Shellshock Bug Shows Low Quality of Open Source Software

(p. B1) Long before the commercial success of the Internet, Brian J. Fox invented one of its most widely used tools.
In 1987, Mr. Fox, then a young programmer, wrote Bash, short for Bourne-Again Shell, a free piece of software that is now built into more than 70 percent of the machines that connect to the Internet. That includes servers, computers, routers, some mobile phones and even everyday items like refrigerators and cameras.
On Thursday [Sept. 25, 2014], security experts warned that Bash contained a particularly alarming software bug that could be used to take control of hundreds of millions of machines around the world, potentially including Macintosh computers and smartphones that use the Android operating system.
The bug, named “Shellshock,” drew comparisons to the Heartbleed bug that was discovered in a crucial piece of software last spring.
But Shellshock could be a bigger threat. While Heartbleed could be used to do things like steal passwords from a server, Shellshock can be used to take over the entire machine. And Heartbleed went unnoticed for two years and affected an estimated 500,000 machines, but Shellshock was not discovered for 22 years.
. . .
Mr. Fox maintained Bash — which serves as a sort of software interpreter for different commands from a user — for five years before handing over the reins to Chet Ramey, a 49-year-old programmer who, for the last 22 years, has maintained the software as an unpaid hobby. That is, when he is not working at his day job as a senior technology architect at Case Western Reserve University in Ohio.
. . .
(p. B2) The mantra of open source was perhaps best articulated by Eric S. Raymond, one of the elders of the open-source movement, who wrote in 1997 that “given enough eyeballs, all bugs are shallow.” But, in this case, Steven M. Bellovin, a computer science professor at Columbia University, said, those eyeballs are more consumed with new features than quality. “Quality takes work, design, review and testing and those are not nearly as much fun as coding,” Mr. Bellovin said. “If the open-source community does not develop those skills, it’s going to fall further behind in the quality race.”

For the full story, see:
NICOLE PERLROTH. “Flaw in Code Puts Millions At Big Risk.” The New York Times (Fri., SEPT. 26, 2014): B1-B2.
(Note: ellipses, and bracketed date, added.)
(Note: the online version of the story has the date SEPT. 25, 2014, and has the title “Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant.”)

Leave a Reply

Your email address will not be published. Required fields are marked *