Tuesday, September 30, 2014

Shellshock


As I've read the story of Cliff Stoll, my mind has turned to the topic of computer security. Just last Wednesday, a huge bug was discovered in the Bash shell that virtually every computer running Linux is vulnerable to. The exploit has been categorized as being worse than the Heartbleed bug that received international attention earlier this year. As described in the article, Heartbleed allowed attackers to get sensitive information such as "encryption keys or passwords", but the Shellshock bug "allows an attacker much more power. They can use it to take complete control of a system even without having a username and password". As I thought about this, the first question that came to my mind was: how is this possible? How can holes in security like this be overlooked? Because Bash is a free and open source project, many people believed the idea of "many eyes" would apply to this software, but as we have seen, this is a bug that has survived for more than two decades since Bash's conception in 1989. Clearly, the way we test and prevent bugs is not perfect and can be greatly improved upon, and after these two incidents this year I believe that it is something that we as programmers need to direct our attention towards.
