[Tfug] Do we need a new bash?

Zack Breckenridge zbrdge at gmail.com
Fri Sep 26 05:57:59 MST 2014


> The worst thing from this will be the same as Heartbleed, every non-technical
> manager type jumping up and down that this has to get fixed, even to the
> point of shutting systems down until they can get fixed... when the systems are
> test/internal systems that can only be reached by going through
> bastion hosts on the internal network...

So, normally I don't side with non-technical manager types... But if you
have an *unpatched bash* sitting around (and that includes OS X), turning
off the machine until you can patch it isn't such a bad idea.

After patching and reviewing the bug's impact and upgrading for the past
day and a half, and looking at what traffic others are seeing online
already... Without going into much detail (and I can if you'd like), I will
agree that the bug actually *is* this bad.

I mean, it's hard to qualify non-technical managers' recommendations, because
they're generally based on news cycles ;) but in this case -- the news
isn't so far off.

As a colleague and I decided yesterday, we think this bug should be
explained probabilistically: x% of hosts with an unpatched bash WILL be
compromised with a probability of 1. No one knows what x is yet, and it's
likely no one ever will. And also, no one knows what the exact path to
compromise will look like yet. It will likely differ in many cases.

Zack B.