It’s long been a theory of mine that most of the computer viruses (I think it’s actually virii, since ‘virus’ is from the Latin, not the Greek) are written by anti-virus software providers. Note, if you will, how much trouble all the main providers have whenever a new kind of ransomware comes out, and how long it takes them to respond to the problem. Stuxnet, as well, proved to be a uniquely difficult nut for Symantec et al to crack. By contrast, the virii that do nothing but random harm for no understandable purpose are always handled by near-immediate updates that just require the installation of the appropriate software — fully paid and licensed to the current version, of course.
With that in mind, I’m a bit suspicious about a couple of recent vulnerabilities that seemed to fall lightly or heavily on the so-called open-systems side of the fence: “Heartbleed” and “Shellshock”. They launched on the scene almost as if they had marketing support. Catchy names, big publicity campaigns, a lot of “FUD” bundled on from the beginning. Could either or both originate from computer companies with vested interests in a proprietary-software-centric world?
Nah, that’s paranoid. Still, it’s worth noting that the Heartbleed vulnerability was more effective in a lab set up to demonstrate the Heartbleed vulnerability than it has been in the real world. And Shellshock? Well, for most of us, that’s entirely irrelevant.
Yet it was not always so.
It’s interesting to see how the social paradigms of computing have changed in the past thirty years, and to contrast the actual direction of that change to the direction one would guess given the stereotypes of computer users throughout history. In the beginning was the mainframe, and the mainframe was designed to be used 24/7 by dozens, even hundreds, of people. It was critical that those people play nice with each other; failing to do so could cause significant trouble for everyone. Thus the arrival of the suspender-wearing, Dennis-Ritchie-bearded sysadmin, with his iron-fisted control of the mainframe/VAX/Unix system.
The media was in love with personal computers from the moment Steve Jobs made them interesting, but the real work was always done on a mainframe. Today, about forty years after the beginning of the PC revolution, real work continues to be done on mainframes. Nearly every major corporation in the world that has actual, tangible products uses a mainframe of some sort. If you really need your computing assets to be secure and accessible, you use a mainframe.
But there are no more mainframe users. Not like there used to be. Today you have endless interfaces to the mainframe, but those interfaces are software-based, from PCs and web clients and the like. Very few people have a “terminal screen” as part of their job nowadays. If you have a mainframe login in the year 2014, chances are you’re either a mainframe admin or a piece of software.
The same is increasingly true for UNIX and Linux systems. As the use of such computers ballooned, first with the dominance of the Apache webserver and then with the Android operating system, the number of users per system dwindled. Ten years ago, I owned a webserver that had approximately seventy-five users who logged into a shell or through FTP to build their sites, store files, and communicate. Today, I still have the system, but I am the only user left.
As computing became generic and widespread, the community of computer users grew to include nearly everyone, and very few of those people could be counted upon to behave. The literature of early systems is chock-full of stereotypical physics and astronomy students who demanded extra CPU cycles or space in the most arrogant, autism-spectral manner possible, only to be stopped by the wise men with the suspenders and the relaxed potbellies. Yet when everybody got access to a keyboard and mouse, everybody demanded that they have it all — all the resources, all the space, all the CPU. They demanded five-thousand-dollar Pentium systems that sat idle twenty-two hours a day, they demanded double monitors that were dark most of the time, they demanded resources based on the worst-case scenario.
As did the programmers, who found it much easier to write code that would swallow a single Windows computer whole than they’d found it to write code that could peacefully coexist on a mainframe. This is particularly true in healthcare IT, where every dipshit insurance provider and state agency and peripheral manufacturer requires that you provide a buffed-out Windows desktop customized to their particular specs.
Meanwhile, the “virtualization” people were busy enabling the above mouth-breathers by turning high-power computers into facsimiles of multiple low-power ones. The “blade system” of today could run a Linux system with power and speed to blow your mind, but instead it’s used to run fifty virtual machines under VMware ESX, all stupid and slow and each one carrying a completely and stupidly redundant copy of the operating system.
Every so often, someone tries to centralize computing again. But the modern attempts at centralization, like VDI (virtual desktops) and the like, still maintain the ridiculous visual fiction that each user has his own computer. Many of them create a virtual computer from scratch when the user logs in then destroy it when the user logs off. Because that makes more sense than expecting people to behave on a shared system.
So we come to Shellshock. The bug is in the way bash imports functions from its environment: a variable whose value begins with “() {” is taken as a function definition, and bash versions before the fix went on to execute whatever followed the function body. Any program that lets an outsider set an environment variable and then starts bash, the classic case being a CGI script handed HTTP headers by the web server, therefore gives up command execution. Those commands run as whatever user owns the process that started bash, so the system is “rooted”, which is to say the attacker acquires full control over it, only when that process was already running as root. So I’ve been talking to my clients and customers. Do you have unprivileged users on the systems? Of course they don’t. Today’s users connect to a UNIX system through a computer that belongs just to them and which sits idle most of the time. And if they ever log on locally, chances are it’s to do “root” work anyway.
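The behaviour described above, as an added example that is not part of the original post: a probe for the original Shellshock bug (CVE-2014-6271), a simulation of how a CGI server hands a request header to bash through the environment, and a check that the legitimate function-export feature survives the fix. The marker string, the User-Agent value and the name “handler-ran” are constructed for the demonstration. Each function prints one word so the result can be compared: “vulnerable”, “patched” or “no-bash” if bash is not installed.

```shell
#!/bin/sh
# Added example, not from the post. CVE-2014-6271: bash imported any
# environment variable whose value began with "() {" as a function, and
# pre-fix versions went on to execute whatever followed the function body.

MARKER=SHELLSHOCK_MARKER   # constructed marker; appears only if the payload ran

# Direct probe: export a crafted variable, start bash, see if the payload ran.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # bash -c 'true' prints nothing itself; only the injected "echo",
    # executed at import time by a vulnerable bash, can put the marker on stdout.
    out=$(x="() { :;}; echo $MARKER" bash -c 'true' 2>/dev/null)
    case "$out" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# CGI path: the web server copies request headers into the environment
# (User-Agent becomes HTTP_USER_AGENT) before running the handler. Argument 1
# is the attacker-controlled header value.
cgi_header_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(HTTP_USER_AGENT="$1" bash -c 'printf handler-ran' 2>/dev/null)
    case "$out" in
        *"$MARKER"*) echo vulnerable ;;
        handler-ran) echo patched ;;
        *)           echo unknown ;;
    esac
}

# Legitimate use of the same feature still works after the fix: functions
# exported with "export -f" reach a child bash, now under specially prefixed
# names (BASH_FUNC_...) that an ordinary attacker-set variable cannot match.
exported_function_still_works() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash -c 'greet() { echo hello; }; export -f greet; bash -c greet' 2>/dev/null
}

# Whatever the result, the injected commands run as the user that owns the
# process which started bash (the web server account for CGI); they are
# root only if that process was already root.
printf 'direct probe:      %s\n' "$(shellshock_probe)"
printf 'cgi header probe:  %s\n' "$(cgi_header_probe "() { :;}; echo $MARKER")"
printf 'exported function: %s\n' "$(exported_function_still_works)"
```

On any bash that carries the 2014 fixes all three lines read patched, patched, hello; the point of the third check is that the fix narrowed what bash imports rather than removing the feature.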
So Shellshock doesn’t matter. It’s a way for individual users to usurp common resources — but nobody has common resources any more. We insist on our own computing. The so-called normal people who aren’t introverted geeks and losers can’t be trusted to communicate and share the way the nerds could. Nor can they be trusted to communicate without the monitoring of endless firewalls and security programs and nannies.
Shellshock destroys communities on a computer, but those communities are long gone. Think of it this way: there was once a time that you could kill everyone in a village by chaining the church doors on Sunday morning and burning the place down. You couldn’t do it today. Come Sunday, we are all doing our own thing and woe betide the person who suggests we don’t. Whether in person or through the terminal window, we no longer permit real community, real closeness, real intimacy, real danger.

I have just-under-admin status on Big Iron, but not that big: midrange (IBM System i). Been doing this for a quarter-century.
Oh, and “virus” is Latin fourth declension: the plural presumably would be “virus,” but with a long U.
Thank you. I took two years of Latin and disappointed my teachers every day of those years.
Catholic school? I was forced to take Latin and Greek.
Hey now, keep it down! I make a pretty good living off VDI and ESX and blades and redundant virtual Windows servers!!
But you speak the truth, especially about healthcare IT systems. That is what I have been working on recently and it is by far the most painful. Well, legal IT systems are pretty bad too.
Hey- now you both lay off Healthcare IT systems, they are an important part of the modern ponzi economy and I happen to make a good living off that…
http://finance.yahoo.com/q/bc?t=5y&s=CERN&l=on&z=l&q=l&c=&ql=1&c=^GSPC
If there’s any real impact, I think it’ll be embedded devices with a web interface running some little Linux distro - like some things I have that monitor stuff - i.e. send an e-mail when an event happens. Of course you need the web interface to configure the thing. Regular websites - the real attack vector - should presumably be easily updated. These embedded things should be isolated, anyway.
I think a lot of these problems arise because the start of the software was simplistic but over time, people kept adding features/functionality and never considered any adverse abuse potential - it likely never dawned on the coders.
The discussion about the old mainframe multiuser systems vs. the distributed virtualization hits home - as a grad student, I did computations on multiuser Crays and could see how many users I was competing with for the limited resources. Now I manage an OpenStack cluster and every one of my users gets their own virtual workstation and is in blissful ignorance of how many others they are competing with or what the load over the cluster is.
The question is: who’s running a bash script in CGI, in the year 2014?
Not a lot of people… but there are plenty who run a program written in some other language that nevertheless manages to call bash somehow, typically via a call like system(). See, for instance,
http://marc.info/?l=qmail&m=141183309314366&w=2
And that’s qmail, one of the most security-conscious programs around.
Now THAT is fascinating!
“Very few people have a ‘terminal screen’ as part of their job nowadays. If you have a mainframe login in the year 2014, chances are you’re either a mainframe admin or a piece of software.”
I am neither, and as recently as today I was doing my best not to press the wrong button in a 3270 emulator session. IMS 4evar.
Second declension, mass noun…no plural in the Latin…
wat
Latin, yo.
Shame you won’t find Latin in the curriculum at the high school level anywhere except a handful of elite prep schools these days. The main benefit of studying Latin is in the way it improves English. Something like 29% of English is pure Latin, and 58% is Latin derived (if you include French). By some estimates there are actually more Latin derived words in English than there are Latin words, period.
But the really interesting thing is how Germanic-derived words make up nearly all of the “simple” words and Latin makes up nearly all the “sophisticated” words.
Source of the most frequent 7,476 English words

            1st 100   1st 1,000   2nd 1,000   Subsequent
Germanic       97%         57%         39%          36%
Italic          3%         36%         51%          51%
Hellenic         0          4%          4%           7%
Others           0          3%          6%           6%
Latin would be useful if I were planning on becoming a Cardinal, or going into linguistic studies. Otherwise it becomes nothing more than brain sludge.
If your guys’ goal was to make someone feel stupid, you’ve succeeded. I have no idea what Latin has to do with this exchange.
The question is where the word “virus” comes from, because that would indicate what the plural should be.
Like Prius 🙂
Jack, I am probably out of my depth here (not my field) but your article makes me wonder whether in the larger sense, at least from a consumer standpoint, we ARE moving towards most computers being terminals due to the fact that we have moved so much into the cloud? We sort of allowed Google and Facebook to build castles that lord over our little villages, to borrow your metaphor. In the future it is not hard to imagine a PC will be just an internet portal. A terminal just to connect to Google. Isn’t Gmail already sort of that for most people? If you removed any and all email software or apps tomorrow and forced everyone to email only through gmail.com, many might not even notice.
It also brings to mind what I hear every time I talk to a developer and they can’t shut up about how much they hate Java and love PHP, because in essence Java makes your machine do all the work whereas with PHP it’s the cloud doing the work of loading content.
“Still, it’s worth noting that the Heartbleed vulnerability was more effective in a lab set up to demonstrate the Heartbleed vulnerability than it has been in the real world.”
I beg to differ; you could’ve dumped people’s Yahoo email addresses *and* passwords by just poking at Yahoo’s servers. I am pretty sure that national-level intelligence agencies knew about this (and Shellshock) from way beforehand.
The scary part about shellshock is that people can (and have started, after it going public) run stuff inside your server if you have not done your due diligence in your CGI scripts.
But who the hell is running Bash as CGI? In 2014? It wasn’t that common in 1999.
In the time it takes to find a box running Bash on CGI you could root a dozen systems in other ways.
Technically Shellshock isn’t a root exploit unless the application is running as root, which I fervently hope does not occur in 2014. The most likely exploit will be from Apache, which runs as httpd. That account can still cause lots of damage but cannot change the config of the box. That said, an rm -rf from httpd can “disappear” the site. Even more interesting is that it would be easy to generate a literally vast army of machines to DDoS any site you would like with spurious requests. Potentially one could cause DNS issues through vast numbers of machines requesting a dig or nslookup through this exploit, as I currently understand it.
I think a more accurate description of the exploit is not “rooting” as that is very unlikely. “Getting shell” is what I would use to describe the exploit.
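Since the comments above settle on Apache CGI as the realistic vector, here is an added example (not posted by anyone in this thread) of what the attempts look like in an Apache combined-format access log and how to pull them out. The log lines are constructed for the example and the addresses come from the RFC 5737 documentation ranges, not real hosts; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Exploit attempts put the bash
# function-definition prefix "() {" into a header the server copies into the
# environment, usually User-Agent, Referer or Cookie. In combined log format
# Referer and User-Agent are the last two quoted fields of each line.

# Constructed sample log; two of the four lines carry payloads, one in the
# User-Agent field and one in the Referer field.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'cat /etc/passwd'"
198.51.100.9 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo; /bin/ping -c 1 198.51.100.7" "curl/7.37.0"
198.51.100.22 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "check_http/v2.0 (nagios-plugins 1.5)"
EOF
}

# Match the function prefix itself ("()" + optional whitespace + "{") rather
# than a payload keyword, so spacing variants and unfamiliar commands are
# still caught.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Number of matching lines on stdin (0 when there are none).
count_shellshock_attempts() {
    grep -Ec "$SHELLSHOCK_RE" || true
}

# Distinct client addresses that sent a payload, one per line.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" | awk '{ print $1 }' | sort -u
}

# Requested paths that received a payload; these are the CGI scripts to
# audit first, and the user they run as decides what an attacker got.
shellshock_targets() {
    grep -E "$SHELLSHOCK_RE" | awk '{ print $7 }' | sort -u
}

echo "attempts: $(sample_log | count_shellshock_attempts)"
echo "sources:";  sample_log | shellshock_sources
echo "targets:";  sample_log | shellshock_targets
```

Run against a real file with `count_shellshock_attempts < /var/log/apache2/access.log`; the same three functions work on any log that keeps the header fields, and the absence of hits on a box that does run CGI is not proof of safety, since a header the server never logs (Cookie, for instance) can carry the same payload.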
Shellshock Attacks Spotted Against NAS Devices
First in-the-wild exploits found targeting QNAP network-attached storage devices.
Just a week after news of the Shellshock Bash bug went wide open, researchers believe the onslaught against the Internet of Things (IoT) has already begun. The malicious actors are starting with attacks targeting network-attached storage (NAS) devices, say researchers with FireEye, who believe these are the first in-the-wild attacks against embedded devices using the Bash remote code injection vulnerability.
[ SNIP ]
http://www.darkreading.com/operations/shellshock-attacks-spotted-against-nas-devices-/d/d-id/1316285
http://www.securityweek.com/hackers-compromised-yahoo-servers-using-shellshock-bug