Shellshock Summary

DESCRIPTION

Twenty-five-year-old security flaw CVE-2014-6271, found in all versions of bash.
Per http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
"The behavior is implemented as a hack involving specially-formatted environmental variables: in essence, any variable starting with a literal "() {" will be dispatched to the parser just before executing the main program. You can see this in action here:

$ foo='() { echo "hi mom"; }' bash -c 'foo'
hi mom"

NOTES

  • 2014-09-25 14:55:22 Experiments indicate that putting anything in front of the "() {", like a name for the function or the keyword function, disables the flawed behavior.
  • 2014-10-04 05:02:11 Calling bash from ash still passes all the commands in the variable(s).
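Two local checks for the behavior described above, written as an added example for this summary (not code from the original post or from lcamtuf's note). The first reproduces the "hi mom" demonstration and reports whether the unprefixed function import still works on the installed bash; the second reports whether bash executes a command that trails the function body in the variable, which is the CVE-2014-6271 defect itself. Both are POSIX sh and call the installed bash, in line with the note that the variables pass through from ash.

```shell
#!/bin/sh
# Added example, not from the original post: two local checks of the
# bash environment-variable function import. Run from any POSIX shell;
# it invokes whatever bash is installed.

# Prints "works" if the unprefixed import from the "hi mom" demonstration
# still functions on the installed bash, "blocked" if it does not, and
# "no-bash" if bash is not installed at all.
legacy_import_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(foo='() { echo "hi mom"; }' bash -c 'foo' 2>/dev/null)
    if [ "$out" = "hi mom" ]; then echo "works"; else echo "blocked"; fi
}

# Prints "vulnerable" if bash runs the command that trails the function
# body in the variable (text after the closing brace executed at startup,
# the CVE-2014-6271 defect), "patched" if nothing trailing is executed,
# and "no-bash" if bash is not installed.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(x='() { :; }; echo vulnerable' bash -c ':' 2>/dev/null)
    if [ "$out" = "vulnerable" ]; then echo "vulnerable"; else echo "patched"; fi
}

echo "legacy unprefixed import:   $(legacy_import_status)"
echo "trailing-command execution: $(shellshock_status)"
```

On a fully patched bash both checks come back "blocked" and "patched": upstream stopped parsing anything after the function body and now imports exported functions only from specially named variables (BASH_FUNC_name%% in upstream bash), so the plain `foo='() { ... }'` demonstration from the quote no longer prints anything either.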

RESOURCES

Ayn Rand


Ayn Rand by Ian, on Flickr
Just watched Ayn Rand on Johnny Carson (1967)

This was not the usual late-night-talk-show guest interview. No jokes. Very serious. And went over into what was supposed to be another guest's time. (total of about 30mins)

If Ayn Rand were alive today and could speak for herself, I think she would vigorously denounce Rand Paul, Paul Ryan and the rest of her "neo-disciples"... and they would denounce her.

For example... In this interview, she very strongly asserts that no one has the right to another person's life. To that end, she clearly expresses her opposition to any draft for any reason. Only individuals have the right to decide to risk their lives.

Seems to me that the Republicans have hijacked some of her philosophies (primarily laissez-faire capitalism) to justify destroying the lives of others in furtherance of their own affluence.

This interview indicates that in her philosophy of Objectivism, she expected everyone to vigorously pursue their own self-interest. To me, the flaw in it was that she seemed to think everyone had roughly the same capacity to do that. We know that they don't. But at the time of the interview (1967), the divergence was far smaller than it is today.

I couldn't disagree more with today's Republican interpretation of Ayn Rand's philosophies. I could say the same about the Christian churches' interpretation of Jesus' philosophies. I think both have been used to further agendas that each would abhor were they alive.

Perhaps that's why these "reinterpretations" have only come about well after the icons were too dead to disagree.

Republicans are Scared. We Democrats are too.



Child Tending Broken Baby Seedling free creative commons
We have become highly "risk-averse." The uncharitable would say, "cowardly."

I've been one of those. But I may be coming out the other side now.

We are afraid. We are overwhelmingly afraid.

We have a lot to be afraid of. More than most of us can rationally handle.

For most people, "truth" is almost totally determined by how much we trust the speaker. But Watergate began an irreversible erosion in the reliability of that instinct in this country. Iran-Contra was another milestone in that process. The 2000 presidential election.

The election of Barack Obama filled us with hope that the nightmare was finally over.

Then came Mitch McConnell and the R's war on the first black Presidency, the Supreme Court's ruling on Citizens United, and countless other recent events.

Now we have ISIS and Ebola... dangers it is socially acceptable to freak out over because they are external rather than internal.

(Maybe it's like beating up somebody for calling your brother names... the same brother you pick on mercilessly every day.)

The freakout over Ebola is really our pent up fears finally having an outlet for their expression.

"Fight" and "flight" are both reactions to fear. Despite our prejudices, "flight" is often a wiser choice for ultimate success and survival than "fight."

Most species have a predilection, an instinctive bias, for one or the other. Cultures often develop such biases too. But unlike instincts, cultural bias can take less time to change in light of traumatic events.

By the 1940s, the Japanese culture had developed a "fight" bias when faced with adversity. A couple of atom-bombs however converted them to a more thoughtful "flight" bias. Look at them now!

The Republicans have a strong prejudicial "fight" bias. For them, "offense" is not just "the best defense," it's the ONLY defense. Anything else is considered shameful.

Democrats however have a "flight" bias. Most try to avoid conflict, "find common ground," and compromise for the common good.

Democrats force ourselves to respect the views of people we truly believe are just "bat-shit-crazy."

Democrats often have "bleeding hearts," but they bleed because their heads are restraining them from trying to give more than they have.

Democrats work hard to stretch forethought as far as possible to anticipate and overcome problems with our own ideas. (A practice that's often used against us, BTW.)

Democrats then, it seems to me, are the only hope our country has for survival. We are the only ones looking ahead, and using our heads, to overcome the dangers we face.

I never thought I'd say this but... Republicans are not "bad people."

They're just scared.

It is up to Democrats to protect them as well as ourselves.

It's up to Democrats to find solutions, as Republican fears have stopped them from even trying.

The Republican leadership have become like cornered animals. All rationality is gone. They see little or no way out. The only, very slim chance they see for survival, is an almost certainly suicidal attack.

We Democrats have to get off their backs and take action ourselves... though we don't know what to do any more than they do.

But their "fight" bias has them taking action anyhow. Actions that have put us all in that desperate corner.

Those Republican actions are lethal.

We Democrats had better figure out better ones... and quickly.

Germany offers free college tuition to U.S. and international students

  • Germany is about to be flooded with student visa applications.
  • The cost of rent in Germany will skyrocket.
  • The German economy is about to boom to far greater than that of the U.S. on a per-capita basis.
  • German is about to become the hottest course in U.S. schools.
  • U.S. student enrollment is about to plummet causing a short-term spike in tuition in a futile attempt to make up the difference. After a year or two, the U.S. will be forced to follow Germany's lead.
  • A great many U.S. students that get into Germany will do their best to stay after graduation as European governments and societies share the beliefs and ideals of young people far better than the U.S.

Maybe there is hope...

Shellshocked?

StackExchange: Unix/Linux
The question...

Should bash shells be replaced with the new patched version?
US-CERT recommends users and administrators review TA14-268A, Vulnerability Note VU#252743 and the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch.
A fact...

A timeline...
Ramifications...
  • The Bash shellshock "vulnerability" has been a "feature" of Bash for 22 years. You'd think in all that time, in all those high-security environments that run Unix or Linux, someone would have worried about misuse.
  • Now, every installation of Bash in the world is about to be replaced.
  • Though Bash is open-source, few people actually take the time to study the code of such large and complex programs.
  • Bash is written in C, which supports embedded assembly-language code. Code that even fewer programmers have the skills to read.
  • Bash is written in C, which easily supports treating any block of binary, such as something labeled as data or a small image, as code.
  • Thus, a skilled programmer could hide "backdoor" code in plain sight, and it probably wouldn't be discovered unless it caused an error of some kind.
  • Extremely high-skilled programmers that break the law are often employed by federal agencies.

SSH keys beautifully explained

How to set up public key ssh authentication (http://wogan.wordpress.com/)
Understanding how SSH keys work and how to properly use them has long baffled even some of the most venerable programmers.

In the physical world, a given key usually fits just one lock. We have to special order multiple locks "keyed the same" for entry doors and such. To share access to something, we give out multiple copies of these physical keys.

It's thus tempting to imagine the shared "public key" to be analogous to a physical key and the "private key" to be the lock.

Actually, it's the other way around.

Wogan explains in "How to set up public key ssh authentication" (January, 2014).

SSH public-keys and private-keys

 understanding public key private key concepts, Blake Smith, 08 Feb 2010
Still confused about SSH public and private keys?

Blake Smith's 2010 article, "understanding public key private key concepts" provides the absolute best analogy I've come across.

This brief article lays it out as simply and memorably as it gets.
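To make the lock-and-key picture from both of these posts concrete, here is an added example (not from Wogan's or Blake Smith's articles) that builds the layout in a throwaway directory: the private key stays in the client's .ssh with the permissions ssh insists on, the public half is the "lock" appended to authorized_keys on the server side, and ssh-keygen's fingerprint confirms the two halves belong together. The directory names (client/.ssh, server/.ssh) and the key comment are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the linked articles: lay out an SSH key pair the
# way the analogy describes it and verify the two halves match.

# Builds the layout under $1 (a scratch directory supplied by the caller).
# Prints "match" if the fingerprint of the client's private key equals the
# fingerprint of the key installed in the server's authorized_keys,
# "mismatch" otherwise, or "no-ssh-keygen" if ssh-keygen is unavailable.
ssh_key_layout_check() {
    root=$1
    command -v ssh-keygen >/dev/null 2>&1 || { echo "no-ssh-keygen"; return 0; }
    client="$root/client/.ssh"   # constructed: the user's own machine
    server="$root/server/.ssh"   # constructed: the account's home on the server
    mkdir -p "$client" "$server"
    chmod 700 "$client" "$server"

    # Generate an ed25519 pair with an empty passphrase (demo only; use a
    # passphrase or an agent for real keys).
    ssh-keygen -q -t ed25519 -N '' -C 'demo@example' -f "$client/id_ed25519" </dev/null

    # The private key is the key in your pocket: it never leaves the client,
    # and ssh refuses to use it if other users can read it.
    chmod 600 "$client/id_ed25519"

    # The public key is the lock: it is what you hand out, and the server
    # installs it in authorized_keys for the account you want to reach.
    cat "$client/id_ed25519.pub" >> "$server/authorized_keys"
    chmod 600 "$server/authorized_keys"

    # ssh-keygen -l reports the same fingerprint for either half of a pair,
    # so comparing the two confirms the installed lock fits this key.
    priv_fp=$(ssh-keygen -lf "$client/id_ed25519" | awk '{print $2}')
    auth_fp=$(ssh-keygen -lf "$server/authorized_keys" | awk '{print $2}')
    if [ "$priv_fp" = "$auth_fp" ]; then echo "match"; else echo "mismatch"; fi
}

tmp=$(mktemp -d)
echo "key layout check: $(ssh_key_layout_check "$tmp")"
rm -rf "$tmp"
```

The permission bits are not decoration: sshd ignores an authorized_keys file that is group- or world-writable (under its default StrictModes), and the ssh client refuses a private key that other users can read, so a "works on one box, fails on another" login problem is very often one of these two chmods.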

What are all you people doing here?

The Pearly Gates (Wieskirche Gates)
Wieskirche Gates
"What are all you people doing here?" said God as he stood barring the Pearly Gates.

"Why didn't you save us?" said the multitudes before him.

God replied...

"I sent you my son so you'd learn the nobility of self sacrifice. You didn't.

"I sent you Ebola so you'd learn compassion for those you feared. You didn't.

"I sent you AIDS so you'd learn humility that such things could happen to those you loved. You didn't.

"I sent you terrorism so you'd learn that oppression by the few will always be overthrown by the many. You didn't.

"I sent you climate change so you'd learn to wisely recycle your waste lest nature do it for you... most harshly. You didn't.

"I sent you these things and many more, that your souls might be saved."

"So. Can we go in now?" a man asked.

God replied, "What do you think?"