It's been 25 years, I guess I can come clean

By now you're aware that there's yet another security bug, this time in "bash," a "shell" used on many servers. For the non-geeks, the gist of the issue is that a very common and absolutely necessary part of the operating system could, in some reasonable circumstances, allow a malicious user to run any code they want on a server to which they should not have access. This is, of course, a bad thing. The bug, now identified, has been fixed and system operators are rushing to patch their systems with newer versions that don't exhibit the flaw.

It's been over 25 years, so I think I can come clean. I knew of such a bug when I was in college that gave me 100% read access to any file on any system. I couldn't modify them, and this bug didn't let me execute arbitrary code, but if I noticed that you had a file in your home directory called "ChrisIsADoodyHead.txt," I could read it. Even if it was in a closed-off directory and locked down, itself. While I never had a need to, I could have looked at all of your code for the computer science class we shared and cheat on my homework. And I mean every file on the file system.

I could read all of your email.

After about a year, the bug was discovered, and I was actually beta testing a version of UNIX (SCO - remember SCO?) that had it and I reported it. It took about another year to move through production and be deployed. Remember, these were the days before automatic patching. Most installs were done from a stack of floppy disks and new versions came out yearly. Maybe quarterly, at best.

The point I'm making is twofold. First, these bugs are everywhere and will always be around. Don't be shocked when they're reported. They happen, they get fixed, and the next one comes along. You're going to get burned by them. And yes, evil douchebags are going to exploit them to, say, illegally download nude pictures of celebrities. There's no victim-blaming when I say that you should acknowledge this reality and do what you can to protect yourself.

And my second point, which is the takeaway here, and the reason I've "come clean" after 25 years to make the point: These bugs are in the wild and known right now. Please stop and think about that. Someone, somewhere, is almost surely reading or copying your stuff if it's online. These bugs don't live in obscurity until someone discovers them and immediately fixes them. Someone finds them and uses them for years until someone else discovers them in a more public way. Remember the speculation and then confirmation that the NSA was exploiting a bug for years before it was ever discovered in public? You don't need to take my word for this.

And please don't shoot the messenger.

Full disclosure: I never shared this bug with anyone else in college as far as I remember. I never found anything illegal, and only once found something that, if disclosed, could have caused problems (someone was cheating something seriously in a number of classes). I never said anything. I honestly can't remember ever seeing anything on anyone that was even remotely bad. Email, back then, also was only something shared among geeks, for the most part. There was pretty-much no private social online usage. I mostly poked around administrative stuff. This being a time before digital photography, I never even saw any nude selfies :-) Some people may not believe this disclosure, and I'm okay with that.

  11683 Hits