In April of this year, the Internet spiraled into a panic after the discovery of a security bug called Heartbleed. Computer security expert Bruce Schneier called it a “catastrophic flaw,” and, attempting to contextualize its potential consequences, declared that “on a scale of one to ten, [it’s] an eleven.”
The bug (not to be confused with a computer virus: bugs are mistakes built into code that viruses then take advantage of) was an error written into a security program known as OpenSSL, which encrypts communications between users and web servers. Nearly two-thirds of websites were deemed vulnerable, and it allowed the capable hacker untraceable access to heaps of sensitive personal information. When properly manipulated, the bug was a kind of virtual treasure hunt. Hackers could grab 64 KB of memory at a time from a server and pick through whatever they found—passwords, pictures, you name it. Eventually, numerous companies released so-called “patches,” or code written to fix program flaws. The threat may have been quelled, but a pervasive anxiety remains across the Internet regarding a new type of security threat. Heartbleed raised the Internet’s blood pressure to unprecedented levels.
Last Wednesday, Heartbleed was replaced by a more formidable foe. A new, more invidious bug called Shellshock was discovered by US-CERT, and the popular tech site ZDNet was not alone in claiming that the new bug “makes Heartbleed look insignificant.” The basic difference between the two bugs is that while the first could steal personal information from computers and exploit it, Shellshock actually allows the hacker to take over the system itself. The National Institute of Standards and Technology warned that vulnerability to the flaw is widespread but low in terms of complexity, meaning it can be used easily by hackers.
Reading about Shellshock online is a truly mystifying experience for the tech-illiterate. The amount of computer-ese and techno-jargon on tech forums is bewildering and not easily translated to colloquial English. Out of respect for those unversed in the abstruse language of the 21st century, here is a brief, comprehensible explanation of the bug that could be annihilating a web server near you.
Shellshock is a bug that can be manipulated in the shell command line interface Bash. If you already feel lost, don’t—here’s a translation guide. A command line is the way to give a computer instructions. It’s akin to having a text message conversation with the machine, so that you can issue a command to the computer that says, for example, move this file here or change my password, and it will do it. You can also write programs with your command line. You can put in variables that state that, say, every time I type in the letter X, I actually mean a long and complicated list of commands that I don’t want to have to retype a hundred times. Later on, I can just type X instead of writing out mountains of code.
This is where the bug comes in. Essentially, everything within that given variable X should be treated as text, never as a command. That way, you can pass the command line text from external sites without worrying that it will do damage. However, in this particular command line interface, Bash, which happens to be quite common, a certain string of characters at the start of a variable’s value trips Bash up, so that it starts treating the text that follows as a command line instruction instead of as text.
The program that serves your webpage also uses the Bash command line to talk to other, smaller programs. But if the input from the world—the things coming from random web users that can be sent to you—has been maliciously crafted to include that special string of characters that allows text to be treated as a command, any person on the web might be able to run very dangerous commands on your web server. This is known as “remote code execution.” Hackers from the outside can crash servers or potentially turn a system into a botnet—a system of computers that obey hackers’ commands.
Shellshock is troubling for reasons both obvious and obscure. As I write this, attacks are infecting thousands of vulnerable machines with “malware,” designed to infect systems in the ways stated above. What’s more, the attack is simple enough that even relatively untrained hackers can use it.
To make matters worse, there are more systems running Bash than you might think. Upwards of two-thirds of machines that connect to the Internet have Bash, and more than just computers are affected. Web servers, routers, Android mobile phones, and even everyday items like refrigerators and cameras can be manipulated. When the whole world becomes digitally interconnected, from your thermostat to your car keys, the potential for massive, systemic breakdown becomes infinitely higher. When a “patch” comes out, users can download the program onto their computers and essentially immunize themselves from the problem. But few will think or even know how to update more mundane items like routers and cameras, from which web data can still be stolen.
Any system that doesn’t have Bash is much less likely to be affected. Windows computers don’t have Bash installed automatically, but Apple’s OS X operating systems do. I recently tested my own Mac computer for vulnerability online, a process that basically requires Shellshocking your own computer, and the results were as feared. Hordes of Mac users are at risk.
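As an added example (not code from the article, and not from the Bash project), the following POSIX shell script performs the kind of self-test the author describes, against the local machine only. It assumes a `bash` binary on the PATH; the function names `check_shellshock` and `demo_function_export` are hypothetical. The first function shows the legitimate feature the article alludes to: a function defined in one shell is exported through the environment and reappears in a child shell. The second places a variable in a child shell’s environment whose value begins with the function-definition marker and is followed by harmless trailing text; a fixed Bash treats that trailing text as data, while an unfixed Bash would execute it at startup, which is the flaw the article describes.

```shell
#!/bin/sh
# Added self-test for the Shellshock bug (hypothetical helper names; assumes
# a bash binary on PATH). Runs only against the local machine.

# Legitimate feature: a function exported with "export -f" travels through the
# environment and is imported by a child bash. Returns 2 if no bash is found.
demo_function_export() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found on this system"; return 2; }
    # Outer bash defines and exports a function; inner bash imports and runs it.
    bash -c 'greet() { echo "hello from an exported function"; }; export -f greet; bash -c greet'
}

# The flaw: a variable whose value starts with the function-definition marker
# "() {" used to be parsed as a function on startup, and an unfixed bash kept
# parsing past the closing brace and executed whatever followed.
# Return codes: 0 = bash present and fixed, 1 = bash vulnerable, 2 = test could not run.
check_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found on this system"; return 2; }

    # Harmless function body, then trailing text. The trailing text only echoes
    # a marker string, so nothing dangerous runs even on an unfixed bash.
    probe='() { :; }; echo SHELLSHOCK_TRAILING_TEXT_EXECUTED'

    # Start a child bash with that variable in its environment. The child itself
    # prints only "child_ok"; any marker text on stdout came from the variable.
    out=$(env probe="$probe" bash -c 'echo child_ok' 2>/dev/null) || out=""

    case "$out" in
        *SHELLSHOCK_TRAILING_TEXT_EXECUTED*)
            echo "VULNERABLE: bash executed text placed after a function definition"
            return 1 ;;
        *child_ok*)
            echo "not vulnerable: bash treated the trailing text as data"
            return 0 ;;
        *)
            echo "could not run a child bash to test"
            return 2 ;;
    esac
}

# Stand-alone run: show the legitimate export, then the check.
demo_function_export
check_shellshock
```

On a machine whose Bash has been patched, the second function reports “not vulnerable”; the check only ever runs an `echo` in the child shell, so it is safe to repeat on any host you administer.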
The question on most people’s minds is “where is all this heading?” The answer isn’t comforting. Computer experts fear it won’t be long before someone writes code for a “worm,” a type of self-replicating virus that infects systems at an exponential rate. Veracode’s Chris Wysopal says it’s only a matter of time. “There’s no reason someone couldn’t modify this to scan for more Bash bug servers and install itself,” Wysopal says. “That’s definitely going to happen.” Programmers are hard at work making patches for the bug before the worst occurs.
The most puzzling and problematic aspect of Shellshock is that the bug has been sitting unnoticed in the Bash program for about 22 years. This means any system running the program could have been exploited since the very beginning of the Internet, akin to a structural flaw in an apartment building that won’t be noticed until years down the road. The reason that should come across as mind-boggling is that our Internet security—confidence that we can safely put in private material from passwords to credit card information—has never existed. Theoretically, hackers could have been exploiting this weakness for two decades. It so happens that our illusions of safety were likely conveniently accurate, and that the publicity of the existence of the bug last Wednesday was the first the hacker community had heard of it. But the questions bugs like Shellshock and Heartbleed raise are daunting. A huge portion of early Internet development came at the hands of enthusiasts and volunteers. A lot of the commercial tools that both corporations and individual users now depend upon were built on top of programs maintained by a few unpaid volunteers in what is known as the open-source community. The consequence has been that the very building blocks underneath the sleek surface of modern websites bear the mark of a more primitive, trusting past. The early manufacturing of code that worked, but not necessarily securely, built the modern palace of the Internet on disturbingly shoddy foundations.
Even while industries make billions of dollars off of this establishment, companies like Google and Amazon reinvest little of their profits to improve the structural foundations that make their systems possible. Up until a few days ago, there was one sole person in charge of upkeep on Bash, a system built into more than 70 percent of machines that connect to the Internet. His name is Chet Ramey, and he has worked on Bash for 22 years as a hobby without pay.
That the problem of general Internet security should rest in the hands of a few volunteers may seem shocking to the average user. But to computer programmers, it’s old hat. Programs like Bash are examples of “open-source” software, software that is made available to the Internet community to study, change, and distribute to anyone and for any purpose. The idea behind the open-source movement is that freedom from patents and copyright makes the Internet run more smoothly. The motivating impulse is not profitability, but collective advancement. According to a study conducted by the Standish Group, “open-source software has resulted in about $60 billion per year in savings to consumers.” The program is public and collaborative, and the theory of security behind it is that “many eyes” working together will root out any bugs and safety issues.
Last year when Heartbleed came out, a coalition of major tech companies including Apple, Google, and Amazon joined together to support some of the more important pieces of open source software. But Bash wasn’t on the list. As open source developer Meredith J. Patterson wrote last week, “These bugs that happen... aren’t one-off problems. They’re systemic.” The lack of formal checks on programs that are at the core of the Internet is more than disconcerting, as the individual user is often unaware of their own vulnerability. It’s been a week since Shellshock was first discovered. By now, patches have been issued and most major systems have been secured. If you see that bothersome software-update alert in the top-right corner, that is likely the antidote for your vulnerable machine.
We can’t know when another problem of this sort will appear again, but without widespread reform of the way we monitor the very foundations of the Internet, our illusions of safety are nothing more than heartfelt desires, and the bleed may have only just begun.