linux systems, which control all sorts of things from servomotors in spacecraft to car phone systems and the wi-fi router in your home, may have to be flashed. In general, if a device is small and connected, it is probably running something Unix-like, usually a stripped-down avatar of Linux.
This Internet of Things is the new frontier for everything, including bugs. It will be interesting to see how its promoters deal with their first major bug. Internet servers and home routers are easy to patch remotely, since their owners and manufacturers know where they are and have an interest in protecting them. But swarms of objects like radio-tagged airline luggage, or clouds of chip-sized microsatellites that add up to giant remote sensing antennas, are somewhat autonomous. Despite all the excitement about Shellshock, this is the only area of uncertainty. By now, everything else should be safe.
