m********5 (posts: 17667) | 1 [Reposted from the Military board]
From: mitbbs2715 (好吃不懒做), Board: Military
Subject: Open source is really insecure, Shellshock is here
Posted on: BBS 未名空间站 (Thu Sep 25 13:22:35 2014, US Eastern)
A Bash bug the NSA planted long ago has finally been discovered...
The NSA really is everywhere and knows everything.

k**o (posts: 15334) | 2
iOS affected, Android not affected. Apple truly is the NSA's honeypot.

m********5 (posts: 17667) | 3
This bash bug is very deep-seated. Historically there were several small fixes, and all of them were quietly reversed; it is not a problem that one or two patches can solve. ssh has a similar backdoor. Open source has long since been seeded with a large number of backdoors; no matter how careful you are, you will get hit. The reason this one has been exposed now is presumably that a new, mature backdoor is ready, so they disclose the old bash bug and, while everyone is rushing to fix it, quietly slip in the new one. openBSD and freeBSD used to be considered relatively strict in review (after all, the first open source backdoor scandal, back in the 90s, was uncovered by BSD devs), but now BSD cannot escape either.
[Quoting m********5]: [Reposted from the Military board] : From: mitbbs2715 (好吃不懒做), Board: Military : Subject: Open source is really insecure, Shellshock is here : Posted on: BBS 未名空间站 (Thu Sep 25 13:22:35 2014, US Eastern) : A Bash bug the NSA planted long ago has finally been discovered... : The NSA really is everywhere and knows everything.
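The post above talks about the bash bug and its patches without saying what the bug actually does. As an added example (not code from any poster or from the article quoted later in the thread), here is the standard local check for the Shellshock bug (CVE-2014-6271): bash used to import any environment variable whose value began with "() {" as a function definition and kept parsing past the closing brace, executing whatever followed. The script plants such a variable with a trailing command and reports whether the trailing command ran; a second function shows how the local bash names exported functions, since the namespaced "BASH_FUNC_name%%" form (or "BASH_FUNC_name()" on some backports) is what the fixed import path looks for. It assumes a `bash` binary on PATH and reports "no-bash" otherwise; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: local Shellshock exposure checks.
# Assumes bash is on PATH; prints "no-bash" if it is not.

# Classic CVE-2014-6271 probe. The variable x looks like an exported
# function whose body is a no-op, followed by a trailing command.
# A vulnerable bash executes that trailing command while importing the
# environment; a patched bash ignores everything after the closing brace.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "VULNERABLE" ;;   # trailing command ran
        *)            echo "PATCHED" ;;      # only "probe" was printed
    esac
    return 0
}

# Show how this bash names an exported function in the environment.
# Pre-patch bash exported function f as a plain variable "f", which is
# exactly why any attacker-controlled variable (an HTTP header copied into
# a CGI environment, for instance) could be mistaken for a function.
# Patched versions use "BASH_FUNC_f%%" (or "BASH_FUNC_f()" on some
# distribution backports) and only import variables with that prefix.
exported_function_var_name() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    name=$(bash -c 'f() { :; }; export -f f; env' 2>/dev/null \
        | awk -F= '/^(BASH_FUNC_)?f(%%|\(\))?=/ { print $1; exit }')
    echo "${name:-unknown}"
    return 0
}

echo "shellshock probe:           $(shellshock_check)"
echo "exported function var name: $(exported_function_var_name)"
```

Run it with `sh shellshock_check.sh` on each host you care about; embedded devices are the ones the quoted article worries about, and they are also the ones where you cannot rely on the distribution having shipped the fix.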
f*******t (posts: 7549) | 4
Source? I couldn't find any report on this.
★ Sent from iPhone App: ChineseWeb 8.7
[Quoting m********5]: : This bash bug is very deep-seated. Historically there were several small fixes, and all of them were quietly reversed; it is not a problem that one or two patches can solve. ssh has a similar backdoor. Open source has long since been seeded with a large number of backdoors; no matter how careful you are, you will get hit. The reason this one has been exposed now is presumably that a new, mature backdoor is ready, so they disclose the old bash bug and, while everyone is rushing to fix it, quietly slip in the new one. openBSD and freeBSD used to be considered relatively strict in review (after all, the first open source backdoor scandal, back in the 90s, was uncovered by BSD devs), but now BSD cannot escape either.
m********5 (posts: 17667) | 5
"I suspect that many of the Internet of Things, or Internet of Everything,
devices that have been distributed have Linux roots," says Alan Dundas, vice
president and product architect for Authentify. "How will the small CPU in
your thermostat prevent malware introduced via a Bash flaw from sniffing
around whatever else is connected to it? It probably wasn't designed to have
that capability. Therein lies the fatal error of connecting lots of simple
items into a complex network without thoroughly evaluating what could go
wrong."
"This is potentially worse than Heartbleed," says Dundas, "because many
things Linux is embedded in were never intended to be patched."
Like Heartbleed, Shellshock is a vulnerability in open-source software.
"I see this as a failure in the mindset of the open-source community where
everyone waits for everyone else to do something or find something," says
Chris Stoneff, director of professional services for Lieberman Software.
"One of the interesting things happening with so much bashing of closed-
source projects like Microsoft and the embrace of more open software like
Linux and OSX is how much visibility Linux and OSX have gained in recent
years to would-be attackers. It has shone a light on one of the biggest lies
perpetrated on people: We are not vulnerable because we don't use Microsoft.
Well, the proof is now here, and it's time for Linux and OSX and UNIX to
take some heat."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-
chief of Enterprise Efficiency. Prior that she was senior editor for the
Computer Security Institute, writing and speaking about virtualization,
identity management, cybersecurity law, and a myriad ...
[Quoting m********5]: : This bash bug is very deep-seated. Historically there were several small fixes, and all of them were quietly reversed; it is not a problem that one or two patches can solve. ssh has a similar backdoor. Open source has long since been seeded with a large number of backdoors; no matter how careful you are, you will get hit. The reason this one has been exposed now is presumably that a new, mature backdoor is ready, so they disclose the old bash bug and, while everyone is rushing to fix it, quietly slip in the new one. openBSD and freeBSD used to be considered relatively strict in review (after all, the first open source backdoor scandal, back in the 90s, was uncovered by BSD devs), but now BSD cannot escape either.