{"id":3295,"date":"2014-09-28T16:25:24","date_gmt":"2014-09-28T06:25:24","guid":{"rendered":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/?p=3295"},"modified":"2014-09-28T16:25:24","modified_gmt":"2014-09-28T06:25:24","slug":"weekly-news-roundup-28-september-2014","status":"publish","type":"post","link":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/2014\/09\/28\/weekly-news-roundup-28-september-2014\/","title":{"rendered":"Weekly News Roundup (28 September 2014)"},"content":{"rendered":"<p>A lot of Linux &#8220;bashing&#8221; this week, as a Bash bug (one old enough to be able to vote) is causing mayhem for admins all around the world. There&#8217;s been a lot of misinformation floating around, mostly being distributed by the mass media, so I thought I would spend a bit of time trying to clear a few things up.<\/p>\n<div id=\"attachment_3303\" style=\"width: 260px\" class=\"wp-caption alignright\"><a href=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/bash_shellshock.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-3303\" class=\"size-medium wp-image-3303\" src=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/bash_shellshock-250x140.jpg\" alt=\"Bash Shellshock Bug\" width=\"250\" height=\"140\" srcset=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/bash_shellshock-250x140.jpg 250w, http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/bash_shellshock-1024x575.jpg 1024w, http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/bash_shellshock-300x168.jpg 300w, http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/bash_shellshock.jpg 1362w\" sizes=\"auto, (max-width: 250px) 100vw, 250px\" \/><\/a><p id=\"caption-attachment-3303\" class=\"wp-caption-text\">The Bash &#8220;Shellshock&#8221; bug in action<\/p><\/div>\n<p><strong>So what is Bash?<\/strong> It&#8217;s a 
shell for Unix\/Linux based systems (including OS X). <strong>What is a shell?<\/strong> A shell is a command processor, basically something that lets you do everything from listing files and directories, to\u00a0running programs and piping outputs from them to other programs,\u00a0to running scripts. When you see hackers in unrealistic Hollywood movies, they&#8217;re usually typing a bunch of commands on a black screen with white\/green text &#8211; then they&#8217;re typing on a (most likely made-up) shell (with an extremely large\u00a0font). So just to make it clear, <a href=\"http:\/\/theconcourse.deadspin.com\/local-tv-tries-to-cover-shellshock-bug-fails-miserably-1639616402\" target=\"_blank\">the bug is not called Bash<\/a>.\u00a0Bash is the software\u00a0that has the bug. The bug itself has been called the Bash bug (which I think is where the confusion comes from), although many\u00a0are calling it by the rather catchy name of Shellshock.<\/p>\n<p><strong>So what is the Shellshock bug?<\/strong> It&#8217;s basically a rather silly bug\u00a0that allows instructions to execute commands\u00a0to be added to environment variables. It turns a fairly innocuous function\u00a0that doesn&#8217;t really do much into one that can basically do everything.<\/p>\n<p>So instead of running a command which simply sets the variable\u00a0&#8220;MyName = Sean&#8221;, hackers can instead set the value of the variable &#8220;MyName&#8221; to be &#8220;Sean&#8221; plus some command to execute. 
So instead of &#8220;MyName = Sean&#8221;, they can do &#8220;MyName = Sean;\u00a0Plus run commands that send\u00a0all the password and credit card data on this server\u00a0to the hacker&#8217;s server\u00a0and then delete all the files on this server&#8221;, and this stupid bug will actually allow all of the\u00a0latter instructions to be executed.<\/p>\n<p>On the surface, a shell bug might not be all that damaging &#8211; one would have to already have gained access to the system before one can access the shell. The problem is that many\u00a0internet-facing parts of a server that runs Bash,\u00a0including the parts that\u00a0render web pages and scripts, call upon shells like Bash to perform certain actions, including setting\u00a0environment variables. This means that, with only a little bit of knowledge, one can potentially execute\u00a0almost any program\u00a0on a\u00a0vulnerable server, programs that could allow the hacker to delete files, steal information, or do just about anything really.<\/p>\n<p><strong>So why is this bug so serious?<\/strong> For starters, 60% of all web servers have the bug &#8211; a much higher rate than the Heartbleed bug because Bash is more\u00a0integral to these servers &#8211; it&#8217;s such a basic part of the system, and such an old part of it, that nobody thought it could possibly be buggy &#8230; until now. It also appears that OS X is vulnerable, although most OS X installs are not configured to allow attacks from outside.\u00a0Most worryingly, it&#8217;s\u00a0not just web servers that can be affected &#8211;\u00a0any device that runs some\u00a0version of Linux and has Internet access *could be* affected, including smartphones, routers, even things like Blu-ray players and in-car entertainment systems. 
Many of these Internet-of-things devices are also difficult\/impossible to update in order to fix the vulnerability, and as there are so many of these devices and so many versions of them, even the manufacturers (if they still exist) probably\u00a0won&#8217;t know which\u00a0devices\/versions are\/aren&#8217;t vulnerable.\u00a0To make matters worse, the first set of patches that went out to various server versions was incomplete, giving admins a false sense of security if they didn&#8217;t notice that there were subsequent updates.<\/p>\n<p>So basically, it&#8217;s a bug that&#8217;s very commonly found, easy to exploit, can\u00a0potentially do a huge amount of damage and\u00a0is hard to fix for some devices &#8211; so yep, very serious.<\/p>\n<p><strong>So why is this bug not\u00a0as serious as some in the media are reporting it to be?<\/strong>\u00a0While there are probably billions of devices that run some variant of Unix\/Linux, not all of them include Bash. Embedded devices such as routers prefer the lightweight\u00a0BusyBox, which uses ash and not Bash, for example. So luckily\u00a0iOS*, Android* and a lot of devices aren&#8217;t vulnerable to the bug, but\u00a0that still leaves maybe a few hundred million\u00a0devices that are still vulnerable. But even if these\u00a0devices are vulnerable, it takes a combination of different things (a web-accessible script that uses Bash to\u00a0change environment variables) for something malicious to be\u00a0done, and so while\u00a0a few hundred million devices may have this bug, a much smaller number can actually be exploited successfully.<\/p>\n<p>* Rooted devices that may have had Bash installed may be vulnerable.<\/p>\n<p>Hope that clears up a few things. 
Sorry for spending so much time on this, but it&#8217;s not as if I have a lot of other things to\u00a0write about this week, as you&#8217;ll find out\u00a0below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Copyright\" src=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2008\/04\/copyright.gif\" alt=\"Copyright\" width=\"160\" height=\"35\" \/><\/p>\n<p>A follow-up to a story from a few weeks ago (edit: it was actually last week &#8230; jeez, I have no sense of time these days), <a href=\"http:\/\/www.theguardian.com\/media\/2014\/sep\/25\/google-hits-back-news-corp-piracy-claims\" target=\"_blank\">Google has hit back<\/a>\u00a0in the war (of open letters) between itself and Rupert Murdoch&#8217;s News Corp. News Corp labeled the search engine a &#8220;platform for piracy&#8221;, and Google has now hit back with its own open letter\u00a0titled <a href=\"http:\/\/googlepolicyeurope.blogspot.co.uk\/\" target=\"_blank\">Dear Rupert<\/a>\u00a0and cites all of the company&#8217;s herculean efforts in fighting the piracy problem (222 million web pages removed from Google&#8217;s indexes, for example). It&#8217;s almost a line-by-line debunking of all the claims made in the now infamous News Corp letter, well worth a read if you want Google&#8217;s take on the whole &#8220;is Google taking over the world a good thing or not&#8221; debate.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"High Definition\" src=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2008\/04\/highdef.gif\" alt=\"High Definition\" width=\"219\" height=\"35\" \/><\/p>\n<p>I probably watch more Netflix than the average person, mainly because I like having certain shows on in the background while I&#8217;m working on the computer at home (yes it&#8217;s distracting, but in a good way!). 
I&#8217;ve already streamed through The Office twice this way, and I&#8217;m currently doing The Fresh Prince of Bel-Air via Mexican Netflix (as they have all the seasons). So the news that <a href=\"http:\/\/www.digital-digest.com\/news-64009-Average-Netflix-Viewing-up-350-since-2011.html\">the average Netflix subscriber now watches 1.5 hours of content every day<\/a> didn&#8217;t\u00a0really strike me as surprising &#8211; I watch that much between lunch and afternoon tea.<\/p>\n<div id=\"attachment_3304\" style=\"width: 171px\" class=\"wp-caption alignright\"><a href=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/three_fugitives_poster.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-3304\" class=\"size-medium wp-image-3304\" src=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/three_fugitives_poster-161x250.jpg\" alt=\"Three Fugitives Poster\" width=\"161\" height=\"250\" srcset=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/three_fugitives_poster-161x250.jpg 161w, http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/three_fugitives_poster-300x465.jpg 300w, http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2014\/09\/three_fugitives_poster.jpg 580w\" sizes=\"auto, (max-width: 161px) 100vw, 161px\" \/><\/a><p id=\"caption-attachment-3304\" class=\"wp-caption-text\">You too can influence how Netflix decides what movies to add to their library (Not Intended to Be a Factual Statement)<\/p><\/div>\n<p>But if you actually analyse what people are actually watching, I think you&#8217;ll find it&#8217;s more The Nanny, than\u00a0The Wolf of Wall Street or any other high profile movie releases. This is because most top movies are simply not available on Netflix. 
New research shows that only 16% of popular and acclaimed\u00a0films are actually on Netflix at the moment, compared to 94% on sell-through platforms like iTunes.<\/p>\n<p>The latter, 94%, <a href=\"http:\/\/torrentfreak.com\/most-top-films-are-not-available-on-netflix-research-finds-140926\/\" target=\"_blank\">has been used by the MPAA<\/a> to suggest that availability is not a huge issue when it comes to causes for piracy, but in reality, it&#8217;s the former 16% that may still be fueling the desire to download. It would be interesting to see what the piracy rate is for movies that do make it to Netflix, compared to movies that have never been on the platform &#8211;\u00a0surely this should provide us with more valuable insight than simply saying &#8220;94%&#8221;.<\/p>\n<p>Speaking of Netflix,\u00a0I may have found a way\u00a0to influence\u00a0how Netflix decides which flicks to add\u00a0to their\u00a0library. For the past few months, whenever I have the time, I&#8217;ve been doing a\u00a0search on\u00a0Netflix for the delightful Martin Short, Nick Nolte comedy <a href=\"http:\/\/www.imdb.com\/title\/tt0098471\/?ref_=fn_al_tt_2\" target=\"_blank\">Three Fugitives<\/a>. I know it isn&#8217;t there, but I&#8217;m\u00a0searching for it anyway in the hope that the data boffins at Netflix spot\u00a0the numerous searches being made for the movie\u00a0and something gets done. And it&#8217;s worked! The movie\u00a0will be available to stream in early October, thanks to my efforts and my efforts only I can only assume (as I must be\u00a0the only one to be searching for this movie on Netflix, or the Internet in general). A similar thing happened with <a href=\"http:\/\/www.imdb.com\/title\/tt0093148\/?ref_=fn_al_tt_1\" target=\"_blank\">Harry and the Hendersons<\/a>, which I had been furiously searching for in the preceding months, and finally watched again on Mexican (or was that Canadian) Netflix this month. 
So get busy and start searching (obviously a trick that works better for titles that have little\u00a0commercial\u00a0value than, say, searching for &#8216;Guardians of the Galaxy&#8217;).<\/p>\n<p>Please note that the above advice contains zero scientific or logical merit, and is solely based on the flimsiest of empirical evidence, if you can even call it that.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Gaming\" src=\"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-content\/uploads\/2008\/04\/gaming.gif\" alt=\"Gaming\" width=\"130\" height=\"35\" border=\"0\" \/><\/p>\n<p>And finally in gaming (and semi-copyright) news, <a href=\"http:\/\/hothardware.com\/News\/Valve-Overhauls-Steam-Website-Adds-Personalized-Shopping-and-DRM-Warnings\/\" target=\"_blank\">Steam&#8217;s\u00a0re-design of its web store now more prominently shows the DRM employed<\/a> by the game (if any). A move that will surely be welcomed by gamers,\u00a0tired of\u00a0spending a sizable amount of money on a game, only to find it infected with DRM nonsense. A new notification is now shown on the right hand side of the game&#8217;s page, with a\u00a0clear &#8220;warning: this is something that you probably won&#8217;t like&#8221;\u00a0yellow background to make the DRM warning stand out. Perhaps this will further discourage publishers from putting in bad DRM, because if we all start treating DRM\u00a0just as something detrimental, such as a bad review or incompatibility problems, then maybe publishers will have less incentive to include them in the future.<\/p>\n<p>&#8212;&#8212;<\/p>\n<p>Alright, that&#8217;s it for this week. See you in seven!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A lot of Linux &#8220;bashing&#8221; this week, as a Bash bug (one old enough to be able to vote) is causing mayhem for admins all around the world. 
There&#8217;s been a lot of misinformation floating around, mostly being distributed by the mass media, so I thought I would spend a bit of time trying to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"enabled":false},"version":2}},"categories":[15,10,3,17,9],"tags":[],"class_list":["post-3295","post","type-post","status-publish","format-standard","hentry","category-computing","category-copyright","category-movies","category-news-roundup","category-video_technology"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pzVMv-R9","_links":{"self":[{"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/posts\/3295","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/comments?post=3295"}],"version-history":[{"count":8,"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/posts\/3295\/revisions"}],"predecessor-version":[{"id":3305,"href":"http:\/\/www.digital-digest.com\/blog\/DV
DGuy\/wp-json\/wp\/v2\/posts\/3295\/revisions\/3305"}],"wp:attachment":[{"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/media?parent=3295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/categories?post=3295"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.digital-digest.com\/blog\/DVDGuy\/wp-json\/wp\/v2\/tags?post=3295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}