[Tfug] Do we need a new bash?

Mr Brevity Bexley410 at aim.com
Thu Sep 25 11:28:40 MST 2014


On 9/25/2014 11:15 AM, erich wrote:
> They call it "Shellshock". Yesterday I read that it affects internet "things"
> such as a coffeemaker or oven attached to the internet. Today it's anything
> with a bash shell. Bash is popular, but it's not the only shell. Why
> wouldn't other shells be vulnerable?
>
> I'd send internet links to show what I was talking about, but our
> listserve kicks them out. (We're pretty secure. Aren't we?)

The problem is more with "things".  When was the last time you updated
the code in your router? NAS? TV? gasoline pump? washing machine? etc.

Folks who take the option of embedding things like Linux *in* products
often have no idea of "what's under the hood".  Do you really need
something as bloated as a Linux kernel to run a router?  (it should
be a single monolithic executable... not a bunch of "programs" that
are invoked -- by shell scripts -- against a kernel!)

The "shortcut" of repurposing a DESKTOP OS *in* an appliance has costs and
consequences -- unnecessary complexity (== reduced reliability/security)
is just one of them!

There is a reason why security/reliability-conscious designs adhere to
the KISS principle.





